The Microsoft September 2022 Security Updates includes patches and advisories for 63 vulnerabilities. Five of those are rated Critical severity, one that addresses a previously disclosed Spectre-BHP flaw, and a zero-day exploited in the wild.
A remote attacker could exploit some of these vulnerabilities to take control of unpatched systems.
In all, the Microsoft security updates address vulnerabilities in the following products, features and roles:
- .NET and Visual Studio
- .NET Framework
- Azure Arc
- Cache Speculation
- Microsoft Dynamics
- Microsoft Edge (Chromium-based)
- Microsoft Graphics Component
- Microsoft Office
- Microsoft Office SharePoint
- Microsoft Office Visio
- Microsoft Windows ALPC
- Microsoft Windows Codecs Library
- Network Device Enrollment Service (NDES)
- Role: DNS Server
- Role: Windows Fax Service
- SPNEGO Extended Negotiation
- Visual Studio Code
- Windows Common Log File System Driver
- Windows Credential Roaming Service
- Windows Defender
- Windows Distributed File System (DFS)
- Windows DPAPI (Data Protection Application Programming Interface)
- Windows Enterprise App Management
- Windows Event Tracing
- Windows Group Policy
- Windows IKE Extension
- Windows Kerberos
- Windows Kernel
- Windows LDAP – Lightweight Directory Access Protocol
- Windows ODBC Driver
- Windows OLE
- Windows Photo Import API
- Windows Print Spooler Components
- Windows Remote Access Connection Manager
- Windows Remote Procedure Call
- Windows TCP/IP
- Windows Transport Security Layer (TLS).
Zero-day EoP exploit
Microsoft patched a zero-day Windows Common Log File System Driver Elevation of Privilege (EoP) vulnerability (CVE-2022-37969) exploited in the wild (CVSS score 7.8).
Microsoft confirmed exploits were detected and explained “an attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”
The flaw affects multiple Windows server and desktop OS versions.
Moreover, Microsoft patched one of the previously disclosed Spectre-BHP vulnerabilities (Arm: CVE-2022-23960 Cache Speculation Restriction Vulnerability). The update only applies to Windows 11 for ARM64-based systems, which likely affects fewer organizations.
“In March 2022, researchers within the Systems and Network Security Group at Vrije Universiteit Amsterdam disclosed a new cache speculation vulnerability known as Branch History Injection (BHI) or Spectre-BHB. Spectre-BHB is similar to Spectre v2, except that malicious code uses the shared branch history (stored in the CPU Branch History Buffer, or BHB) to influence mispredicted branches within the victim’s own hardware context,” arm Developer wrote in an advisory.
“Once that occurs, speculation caused by mispredicted branches can be used to cause cache allocation, which can then be used to infer information that should not be accessible,” arm Developer added.
Microsoft also addressed five (5) Critical Remote Code Execution (RCE) vulnerabilities:
- CVE-2022-34700: Microsoft Dynamics CRM (on-premises) RCE (CVSS 8.8)
- CVE-2022-34718: Microsoft Dynamics CRM (on-premises) RCE (CVSS 9.8)*
- CVE-2022-34721: Windows Internet Key Exchange (IKE) Protocol Extensions RCE (CVSS 9.8)
- CVE-2022-34722: Windows Internet Key Exchange (IKE) Protocol Extensions RCE (CVSS 9.8)
- CVE-2022-35805: Microsoft Dynamics CRM (on-premises) RCE (CVSS 8.8)
Note: Microsoft confirmed that exploitation of CVE-2022-34718 is “more likely.”
In addition, Microsoft patched 56 other vulnerabilities rated Important in multiple products. Those issues include Denial of Service, Elevation of Privilege, Information Disclosure, Remote Code Execution, and Security Feature Bypass vulnerabilities.
- Microsoft August 2022 Security Updates addresses 121 vulnerabilities (17 Critical and 1 zero-day)
- Knotweed threat actors exploit Microsoft and Adobe 0-days and deliver Subzero malware
- Microsoft exposes and disables Polonium activity targeting Israeli organizations
- Microsoft issues workaround for Windows Support Diagnostic Tool “Follina” Vulnerability