The Microsoft October 2022 Security Updates include patches and advisories for 84 vulnerabilities, including 2 zero-day vulnerabilities and 13 Critical severity issues.
A remote attacker could exploit some of these vulnerabilities to take control of unpatched systems.
In all, the Microsoft monthly security updates fix vulnerabilities in the following products, features and roles:
- Active Directory Domain Services
- Azure Arc
- Client Server Run-time Subsystem (CSRSS)
- Microsoft Edge (Chromium-based)
- Microsoft Graphics Component
- Microsoft Office
- Microsoft Office SharePoint
- Microsoft Office Word
- Microsoft WDAC OLE DB provider for SQL
- NuGet Client
- Remote Access Service Point-to-Point Tunneling Protocol
- Role: Windows Hyper-V
- Service Fabric
- Visual Studio Code
- Windows Active Directory Certificate Services
- Windows ALPC
- Windows CD-ROM Driver
- Windows COM+ Event System Service
- Windows Connected User Experiences and Telemetry
- Windows CryptoAPI
- Windows Defender
- Windows DHCP Client
- Windows Distributed File System (DFS)
- Windows DWM Core Library
- Windows Event Logging Service
- Windows Group Policy
- Windows Group Policy Preference Client
- Windows Internet Key Exchange (IKE) Protocol
- Windows Kernel
- Windows Local Security Authority (LSA)
- Windows Local Security Authority Subsystem Service (LSASS)
- Windows Local Session Manager (LSM)
- Windows NTFS
- Windows NTLM
- Windows ODBC Driver
- Windows Perception Simulation Service
- Windows Point-to-Point Tunneling Protocol
- Windows Portable Device Enumerator Service
- Windows Print Spooler Components
- Windows Resilient File System (ReFS)
- Windows Secure Channel
- Windows Security Support Provider Interface
- Windows Server Remotely Accessible Registry Keys
- Windows Server Service
- Windows Storage
- Windows TCP/IP
- Windows USB Serial Driver
- Windows Web Account Manager
- Windows Win32K
- Windows WLAN Service
- Windows Workstation Service
ProxyNotShell not addressed
Unfortunately, Microsoft has not yet patched two actively exploited zero-day vulnerabilities, dubbed “ProxyNotShell” (CVE-2022-41040 and CVE-2022-41082, published September 30, 2022).
“In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability,” Microsoft wrote in a blog post.
Microsoft is aware of exploits against the zero-days affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.
CISA also confirmed these zero-days were under limited targeted attacks in the wild, as reported earlier this month.
Microsoft fixed two (2) zero-day vulnerabilities:
- CVE-2022-41033: Windows COM+ Event System Service Elevation of Privilege (EoP) Vulnerability (CVSS 7.8)
- CVE-2022-41043: Microsoft Office Information Disclosure Vulnerability (CVSS 3.3)
The most severe of the zero-days (CVE-2022-41033) could allow an attacker who successfully exploited this vulnerability to gain SYSTEM privileges.
Critical RCE vulnerabilities
Microsoft addressed nine (9) Critical Remote Code Execution (RCE) vulnerabilities (with CVSS scores):
- CVE-2022-22035: Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability (CVSS 7.8)
- CVE-2022-24504: Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability (CVSS 8.1)
- CVE-2022-30198: Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability (CVSS 8.1)
- CVE-2022-33634: Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability (CVSS 8.1)
- CVE-2022-38000: Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability (CVSS 8.1)
- CVE-2022-38047: Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability (CVSS 8.1)
- CVE-2022-38048: Microsoft Office Remote Code Execution Vulnerability (CVSS 7.8)
- CVE-2022-41038: Microsoft SharePoint Server Remote Code Execution Vulnerability (CVSS 8.1)
- CVE-2022-41081: Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability (CVSS 8.1)
Of the Critical RCEs, only the SharePoint flaw CVE-2022-41038 was listed by Microsoft as “exploitation more likely.”
Critical EoP vulnerabilities
Moreover, Microsoft patched the following three (3) Critical Elevation of Privilege (EoP) vulnerabilities:
- CVE-2022-37968: Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability (CVSS 10)
- CVE-2022-37976: Active Directory Certificate Services Elevation of Privilege Vulnerability (CVSS 8.8)
- CVE-2022-37979: Windows Hyper-V Elevation of Privilege Vulnerability (CVSS 7.8)
Regarding the Azure Arc EoP CVE-2022-37968, Microsoft warned this vulnerability “could allow an unauthenticated user to elevate their privileges and potentially gain administrative control over the Kubernetes cluster.”
“Additionally, because Azure Stack Edge allows customers to deploy Kubernetes workloads on their devices via Azure Arc, Azure Stack Edge devices are also vulnerable to this vulnerability,” Microsoft added.
Critical Spoofing vulnerability
In addition, Microsoft addressed one Critical Windows CryptoAPI Spoofing Vulnerability, CVE-2022-34689 (CVSS 7.5).
Microsoft also confirmed exploitation of this flaw is “more likely.”
Finally, Microsoft patched 69 other vulnerabilities rated Important in multiple products. Those issues include Denial of Service, Elevation of Privilege, Information Disclosure, Remote Code Execution, Spoofing, and Security Feature Bypass vulnerabilities.
Readers can review the October 2022 Security Updates Release Notes and also download more vulnerability and patch details via Microsoft’s Security Update Guide.