Update now! October patch Tuesday fixes actively used zero-day…but not the one you expected
Microsoft fixed 84 vulnerabilities in its October 2022 Patch Tuesday updates. Thirteen of them received the classification ‘Critical’. Among them are a zero-day vulnerability that’s being actively exploited, and another that hasn’t been spotted in the wild yet.
The bad news is that the much-desired fix for the “ProxyNotShell” Exchange vulnerabilities was not included.
What was fixed
A widely accepted definition for a zero-day is a computer-software vulnerability previously unknown to those who should be interested in its mitigation, such as the software vendor. Until the vulnerability is mitigated, hackers can exploit it to adversely affect programs, data, computers or a network.
As such, a publicly known vulnerability is called a zero-day even if there is no known actively used exploitation for it.
The actively exploited vulnerability in this month’s batch is CVE-2022-41033, a vulnerability with a CVSS score of 7.8 out of 10. This is described as a ‘Windows COM+ Event System Service Elevation of Privileges (EoP)’ vulnerability, which gives an attacker the potential to obtain SYSTEM privileges after successful exploitation.
This type of vulnerability usually comes into play once an attacker has gained an initial foothold on a system. They can then use this vulnerability to gain more permissions and expand their access to the compromised system.
Another publicly disclosed vulnerability that gets a fix is CVE-2022-41043, a Microsoft Office Information Disclosure vulnerability. Affected products are Microsoft Office LTSC for Mac 2021 and Microsoft Office 2019 for Mac. Microsoft says attackers could use this vulnerability to gain access to users’ authentication tokens.
What wasn’t fixed
The Exchange Server “ProxyNotShell” vulnerabilities, CVE-2022-41040 and CVE-2022-41082, were not fixed in this round of updates. One is a Server-Side Request Forgery (SSRF) vulnerability and the other a remote code execution (RCE) vulnerability that exists when PowerShell is accessible to the attacker. The two can be chained together into an attack.
Microsoft says it will release updates for these vulnerabilities when they are ready. In the meantime, you should read this blog post to learn about mitigations for those vulnerabilities.
Other vendors
Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones:
- Adobe released security updates to fix 29 vulnerabilities in several products.
- Apple published iOS 16.0.3.
- Fortinet released important security updates.
- Google patched several vulnerabilities for Android.
- Samsung has started rolling out October 2022 security updates for some of its devices.
- SAP has released updates for several of its products.
- VMware published security advisory VMSA-2022-0025.
- Xiaomi released the October 2022 Security Patch Update tracker.
That should be enough to keep you busy, et patching!