Microsoft developers have released October patches for their products. In total, more than 80 vulnerabilities were fixed this month, including bugs actively exploited by hackers. However, there are still no patches for recent issues in Exchange called ProxyNotShell.
Among this month’s vulnerabilities, 15 are rated critical (allowing privilege escalation, spoofing, or remote code execution), and another 69 are rated important. It is also worth noting that 12 separate issues have been fixed in the Edge browser.
As part of the October “Update Tuesday”, the company fixed two zero-day vulnerabilities at once, one of which was actively used by hackers, and information about the other was publicly available before the release of the patch.
The first 0-day reported to developers by an anonymous researcher was CVE-2022-41033 (CVSS score 7.8) and was associated with privilege escalation in the Windows COM+ Event System Service.
“An attacker who successfully exploited this vulnerability could gain System-level privileges,” the developers warn.
The second 0-day that was disclosed prior to the release of the patch is CVE-2022-41043 (CVSS 3.3) with disclosure in Microsoft Office. The bug was discovered by a specialist from SpecterOps. Microsoft explains that attackers could use this vulnerability to gain access to user authentication tokens.
However, the most dangerous issue, fixed in October, can be called CVE-2022-37968 associated with privilege escalation in Azure Arc Connect. This vulnerability received the maximum score of 10 out of 10 on the CVSS scale. The bug is related to the cluster connectivity feature in Azure Arc-enabled Kubernetes clusters and can be used by an unauthenticated attacker to take control of the cluster at the administrator level.
It should also be noted that, unfortunately, this month’s patches do not include fixes for ProxyNotShell issues (CVE-2022 -41040 and CVE-2022-41082) that were discovered last month. Let me remind you that these bugs in Exchange have been under attack for some time, and Microsoft only offers administrators workarounds to temporarily fix the problem. In addition, the company’s protective recommendations have changed several times already, as security researchers continue to discover that these measures can be easily bypassed.
Alas, Microsoft representatives do not indicate when users can expect the release of fixes for Exchange Server.