Microsoft Patch Tuesday – October 2022

Microsoft patched 84 CVEs in its October 2022 Patch Tuesday release, with 13 rated as critical and 71 rated as important.

1. 13Critical
2. 71Important
3. 0 Moderate
4. 0 Low

This month’s update includes patches for:

• Active Directory Domain Services
• Azure
• Azure Arc
• Client Server Run-time Subsystem (CSRSS)
• Microsoft Edge (Chromium-based)
• Microsoft Graphics Component
• Microsoft Office
• Microsoft Office SharePoint
• Microsoft Office Word
• Microsoft WDAC OLE DB provider for SQL
• NuGet Client
• Remote Access Service Point-to-Point Tunneling Protocol
• Role: Windows Hyper-V
• Service Fabric
• Visual Studio Code
• Windows Active Directory Certificate Services
• Windows ALPC
• Windows CD-ROM Driver
• Windows COM+ Event System Service
• Windows Connected User Experiences and Telemetry
• Windows CryptoAPI
• Windows Defender
• Windows DHCP Client
• Windows Distributed File System (DFS)
• Windows DWM Core Library
• Windows Event Logging Service
• Windows Group Policy
• Windows Group Policy Preference Client
• Windows Internet Key Exchange (IKE) Protocol
• Windows Kernel
• Windows Local Security Authority (LSA)
• Windows Local Security Authority Subsystem Service (LSASS)
• Windows Local Session Manager (LSM)
• Windows NTFS
• Windows NTLM
• Windows ODBC Driver
• Windows Perception Simulation Service
• Windows Point-to-Point Tunneling Protocol
• Windows Portable Device Enumerator Service
• Windows Print Spooler Components
• Windows Resilient File System (ReFS)
• Windows Secure Channel
• Windows Security Support Provider Interface
• Windows Server Remotely Accessible Registry Keys
• Windows Server Service
• Windows Storage
• Windows TCP/IP
• Windows USB Serial Driver
• Windows Web Account Manager
• Windows Win32K
• Windows WLAN Service
• Windows Workstation Service

Microsoft still has yet to release patches for the two Exchange vulnerabilities that were reported as being actively exploited last week. Admins should continue to follow Microsoft’s guidance on workarounds until official fixes are released.

Active Directory Certificate Services EoP vulnerability

CVE-2022-37976 is an EoP vulnerability affecting Active Directory Certificate Services. A malicious Distributed Component Object Model (DCOM) client could be used to entice a DCOM server to authenticate to the client, allowing an attacker to perform a cross-protocol attack and gain domain administrator privileges. With CVSS 3.1 score of 8.8, rated as Exploitation Less Likely.

Azure Arc-enabled Kubernetes cluster connect EoP vulnerability

CVE-2022-37968 is an EoP vulnerability in Microsoft’s Azure Arc, affecting the cluster connect feature of Azure Arc-enabled Kubernetes clusters. With a CVSSv3 score of 10, the highest possible rating, an unauthenticated attacker could exploit this vulnerability to gain administrative privileges for a Kubernetes cluster. While updates have been released, users that do not have auto-upgrade enabled must act to manually upgrade Azure Arc-enabled Kubernetes clusters.

Windows COM+ Event System Service EoP vulnerability – Zeroday

CVE-2022-41033 is an EoP vulnerability in the Windows COM+ Event System Service, which enables system event notifications for COM+ component services. It received a CVSSv3 score of 7.8. An authenticated attacker could exploit this vulnerability to elevate privileges on a vulnerable system and gain SYSTEM privileges. This vulnerability has been exploited in the wild, though no additional information was shared.

Windows Print Spooler EoP vulnerability

CVE-2022-38028 is an EoP vulnerability in Windows Print Spooler components that received a CVSSv3 score of 7.8 and was rated Exploitation More. Exploitation would allow an attacker to gain SYSTEM privileges. The flaw was disclosed to Microsoft by the National Security Agency. This marks the third EoP vulnerability in Windows Print Spooler credited to the NSA this year, following CVE-2022-29104 and CVE-2022-30138 in May.

Microsoft SharePoint Server RCE vulnerability

CVE-2022-38053, CVE-2022-41036, CVE-2022-41037 and CVE-2022-41038 are RCE vulnerabilities in Microsoft SharePoint Server that all received a CVSSv3 score of 8.8. All except CVE-2022-41037 were rated Exploitation More Likely and CVE-2022-41038 is the only one that has a critical rating. To exploit these vulnerabilities, a network-based attacker would need to be authenticated to the target SharePoint site with permission to use Manage Lists.

Windows Kernel EoP vulnerability

CVE-2022-37988, CVE-2022-37990, CVE-2022-37991, CVE-2022-37995, CVE-2022-38022, CVE-2022-38037, CVE-2022-38038 and CVE-2022-38039 are EoP vulnerabilities in the Windows Kernel. Except for CVE-2022-38022, all the CVEs received CVSSv3 scores of 7.8 and could allow an attacker to elevate their privileges to SYSTEM. CVE-2022-38022 was scored CVSSv3 of 2.5 and would only allow an attacker to delete empty folders as SYSTEM. The attacker would not be able to view or edit files, nor delete folders that were not empty.

Microsoft Office information disclosure vulnerability -Zeroday

CVE-2022-41043 is an information disclosure vulnerability affecting Microsoft Office for Mac. While exploitation requires local access to the host, this was the only publicly disclosed vulnerability patched this month.

Microsoft Chromium Edge

Apart from patch Tuesday update release, numerous chromium edge vulnerabilities have been fixed earlier in the month.