Microsoft fixes two zero-day flaws in October 2022 Patch Tuesday
Some dangerous Windows bugs are fixed, others remainBy Alfonso Maruccia
TL;DR: Microsoft released a new series of patches designed to fix bugs in Windows and other popular software products. The most significant updates remedy a couple of zero-day flaws, but the two Exchange bugs discovered in recent weeks are still a danger for mail servers worldwide.
Patch Tuesday is an informal term used by Microsoft since October 2003, but nowadays it is widely accepted as the right time of the month to release new security updates. Being one of the biggest software platforms around, Windows plays a major role in October's Patch Tuesday scheduled updates.
The October 2022 Security Updates released by Microsoft include fixes for 84 security flaws found in different components of Windows (from the Kernel to the CD-ROM Driver), Microsoft Edge, Azure, Active Directory Domain Services, Visual Studio Code, the NTFS file system, TCP/IP, the Win32K API and many other products or features. Thirteen vulnerabilities are classified as "Critical," as they pose the gravest danger to servers and consumer systems.
The aforementioned 84 bugs include 39 elevation of privilege vulnerabilities, two security feature bypass vulnerabilities, 20 remote code execution vulnerabilities, 11 information disclosure vulnerabilities, eight Denial of Service vulnerabilities and four spoofing vulnerabilities. A dozen additional flaws in the Edge browser are not included as they were already fixed on October 3.
The October 2022 Patch Tuesday includes fixes for two zero-day bugs, a kind of vulnerability which has been already publicly disclosed or it is being actively exploited in attacks. The actively exploited zero-day flaw is classified as Windows COM+ Event System Service Elevation of Privilege Vulnerability (CVE-2022-41033). According to Microsoft, an attacker who "successfully exploited this vulnerability could gain SYSTEM privileges" while having a local access to the targeted system.
The publicly disclosed bug is Microsoft Office Information Disclosure Vulnerability (CVE-2022-41043), and attackers could use it to disclose user tokens or "other potentially sensitive information". The CVE-2022-41033 flaw was seemingly discovered by an "anonymous" researcher, Microsoft says, while CVE-2022-41043 was found by SpecterOps security researcher Cody Thomas.
Unfortunately for companies and professional users, this month's Patch Tuesday does not include a proper fix for the previously disclosed zero-day bugs in Microsoft Exchange. The Redmond corporation is asking sysadmins to apply the mitigations already recommended at the end of September, as the company will clearly need more time to create the patches.