You can’t always get what you want on Patch Tuesday

Credit to Author: Angela Gunn | Date: Tue, 11 Oct 2022 17:47:47 +0000

Microsoft on Tuesday released patches for 82 vulnerabilities in six Microsoft product families. This includes 14 Critical-class issues affecting Azure, Office, SharePoint, and Windows. Once again the majority of CVEs affect Windows; the operating system takes the lion’s share of the CVEs with 67, followed by five for Office and four for SharePoint. Azure admins get some respite this month with just three patches for that platform (including one for Service Fabric), and Visual Studio and .NET together account for another three.

One vulnerability (CVE-2022-41043), an information disclosure bug in Office, has been publicly disclosed. Another (CVE-2022-41033), an elevation of privilege flaw in the COM+ Event System Service, has been exploited. The remaining issues are, according to Microsoft, neither publicly disclosed nor exploited. Notable by their absence are the two high-profile Exchange Server vulnerabilities (CVE-2022-41040, CVE-2022-41082), both of which were in the news last week. Since the public disclosure of the two issues, Microsoft has issued several rounds of mitigations and guidance for what appears to be a close variant of the legendary ProxyShell attack.

By the Numbers

  • Total Microsoft CVEs: 82
  • Total advisories shipping in update: 0
  • Publicly disclosed: 1
  • Exploitation detected: 1
  • Exploitation more likely in latest version: 12
  • Exploitation more likely in older versions: 13
  • Severity
    • Critical: 14
    • Important: 68
    • Moderate: 0
    • Low: 0
  • Impact
    • Elevation of Privilege: 37
    • Remote Code Execution: 21
    • Information Disclosure: 10
    • Denial of Service: 8
    • Spoofing: 3
    • Security Feature Bypass: 3

[Figure: bar chart showing the distribution of Critical- and Important-class severities across impact classes for October 2022]

Figure 1: Far more elevation-of-privilege issues addressed this month, but fully half the remote-code execution issues are Critical-class

  • Products:
    • Microsoft Windows: 67
    • Microsoft Office: 5
    • SharePoint: 4
    • Azure (including Service Fabric): 3
    • Visual Studio: 2
    • .NET: 1

[Figure: bar chart showing a very Windows-heavy load of patches for October 2022]

Figure 2: Windows, Windows, Windows

Notable Vulnerabilities

Not Present: Exchange

System administrators should continue to monitor Microsoft communications for changes and updates regarding the two active Exchange Server vulnerabilities. Sophos will continue to add protections as those become available.

CVE-2022-22035, CVE-2022-24504, CVE-2022-30198, CVE-2022-33634, CVE-2022-38000, CVE-2022-38047, CVE-2022-41081: Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerabilities

A collection of no fewer than seven Critical remote code execution bugs in the Windows Point-to-Point Tunneling Protocol (PPTP). Microsoft assesses all of them as less likely to be exploited, and there is no sign of in-the-wild exploitation at the time of going to press. According to the CVSS metric, the attack complexity is high: an attacker would have to craft a malicious PPTP packet, send it to a PPTP server, and win a race condition in order to obtain remote code execution.
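Because these seven bugs only matter on hosts that actually accept PPTP connections, the first triage question is "which of my Windows machines are PPTP servers?". The helper below is an added example (not code from the Sophos post or from Microsoft) that answers it for one host; it assumes an elevated Windows PowerShell 5.1 or later session with the NetTCPIP and NetSecurity modules present, and the firewall filter it applies is my own construction.

```powershell
# Added example: is this Windows host exposed as a PPTP server?
# PPTP uses a TCP 1723 control channel plus GRE (IP protocol 47) for tunnelled data,
# and on Windows the server side lives in the Routing and Remote Access (RemoteAccess) service.
function Get-PptpExposure {
    $result = [ordered]@{
        RemoteAccessService = 'absent'
        Pptp1723Listening   = $false
        AllowingFirewallRules = @()
        Exposed             = $false
    }

    # No RemoteAccess service at all means the PPTP server role is not installed.
    $svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    if ($svc) { $result.RemoteAccessService = $svc.Status.ToString() }

    # Is anything actually listening on the PPTP control port?
    $listen = Get-NetTCPConnection -LocalPort 1723 -State Listen -ErrorAction SilentlyContinue
    $result.Pptp1723Listening = [bool]$listen

    # Enabled inbound allow rules that admit TCP 1723 or GRE (protocol 47).
    # Rule display names differ by locale, so match on the port filter, not the name.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            ($pf.Protocol -eq 'TCP' -and $pf.LocalPort -contains '1723') -or ($pf.Protocol -eq '47')
        }
    $result.AllowingFirewallRules = @($rules | Select-Object -ExpandProperty DisplayName)

    # Reachable PPTP service = running RRAS and a live listener; the firewall list tells you
    # whether remote hosts can actually get to it.
    $result.Exposed = ($result.RemoteAccessService -eq 'Running') -and $result.Pptp1723Listening
    [pscustomobject]$result
}

Get-PptpExposure | Format-List
```

A host that reports Exposed = True and at least one allowing rule should be at the front of the queue for this month's cumulative update; one that reports the service absent can be deprioritised for these seven CVEs.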

CVE-2022-38048, CVE-2022-38049, CVE-2022-41031: Office/Word Remote Code Execution Vulnerabilities

Several Critical Office vulnerabilities appear this month, all of which could lead to remote code execution if successfully exploited. It’s worth noting that with all three of these bugs, the attack vector itself is local, and user interaction is required. An attacker would need to craft a file designed to exploit the vulnerability and send the file to a victim – so there’d probably be an element of social engineering involved as well. While the bugs are rated Critical, there are some upsides: Microsoft assesses exploitation as less likely in both older and newer product versions, and the Preview Pane isn’t an attack vector.

CVE-2022-37987 and CVE-2022-37989: Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerabilities

A brace of Important privilege escalation vulnerabilities in the Windows Client Server Run-time Subsystem (CSRSS), both of which are rated as more likely to be exploited in both older and newer versions and could result in an attacker gaining SYSTEM privileges. As with most of the bugs so far this month, there’s no evidence they’ve been exploited in the wild or publicly disclosed.

CVE-2022-38022: Windows Kernel Elevation of Privilege Vulnerability

An odd little item with a very low (3.1) CVSS, this vuln is interesting not because what it does is so hilariously specific – as per Microsoft, the ability to delete an empty folder on a file system – but because it’s a reminder that in a world of chained attacks, a tiny flaw such as this should be patched because it can be part of a bigger attack sequence.

[Figure: cumulative bulletin tally for 2022]

Figure 3: Elevation of privilege continues to dominate the patches released in 2022

Sophos protection


(Ever wondered about behavior names, by the way? Sophos’ naming conventions line up with the MITRE ATT&CK framework. Details are available elsewhere on our site.)

As every month, if you don’t want to wait for your system to pull down the updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your particular system’s architecture and build number.
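The same build, version and architecture details that winver.exe shows can be read from the registry and turned straight into the wording the Update Catalog uses in its listing names. The function below is an added example, not code from the Sophos post or from Microsoft; it assumes Windows 10 or 11 (the Windows 10/11 split at build 22000 is my assumption, and Windows Server builds are not handled), and the "yyyy-MM Cumulative Update for ... Version ... for ...-based Systems" listing pattern is likewise my assumption.

```powershell
# Added example: work out which Cumulative Update listing to look for in the Update Catalog.
function Get-CumulativeUpdateSearchTerm {
    param(
        # Patch Tuesday month in the catalog's yyyy-MM form; defaults to the current month.
        [string]$Month = (Get-Date -Format 'yyyy-MM')
    )

    # These are the values winver.exe renders as "Version 21H2 (OS Build 19044.2130)".
    $nt    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$nt.CurrentBuild

    # Assumption: build 22000 and above is Windows 11, earlier builds are Windows 10.
    $product = if ($build -ge 22000) { 'Windows 11' } else { 'Windows 10' }

    # DisplayVersion (e.g. 21H2) exists from 20H2 on; older releases only carry ReleaseId (e.g. 1809).
    $version = if ($nt.DisplayVersion) { $nt.DisplayVersion } else { $nt.ReleaseId }

    # Use the OS architecture, not the shell's: a 32-bit PowerShell on 64-bit Windows reports x86.
    $osArch = if ([Environment]::Is64BitOperatingSystem) {
        if ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } else { $env:PROCESSOR_ARCHITECTURE }
    } else { 'x86' }
    $arch = switch ($osArch) {
        'AMD64' { 'x64-based Systems' }
        'ARM64' { 'ARM64-based Systems' }
        'x86'   { 'x86-based Systems' }
        default { "$osArch-based Systems" }
    }

    [pscustomobject]@{
        Build        = "$build.$($nt.UBR)"   # matches the "OS Build" shown by winver.exe
        Product      = $product
        Version      = $version
        Architecture = $arch
        SearchTerm   = "$Month Cumulative Update for $product Version $version for $arch"
    }
}

# For this month's release the search term is the 2022-10 listing for the local build.
Get-CumulativeUpdateSearchTerm -Month '2022-10'
```

Paste the SearchTerm value into the catalog's search box, then confirm the KB in the result matches the build number before installing.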
