Microsoft fixed a total of 63 vulnerabilities with its September Patch Tuesday updates. These include five vulnerabilities that Microsoft classifies as critical and two 0-day vulnerabilities.
On Patch Day, September 13, Microsoft released a number of updates that fix 63 vulnerabilities, only about half as many as in August. Microsoft classifies five vulnerabilities as critical and the rest as high risk. The vulnerabilities affect Windows, Office and Dynamics 365, among other products. One Windows vulnerability (CVE-2022-37969) is already being exploited in attacks. Microsoft offers only sparse details on the vulnerabilities in its Security Update Guide, so anyone who wants specifics has to dig through it themselves. Dustin Childs presents the Update Tuesday topic much more clearly in the Trend Micro ZDI blog, always with an eye on admins who look after company networks.
The most recent security update for Edge is version 105.0.1343.27 from September 2. It is based on Chromium 105.0.5195.102 and fixes a 0-day vulnerability; Google released the corresponding security update for Chrome on the same day. Microsoft released Edge 105.0.1343.33 on September 8, but that update does not fix any further vulnerabilities.
Microsoft fixed seven vulnerabilities in its Office products in September and rates all of them as high risk. They allow code to be injected and executed (RCE: remote code execution). Four of them concern SharePoint in particular; these SharePoint vulnerabilities are reminiscent of a similar flaw that Iranian attackers recently used against Albanian authorities. The five RCE vulnerabilities in the ODBC driver can be used to attack Access users with crafted MDB files.
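Since the Edge fix is tied to a specific build, the practical check on a Windows machine is whether the installed Edge is at or above that build. The following PowerShell snippet is an added example, not from the article or from Microsoft; it assumes the default per-machine Edge install path and takes the patched version number from the text above.

```powershell
# Added example (not from the original article): compare the installed Edge
# build on this machine against the patched version named in the article.
$patched = [version]'105.0.1343.27'   # version stated in the article

# Default per-machine install path of Edge (assumption); adjust for per-user installs.
$edgeExe = Join-Path ${env:ProgramFiles(x86)} 'Microsoft\Edge\Application\msedge.exe'

if (-not (Test-Path $edgeExe)) {
    Write-Output "Edge not found at $edgeExe"
    return
}

# msedge.exe carries its product version in the file metadata, e.g. 105.0.1343.27
$installed = [version](Get-Item $edgeExe).VersionInfo.ProductVersion

# [version] comparison is numeric per component, so 105.0.1343.9 < 105.0.1343.27
if ($installed -ge $patched) {
    Write-Output "OK: Edge $installed is at or above $patched"
} else {
    Write-Output "ACTION NEEDED: Edge $installed is below $patched; update Edge"
}
```

Casting to `[version]` matters: a plain string comparison would order "105.0.1343.9" after "105.0.1343.27" and report a vulnerable build as patched.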
Vulnerabilities in Windows
The majority of the vulnerabilities, 48 this month, are spread across the various Windows versions (8.1 and newer) for which Microsoft still offers security updates to everyone. Windows 7 and Server 2008 R2 are still listed in the security reports, but only organizations participating in the paid ESU program receive updates for them.
Windows under attack
The vulnerability CVE-2022-37969 in the Common Log File System (CLFS) driver is already being exploited in attacks. In a typical scenario, a logged-in user opens a specially crafted file containing malicious code that then runs with SYSTEM privileges. Four security companies reported the vulnerability to Microsoft, which suggests broader exploitation. Microsoft rates this vulnerability as high risk.
A second 0-day vulnerability rated high risk (CVE-2022-23960) affects only Windows 11 on ARM-based systems. The information leak lies in ARM CPUs and is also known as “Spectre-BHB”. The vulnerability was publicly known beforehand, but no attacks exploiting it have been observed.
Critical Windows vulnerabilities
In Windows, Microsoft has eliminated three vulnerabilities rated critical. Two of them (CVE-2022-34721 and CVE-2022-34722) affect the Internet Key Exchange (IKE) protocol and could be exploited to inject and execute code. The third critical vulnerability (CVE-2022-34718) was discovered by an external security researcher in the TCP/IP stack: if the IPsec service is active, an attacker could inject code using crafted IPv6 packets and execute it with elevated privileges.
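Because the TCP/IP flaw is only reachable when IPsec is active and IPv6 is in use, a defender's first triage question is which machines actually expose that combination. The PowerShell snippet below is an added example, not from the article or from Microsoft; it assumes that "IPsec service" corresponds to the Windows services IKEEXT (IKE and AuthIP IPsec Keying Modules) and PolicyAgent (IPsec Policy Agent), which is an assumption about the article's wording, and it only reports state so that patching can be prioritized.

```powershell
# Added example (not from the original article): exposure triage for the
# IPsec/IPv6 vulnerability described above. Assumption: the "IPsec service"
# the article refers to is IKEEXT and/or PolicyAgent; adjust if your mapping differs.
$ipsecServices = 'IKEEXT', 'PolicyAgent'

foreach ($name in $ipsecServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Output "$name : not present on this system"
    } else {
        Write-Output "$name : $($svc.Status) (start type: $($svc.StartType))"
    }
}

# The attack vector named in the article is crafted IPv6 packets, so list
# adapters where the IPv6 protocol binding (ms_tcpip6) is enabled.
$ipv6Bindings = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled
if ($ipv6Bindings) {
    Write-Output "IPv6 is enabled on: $($ipv6Bindings.Name -join ', ')"
} else {
    Write-Output "IPv6 is not bound on any adapter"
}

# Active IPsec security associations indicate IPsec is in real use, not just installed.
$saCount = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue).Count
Write-Output "Active IPsec main mode SAs: $saCount"
```

A host with a running IPsec service and IPv6 bound on a network-facing adapter belongs at the front of the patch queue; a host where both are absent is less exposed but still needs the update, since the vulnerable code is present regardless.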
RCE vulnerabilities in codecs
The manufacturer has fixed a vulnerability (CVE-2022-38019) in the AV1 video codec from the Microsoft Store, as well as one in the Raw Image Extension (CVE-2022-38011). Attackers could exploit both to inject and execute code with prepared files (videos, photos). The updates are delivered automatically via the Microsoft Store, independently of the other Windows updates.
Vulnerabilities in Dynamics 365
In Dynamics 365 (on-premises installation), Microsoft has closed two vulnerabilities that it classifies as critical. A logged-in user could carry out SQL injection attacks and run arbitrary SQL commands in the Dynamics database as db_owner.
Extended Security Updates (ESU)
Companies and organizations participating in Microsoft’s paid ESU program for Windows 7 or Server 2008 R2 receive updates this month that close 36 vulnerabilities. These include the three critical Windows vulnerabilities mentioned above as well as the 0-day vulnerability CVE-2022-37969.
September also brings a new version of the Windows Malicious Software Removal Tool. The next scheduled Update Tuesday is October 11, 2022.