• March 23, 2023

Giada De Laurentiis Leans Into Her 5 Million Fans With Giadzy, A New Multi-Pronged Venture

Italian cook and TV personality Giada De Laurentiis has two people to thank for the success of Giadzy, her latest venture on Amazon AMZN : her Italian family and Neil Sequeira, …

JPMorgan Chase Named ‘Top Dividend Stock Of The Dow’ At Dividend Channel With 3.1% Yield

JPMorgan Chase JPM has been named as the ”Top Dividend Stock of the Dow”, according to Dividend Channel, which published its most recent ”DividendRank” report. The report noted that among the …

Instant Impact – A Rapid Approach For Showcasing Data Value

The odds are not in your favour; most investments in data fail to generate value. I recently spoke with a CEO of a large organisation, who confidently and factually stated, “I …

It’s the second week of the month, which means it’s time for Microsoft’s scheduled monthly security update. As has become all too familiar with Microsoft users, this month’s Patch Tuesday update confirms yet more Zero-Day (0Day) security vulnerabilities, including one that Microsoft says is being actively exploited.

October Patch Tuesday: 84 vulnerabilities, 13 critical-rated, 2 zero-days

With some 84 vulnerabilities, this is far from the biggest Patch Tuesday event of the year. However, 13 have a critical severity rating, and two are 0Days.

Microsoft defines an 0Day as a security vulnerability with no official fix available when it is publicly disclosed or found to be under active attack.

In the case of CVE-2022-41033, which Microsoft confirms is being actively exploited in the wild but provides no further exploitation information, it impacts most every version of Windows. “All versions of Windows, starting with Windows 7 and Windows Server 2008, are vulnerable,” Mike Walters, vice-president of vulnerability and threat research at Action1, said.

Why is fixing CVE-2022-41033 so important?

It doesn’t get the highest severity classification, coming in with a CVSS rating of 7.8. Still, Walters says, “there has been an exploit for this vulnerability for a long time now, and it can be easily combined with an RCE exploit.” This ups the security stakes somewhat, as this elevation-of-privilege vulnerability can give an attacker full system privileges. Sure, the mitigating factor is that to exploit CVE-2022-41033 successfully, an attacker needs local access, but exploit-chaining quickly dilutes that. Aimed at the Windows COM+ Event System, which launches with the operating system by default, this vulnerability needs to be patched as soon as possible.


Some 39 of the vulnerabilities addressed are elevation-of-privilege in nature, which comes as little surprise as these are amongst the most valuable security flaws in an attacker mindset.

You can find more details of all the vulnerabilities that have been fixed by the October Patch Tuesday update at this excellent Sans Internet Storm Center resource which includes CVE links to the National Institute of Standards And Technology (NIST) National Vulnerability Database.

Microsoft fails to fix two Exchange Server 0Days still being exploited

Unfortunately, there remain two zero-day vulnerabilities, still actively exploited by attackers, that Microsoft has yet to fix. Namely CVE-2022-41040 and CVE-2022-41082, which I reported on last month. Fixes for the Exchange Server 0Day vulnerabilities are, Microsoft confirmed, not included and will be released “when they are ready.”


Leave a Reply

Your email address will not be published.