It’s the second week of the month, which means it’s time for Microsoft’s scheduled monthly security update. As has become all too familiar to Microsoft users, this month’s Patch Tuesday update confirms yet more zero-day (0Day) security vulnerabilities, including one that Microsoft says is being actively exploited.
October Patch Tuesday: 84 vulnerabilities, 13 critical-rated, 2 zero-days
With some 84 vulnerabilities, this is far from the biggest Patch Tuesday event of the year. However, 13 have a critical severity rating, and two are 0Days.
Microsoft defines an 0Day as a security vulnerability with no official fix available when it is publicly disclosed or found to be under active attack.
In the case of CVE-2022-41033, which Microsoft confirms is being actively exploited in the wild but provides no further exploitation information, the flaw impacts almost every version of Windows. “All versions of Windows, starting with Windows 7 and Windows Server 2008, are vulnerable,” Mike Walters, vice-president of vulnerability and threat research at Action1, said.
Why is fixing CVE-2022-41033 so important?
It doesn’t get the highest severity classification, coming in with a CVSS rating of 7.8. Still, Walters says, “there has been an exploit for this vulnerability for a long time now, and it can be easily combined with an RCE exploit.” This ups the security stakes somewhat, as this elevation-of-privilege vulnerability can give an attacker full system privileges. Sure, the mitigating factor is that to exploit CVE-2022-41033 successfully, an attacker needs local access, but exploit-chaining quickly dilutes that. Aimed at the Windows COM+ Event System, which launches with the operating system by default, this vulnerability needs to be patched as soon as possible.
Some 39 of the vulnerabilities addressed are elevation-of-privilege flaws, which comes as little surprise, as these are amongst the most valuable security flaws from an attacker’s perspective.
You can find more details of all the vulnerabilities fixed by the October Patch Tuesday update at this excellent SANS Internet Storm Center resource, which includes CVE links to the National Institute of Standards and Technology (NIST) National Vulnerability Database.
Microsoft fails to fix two Exchange Server 0Days still being exploited
Unfortunately, there remain two zero-day vulnerabilities, still actively exploited by attackers, that Microsoft has yet to fix: namely CVE-2022-41040 and CVE-2022-41082, which I reported on last month. Fixes for the Exchange Server 0Day vulnerabilities are, Microsoft confirmed, not included in this update and will be released “when they are ready.”