Tech giant Microsoft on Tuesday released patches to eliminate 64 new security flaws in its software lineup, including a zero-day flaw that has been actively exploited in real-world attacks.
Of the 64 bugs, five are rated critical, 57 are rated important, one is rated moderate, and one is rated low in severity. The patches are in addition to 16 vulnerabilities that Microsoft patched in its Chromium-based Edge browser earlier this month.
“In terms of published CVEs, this Patch Tuesday may appear lighter compared to other months,” Bharat Jogi, director of vulnerability and threat research at Qualys, said in a statement shared with The Hacker News.
“However, this month marked a major milestone for the calendar year, with MSFT fixing the 1,000th CVE of 2022 – likely on track to surpass 2021 which fixed 1,200 CVEs in total.”
The actively exploited vulnerability in question is CVE-2022-37969 (CVSS score: 7.8), an elevation of privilege flaw affecting the Windows Common Log File System (CLFS) driver, which could be exploited by an adversary to obtain the SYSTEM privileges on an already compromised system. asset.
“An attacker must already have access and the ability to execute code on the target system. This technique does not allow remote code execution in cases where the attacker does not already have this ability on the target system “Microsoft said in a notice.
The tech giant credited four different groups of researchers from CrowdStrike, DBAPPSecurity, Mandiant and Zscaler for reporting the flaw, which may be an indication of widespread exploitation in the wild, said Greg Wiseman, product manager at Rapid7, in a press release.
CVE-2022-37969 is also the second actively exploited zero-day flaw in the CLFS component after CVE-2022-24521 (CVSS score: 7.8), the latter having been addressed by Microsoft as part of its security updates. April 2022.
It’s not immediately clear if CVE-2022-37969 is a fix bypass for CVE-2022-24521. Other critical flaws to note are as follows –
- CVE-2022-34718 (CVSS Score: 9.8) – Windows TCP/IP Remote Code Execution Vulnerability
- CVE-2022-34721 (CVSS Score: 9.8) – Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
- CVE-2022-34722 (CVSS Score: 9.8) – Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
- CVE-2022-34700 (CVSS Score: 8.8) – Microsoft Dynamics 365 Remote Code Execution Vulnerability (on-premises)
- CVE-2022-35805 (CVSS Score: 8.8) – Microsoft Dynamics 365 Remote Code Execution Vulnerability (on-premises)
“An unauthenticated attacker could send a specially crafted IP packet to a target machine running Windows that has IPSec enabled, which could allow remote code execution exploitation,” Microsoft said of CVE-2022. -34721 and CVE-2022-34722.
Microsoft also addressed 15 remote code execution flaws in Microsoft ODBC DriverMicrosoft OLE DB Provider for SQL Server and Microsoft SharePoint Server and five privilege escalation bugs covering Windows Kerberos and Windows kernel.
The September release is additionally notable for fixing another elevation of privilege vulnerability in the Print Spooler module (CVE-2022-38005, CVSS score: 7.8) that could be abused to gain permissions at SYSTEM level.
Finally, the series of security updates includes a fix released by chipmaker Arm for a speculative execution vulnerability called Branch History Injection or Spectre-BHB (CVE-2022-23960) that was disclosed earlier in March. .
“This class of vulnerabilities poses a big headache for organizations trying to mitigate them, as they often require updates to operating systems, firmware, and in some cases application recompilation and hardening,” Jogi said. “If an attacker successfully exploits this type of vulnerability, they could gain access to sensitive information.”
Software patches from other vendors
Apart from Microsoft, security updates have also been released by other vendors since the beginning of the month to fix dozens of vulnerabilities including –
#Microsofts #latest #security #update #fixes #flaws #including #day