Microsoft released fixes for a Windows zero-day and a publicly disclosed vulnerability on Patch Tuesday in October, but security updates for two Exchange Server zero-days discovered last month are still in limbo.
In total, Microsoft addressed 89 unique CVEs this month, including five security updates originally released in August that were reissued to address issues affecting Exchange Server functionality. Thirteen of October's Patch Tuesday security updates were rated critical.
Windows zero-day tops patching priority list
The Windows zero-day is an elevation of privilege vulnerability in the Windows COM+ Event System Service (CVE-2022-41033) that is rated critical. The bug requires no user interaction, and successful exploitation could give the attacker system privileges.
This zero-day affects every supported Windows operating system, including Windows 7 and Windows Server 2008/R2 in the Extended Security Updates program, which should give administrators an additional incentive to deploy the October Patch Tuesday fixes immediately.
"It's only considered important, but because it's being exploited in the wild, there's a greater risk involved. People should give this more urgent priority," said Chris Goettl, vice president of product management for security products at Ivanti, an IT and endpoint management company.
Outlook for Mac public disclosure fixed
The publicly disclosed bug is an information disclosure vulnerability in Microsoft Office (CVE-2022-41043) that is rated important for two products running on macOS: Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021. The flaw specifically affects Outlook for Mac, and Microsoft determined that the preview pane is not an attack vector. Successful exploitation could allow an attacker to retrieve user tokens or other sensitive information. The Common Vulnerability Scoring System (CVSS) score is relatively low at 3.3, indicating that the danger is minimal.
"Although it was made public, the maturity of the code is still listed as unproven, so no real samples of exploit code are available," Goettl said. "While the disclosure certainly points to a problem, a threat actor doesn't have a workable sample to start with right away."
Exchange Server zero-days remain unpatched
Beyond the earlier mitigation guidance for the two Exchange Server zero-days, Microsoft had no further relief for administrators, who had to act quickly after a September 29 blog post from the Microsoft Security Response Center indicated that the on-premises email platform was under attack.
The company disclosed an elevation of privilege vulnerability in Exchange Server (CVE-2022-41040) and an Exchange Server remote code execution vulnerability (CVE-2022-41082); security researcher Kevin Beaumont named the pair ProxyNotShell. Microsoft provided guidance to protect Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019, and noted that an attacker must be authenticated to exploit the Exchange zero-days.
On October's Patch Tuesday, Microsoft distributed its Exchange Server security updates for the month but indicated that the two zero-day bugs were not fixed in the release. The company said the zero-day patches would be released when they were ready.
Microsoft has released a URL rewrite rule mitigation for CVE-2022-41040 and advised customers to disable remote PowerShell for any non-administrator user to stop attacks based on the CVE-2022-41082 vulnerability.
Microsoft has since updated the URL rewrite rule mitigation several times to block specific request patterns. Customers who have enabled the Exchange Emergency Mitigation Service (EEMS), which is available after installing the September 2021 or later Cumulative Update (CU) on Exchange Server 2016 or Exchange Server 2019, or who have used a Microsoft tool called the Exchange On-premises Mitigation Tool v2, received these defensive changes automatically. Without either of these, administrators must update the rule manually in IIS Manager on each Exchange Server.
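The two interim measures described above can be verified from the Exchange Management Shell. The script below is an added example, not code from the article or from Microsoft: it lists every user object that still has remote PowerShell enabled, excluding members of the administrative role groups, optionally disables the flag for those accounts with `Set-User -RemotePowerShellEnabled $false`, and then reports whether EEMS is enabled on each server. The choice of `Organization Management` and `Server Management` as the definition of "administrator" is an assumption; adjust `$AdminRoleGroups` to your own delegation model.

```powershell
<#
  Added example (not from the article or Microsoft). Run from the Exchange
  Management Shell with an account that can read user objects and role groups.
  Assumption: administrators are the members of the role groups listed in
  $AdminRoleGroups. Nothing is changed unless -Remediate is supplied.
#>
[CmdletBinding()]
param(
    [string[]]$AdminRoleGroups = @('Organization Management', 'Server Management'),
    [switch]$Remediate
)

# 1. Build the allow-list of accounts that legitimately need remote PowerShell.
$adminIds = @{}
foreach ($group in $AdminRoleGroups) {
    Get-RoleGroupMember -Identity $group -ErrorAction SilentlyContinue |
        ForEach-Object { $adminIds[$_.DistinguishedName] = $true }
}

# 2. Find every user object that still has the flag set and is not on the allow-list.
$exposed = Get-User -ResultSize Unlimited |
    Where-Object { $_.RemotePowerShellEnabled -and -not $adminIds.ContainsKey($_.DistinguishedName) }

"{0} non-administrator account(s) still have remote PowerShell enabled." -f @($exposed).Count
$exposed | Select-Object Name, UserPrincipalName, RecipientType | Format-Table -AutoSize

# 3. Optionally disable it, one account at a time so any failure is attributable.
if ($Remediate) {
    foreach ($u in $exposed) {
        Set-User -Identity $u.Identity -RemotePowerShellEnabled $false
        Write-Verbose "Disabled remote PowerShell for $($u.UserPrincipalName)"
    }
}

# 4. Confirm EEMS is on, so updated URL rewrite mitigations arrive automatically.
#    Only Exchange 2016/2019 with the September 2021 CU or later expose this flag;
#    older servers report no value and need the mitigation applied by hand.
Get-ExchangeServer |
    Select-Object Name, AdminDisplayVersion, MitigationsEnabled |
    Format-Table -AutoSize
```

Run it once without `-Remediate` to review the list, then again with `-Remediate -Verbose` to apply the change; the file name is up to you. Because `Get-User` returns every user object, not just mailboxes, service and shared accounts will show up too, which is the point: any of them reachable over remote PowerShell is in scope for the CVE-2022-41082 guidance.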
Also related to Exchange Server, Microsoft reissued five CVEs from August's Patch Tuesday (CVE-2022-21979, CVE-2022-21980, CVE-2022-24516, CVE-2022-24477 and CVE-2022-30134) to address issues with Outlook probes. According to the company, the issues stem from the Windows Extended Protection feature that was introduced with the August Exchange Server security updates. Given the effort involved in patching Exchange and the risk of unintended email downtime, some customers may want to wait before installing the October Exchange security updates.
"Unless the Outlook testing functionality is critical to you for some reason, it's probably best to wait for the zero-day fixes, which I suspect will be released out-of-band rather than in any other month," Goettl said.
Other important security updates for October Patch Tuesday
An elevation of privilege vulnerability (CVE-2022-37968) in the cluster connect feature of Azure Arc-enabled Kubernetes clusters is rated critical and carries the highest possible CVSS score of 10. An attacker who discovers the randomly generated external DNS endpoint for the cluster and successfully exploits this flaw could gain administrative control over the Kubernetes cluster. Customers will need to either follow the manual upgrade guidance or use the automatic upgrade option to receive the fix.
Two elevation of privilege vulnerabilities affecting Active Directory require immediate administrator attention. CVE-2022-37976 is a critical flaw in Active Directory Certificate Services with a CVSS score of 8.8, and CVE-2022-38042 is a critical flaw in Active Directory Domain Services. Microsoft indicated that successful exploitation of either vulnerability could give the attacker domain administrator rights.