Microsoft’s October Patch Tuesday update addressed a total of 85 security vulnerabilities, including a fix for a zero-day flaw that is being actively exploited in the wild.
Of the 85 defects, 15 were rated Critical, 69 were rated Important, and one was rated medium in severity. The update, however, does not include mitigations for the ProxyNotShell flaws actively exploited in Exchange Server.
The patches come alongside updates to fix 12 other bugs in the Chromium-based Edge browser that have been released since the beginning of the month.
At the top of this month’s patch list is CVE-2022-41033 (CVSS score: 7.8), a privilege escalation vulnerability in the Windows COM+ Event System Service. An anonymous researcher is credited with reporting the issue.
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” the company said in an advisory, warning that the flaw is being actively weaponized in real-world attacks.
The nature of the flaw also means that it is likely to be chained with other flaws to escalate privileges and perform malicious actions on the infected host.
“This specific vulnerability is a local privilege escalation, meaning an attacker would already have to have code running on a host to use this exploit,” said Kev Breen, director of cyber threat research at Immersive Labs.
Three other elevation of privilege vulnerabilities of note relate to Windows Hyper-V (CVE-2022-37979, CVSS score: 7.8), Active Directory Certificate Services (CVE-2022-37976, CVSS score: 8.8), and Azure Kubernetes-enabled Cluster Connect (CVE-2022-37968, CVSS score: 10.0).
Despite the “Least Likely Exploitation” tag for CVE-2022-37968, Microsoft noted that successful exploitation of the flaw could allow an “unauthenticated user to elevate their privileges as cluster administrators and potentially gain control over Kubernetes cluster”.
Elsewhere, CVE-2022-41043 (CVSS score: 3.3) — an information disclosure vulnerability in Microsoft Office — is listed as publicly known at the time of publication. It can be exploited to extract user credentials and other potentially sensitive information, Microsoft said.
Also fixed by Redmond are eight privilege escalation flaws in the Windows Kernel, 11 remote code execution flaws in Windows Point-to-Point Tunneling Protocol and SharePoint Server, and another elevation of privilege vulnerability in the Print Spooler module (CVE-2022-38028, CVSS score: 7.8).
Finally, the Patch Tuesday update further addresses two additional privilege escalation flaws in Windows Workstation Service (CVE-2022-38034, CVSS score: 4.3) and Remote Server Service Protocol (CVE-2022-38045, CVSS score: 8.8).
Web security company Akamai, which discovered the two flaws, said they “take advantage of a design flaw that allows the bypass of [Microsoft Remote Procedure Call] security calls via caching.”
Software patches from other vendors
Apart from Microsoft, security updates have also been released by several vendors to fix dozens of vulnerabilities, including –