Microsoft Patches 121 Vulnerabilities Including an Actively Exploited 0-Day Bug

Microsoft released updates to fix 121 CVEs on August 2022 Patch Tuesday, including two zero-day flaws, one of which is being actively exploited in the wild.

The actively exploited zero-day flaw has been dubbed DogWalk and is a vulnerability in the Windows Support Diagnostic Tool (MSDT). If exploited, an attacker could remotely execute arbitrary code on vulnerable systems. The flaw is tracked as CVE-2022-34713, and exploit code for it is publicly available. CISA has recently issued a warning to patch the flaw immediately to prevent exploitation. The flaw is not new, however. It was first identified in 2019 by security researcher Imre Rad but was misclassified as not posing a security risk. While the flaw allows RCE, it has been assigned a CVSS v3.1 severity score of 7.8, as the flaw requires user interaction to exploit, such as the opening of a specially crafted file sent in a phishing email.

The second zero-day is an information disclosure vulnerability in Microsoft Exchange Server. While the flaw has been publicly disclosed ahead of a patch being released, no functional exploit code has been released to date. The flaw is tracked as CVE-2022-30134 and has been assigned a CVSS v3.1 severity score of 7.6.

An update including 121 CVEs is a 325% increase from the previous month, and there have also been 20 flaws fixed in Microsoft Edge (Chromium-based), which brings the total up to 141. Of the 121 flaws, 17 are rated critical and 104 are rated important. Three of the critical vulnerabilities have a CVSS v3.1 severity score of 9.8 out of 10, so these, along with the actively exploited zero-day bug, should be prioritized. They are CVE-2022-30133 and CVE-2022-35744, both vulnerabilities in the Windows Point-to-Point Protocol (PPP), and CVE-2022-34691, a privilege escalation flaw in Active Directory Domain Services.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news