October Patch Tuesday: 90+ Vulnerabilities Patched, but Not ProxyNotShell Flaws

Microsoft released patches to fix 96 vulnerabilities across its suite of products on October 2022 Patch Tuesday, including fixes for two zero-day vulnerabilities, one of which is being actively exploited in the wild. 13 of the patches address critical vulnerabilities, 71 are rated important, 1 is rated moderate, and the severity of 11 of the flaws is unknown.

In late September, Microsoft announced that two zero-day vulnerabilities had been identified that were being actively exploited in the wild. Mitigations were shared ahead of a patch being released, although those mitigations were discovered to be too narrow in scope, and did not fully prevent the flaws from being exploited. The vulnerabilities were dubbed ProxyNotShell due to their similarity to the ProxyShell vulnerabilities, with Microsoft saying patches were being developed on an accelerated timescale; however, patches for the two flaws – CVE-2022-41040 and CVE-2022-41082 – have not been included in the Patch Tuesday updates. Microsoft has confirmed that they will be released as soon as they are ready.

The two new zero days are an information disclosure vulnerability in Microsoft Office (CVE-2022-41043) and a privilege escalation vulnerability in the Windows COM+ Event System Service (CVE-2022-41033), both of which have been rated important. The latter is known to have been exploited in the wild to elevate privileges to SYSTEM level.

The critical vulnerabilities are elevation of privilege vulnerabilities in Azure Arc-enabled Kubernetes cluster Connect (CVE-2022-37968), Active Directory Certificate Services (CVE-202237976), and Windows Hyper-V (CVE-2022-37979); a Windows CryptoAPI spoofing vulnerability (CVE-2022-34689); and remote code execution vulnerabilities in Microsoft Office (CVE-2022-38048), Microsoft SharePoint Server (CVE-2022-41038), and the Windows Point-to-Point Tunneling Protocol (CVE-2022-33634, CVE-2022-22035, CVE-2022-24504, CVE-2022-38047, CVE-2022-41081, CVE-2022-30198, and CVE-2022-38000).

As always, patches should be applied as soon as possible to prevent exploitation, with priority given to the critical and actively exploited flaws.

Adobe Patches 29 Vulnerabilities

October 2022 Patch Tuesday has seen Adobe release patches to fix 30 vulnerabilities across 4 of its products: ColdFusion, Acrobat Reader, Adobe Commerce, and Adobe Dimension. The vulnerabilities affect its Windows and macOS versions and include code execution, privilege escalation, security feature bypass, and file system write vulnerabilities.

ColdFusion received patches to fix 13 vulnerabilities: 7 critical, 6 important, and one moderate flaw, including four arbitrary code execution vulnerabilities that have a CVSS v3 severity score of 9.8 out of 10.

Adobe Dimension received patches to fix 9 vulnerabilities: 8 critical, and 1 moderate flaw. 6 vulnerabilities have been fixed that affect Adobe Reader – 2 critical, and 4 important – and one flaw has been fixed in Adobe Commerce –  A cross-site scripting vulnerability with a maximum CVSS severity score of 10 which can lead to arbitrary code execution.

Despite the high severity scores for some of the vulnerabilities, all have been given a priority rating of 3, as these are products that are not typically a target for hackers; however, prompt patching is still strongly recommended.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news