On Tuesday, the tech giant Microsoft sent a fix for the cancellation 64 new security flaws included in the software lineup, including one zero-day flaw actively used in real-world attacks.
Out of 64 errors, five were rated as Critical, 57 as Significant, one as Moderate, and one as low. Patches are optional 16 weaknesses Microsoft filed for its Chromium-based Edge browser earlier this month.
“In terms of CVEs released, this Patch Tuesday may seem lighter than other months,” said Bharat Jogi, director of vulnerability and threat research at Qualys, in a statement shared with The Hacker News.
“However, this month reached a significant milestone for the calendar year, with MSFT setting the 1,000th CVE of 2022 – likely on track to surpass 2021, which set a total of 1,200 CVEs.”
The said vulnerability is actively exploited CVE-2022-37969 (CVSS score: 7.8), an elevation of privilege flaw affecting the Windows Common Log File System (CLFS) A driver that can be used by an adversary to gain SYSTEM privileges on an already compromised asset.
“An attacker must already have access and the ability to execute code on the target system. This technique does not allow remote code execution if the attacker no longer has that ability on the target system,” Microsoft said in an advisory.
Greg Wiseman, Rapid7’s product manager, said in a statement that the tech giant credited four different teams of researchers — CrowdStrike, DBAPPSecurity, Mandiant and Zscaler — for reporting the flaw, which may indicate widespread exploitation in the wild.
CVE-2022-37969 is also the second actively exploited zero-day flaw in the CLFS component. CVE-2022-24521 (CVSS score: 7.8), the latter of which was addressed by Microsoft as part of the April 2022 Patch Tuesday updates.
It is not immediately clear whether CVE-2022-37969 is a patch transition for CVE-2022-24521. Other critical flaws of the record are:
- CVE-2022-34718 (CVSS score: 9.8) – Windows TCP/IP Remote Code Execution Vulnerability
- CVE-2022-34721 (CVSS Score: 9.8) – Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
- CVE-2022-34722 (CVSS Score: 9.8) – Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
- CVE-2022-34700 (CVSS Score: 8.8) – Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
- CVE-2022-35805 (CVSS Score: 8.8) – Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
Microsoft said of CVE-2022-34721 and CVE-2022-34722: “An unauthenticated attacker could send a specially crafted IP packet to a target machine running Windows and enabling IPSec, which could allow a remote code execution exploit.”
Also, 15 remote code execution vulnerabilities are addressed by Microsoft Microsoft ODBC DriverFive privilege escalation bugs involving Microsoft OLE DB Provider and Windows Kerberos and Windows Kernel for SQL Server and Microsoft SharePoint Server.
In the September issue Print Spooler module (CVE-2022-38005CVSS score: 7.8) can be abused to gain SYSTEM-level permissions.
Finally, the lineup of security updates includes a fix released by chipmaker Arm for a speculative execution vulnerability. Branch History Injection or Spektr-BHB (CVE-2022-23960) surfaced earlier this March.
“This class of vulnerabilities is a major headache for organizations trying to mitigate because they often require operating systems, software updates, and in some cases, application redesign and hardening,” Jogi said. “If an attacker successfully exploits this type of vulnerability, they can gain access to sensitive data.”
Software Patches from Other Vendors
Apart from Microsoft, security updates have also been released by other vendors to fix dozens of vulnerabilities since the beginning of the month, including –