Microsoft Issues Patches for 121 Flaws, Including Zero-Day Under Active Attack

As many as 121 new security flaws^[1]
were patched by Microsoft as part of its Patch Tuesday updates for
the month of August, which also includes a fix for a Support
Diagnostic Tool vulnerability that the company said is being
actively exploited in the wild.

Of the 121 bugs, 17 are rated Critical, 102 are rated Important,
one is rated Moderate, and one is rated Low in severity. Two of the
issues have been listed as publicly known at the time of the
release.

It’s worth noting that the 121 security flaws are in addition to
25 shortcomings^[2]
the tech giant addressed in its Chromium-based Edge browser late
last month and the previous week.

Topping the list of patches is CVE-2022-34713^[3]
(CVSS score: 7.8), a case of remote code execution affecting the
Microsoft Windows Support Diagnostic Tool (MSDT), making it the
second flaw in the same component after Follina^[4]
(CVE-2022-30190) to be weaponized in real-world attacks^[5]
within three months.

The vulnerability is also said to be a variant of the flaw
publicly known as DogWalk^[6], which was originally
disclosed by security researcher Imre Rad in January 2020.

“Exploitation of the vulnerability requires that a user open a
specially crafted file,” Microsoft said in an advisory. “In an
email attack scenario, an attacker could exploit the vulnerability
by sending the specially crafted file to the user and convincing
the user to open the file.”

Alternatively, an attacker could host a website or leverage an
already compromised site that contains a malware-laced file
designed to exploit the vulnerability, and then trick potential
targets into clicking on a link in an email or an instant message
to open the document.

“This is not an uncommon vector and malicious documents and
links are still used by attackers to great effect,” Kev Breen,
director of cyber threat research at Immersive Labs, said. “It
underscores the need for upskilling employees to be wary of such
attacks.”

CVE-2022-34713 is one of the two remote code execution flaws in
MSDT closed by Redmond this month, the other being CVE-2022-35743^[7]
(CVSS score: 7.8). Security researchers Bill Demirkapi and Matt
Graeber have been credited with reporting the vulnerability.

Microsoft also resolved three privilege escalation flaws in
Exchange Server that could be abused to read targeted email
messages and download attachments (CVE-2022-21980^[8], CVE-2022-24477^[9], and CVE-2022-24516^[10]) and one publicly-known
information disclosure vulnerability (CVE-2022-30134^[11]) in Exchange which
could as well lead to the same impact.

“Administrators should enable Extended Protection^[12] in order to fully
remediate this vulnerability,” Greg Wiseman, product manager at
Rapid7, commented about CVE-2022-30134.

The security update further remediates multiple remote code
execution flaws in Windows Point-to-Point Protocol (PPP), Windows
Secure Socket Tunneling Protocol (SSTP), Azure RTOS GUIX Studio,
Microsoft Office, and Windows Hyper-V.

The Patch Tuesday fix is also notable for addressing dozens of
privilege escalation flaws: 31 in Azure Site Recovery, a month
after Microsoft squashed 30 similar bugs^[13] in the business
continuity service, five in Storage Spaces Direct, three in Windows
Kernel, and two in the Print Spooler module.

Software Patches from Other Vendors

Aside from Microsoft, security updates have also been released
by other vendors since the start of the month to rectify several
vulnerabilities, including —