Tech giant Microsoft on Tuesday shipped fixes to quash 64 new security flaws[1]
across its software lineup, including one zero-day flaw that has
been actively exploited in real-world attacks.
Of the 64 bugs, five are rated Critical, 57 are rated Important,
one is rated Moderate, and one is rated Low in severity. The
patches are in addition to 16 vulnerabilities[2]
that Microsoft addressed in its Chromium-based Edge browser earlier
this month.
“In terms of CVEs released, this Patch Tuesday may appear on the
lighter side in comparison to other months,” Bharat Jogi, director
of vulnerability and threat research at Qualys, said in a statement
shared with The Hacker News.
“However, this month hit a sizable milestone for the calendar
year, with MSFT having fixed the 1000th CVE of 2022 – likely on
track to surpass 2021 which patched 1,200 CVEs in total.”
The actively exploited vulnerability in question is CVE-2022-37969[3]
(CVSS score: 7.8), a privilege escalation flaw affecting the
Windows Common Log File System (CLFS[4]) Driver, which could be
leveraged by an adversary to gain SYSTEM privileges on an already
compromised asset.
“An attacker must already have access and the ability to run
code on the target system. This technique does not allow for remote
code execution in cases where the attacker does not already have
that ability on the target system,” Microsoft said in an
advisory.
The tech giant credited four different sets of researchers from
CrowdStrike, DBAPPSecurity, Mandiant, and Zscaler for reporting the
flaw, which may be an indication of widespread exploitation in the
wild, Greg Wiseman, product manager at Rapid7, said in a
statement.
CVE-2022-37969 is also the second actively exploited zero-day
flaw in the CLFS component after CVE-2022-24521[5]
(CVSS score: 7.8), the latter of which was resolved by Microsoft as
part of its April 2022 Patch Tuesday updates.
It’s not immediately clear if CVE-2022-37969 is a patch bypass
for CVE-2022-24521. Other critical flaws of note are as follows:
- CVE-2022-34718[6] (CVSS score: 9.8) – Windows TCP/IP Remote Code Execution Vulnerability
- CVE-2022-34721[7] (CVSS score: 9.8) – Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
- CVE-2022-34722[8] (CVSS score: 9.8) – Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
- CVE-2022-34700[9] (CVSS score: 8.8) – Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
- CVE-2022-35805[10] (CVSS score: 8.8) – Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
“An unauthenticated attacker could send a specially crafted IP
packet to a target machine that is running Windows and has IPSec
enabled, which could enable a remote code execution exploitation,”
Microsoft said about CVE-2022-34721 and CVE-2022-34722.
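Because the IKE flaws are only reachable on hosts that actually run the IKE service and accept IPsec key-exchange traffic, a defender's first question is which machines are exposed. The following PowerShell is an added example (not Microsoft's or The Hacker News' code) that collects the relevant facts on a Windows host: whether the IKEEXT service is running, whether any IPsec rules are active, whether the host listens on the IKE/NAT-T ports (UDP 500 and 4500), and whether a given update is installed. The KB identifier is a placeholder, since the article does not list per-build KB numbers; take it from the MSRC advisory for the host's OS build.

```powershell
# Added exposure check for the Windows IKE Protocol Extensions RCE flaws
# (CVE-2022-34721 / CVE-2022-34722). Example code, not vendor-supplied.
# Run in an elevated PowerShell session on the host being assessed.

$Report = [ordered]@{}

# 1. Is the "IKE and AuthIP IPsec Keying Modules" service present and running?
$ike = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
$Report['IKEEXT service'] = if ($ike) { $ike.Status } else { 'not present' }

# 2. Are any IPsec rules active in Windows Defender Firewall with Advanced Security?
$rules = Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue
$Report['Active IPsec rules'] = @($rules).Count

# 3. Is the host bound to the IKE (UDP 500) or NAT-T (UDP 4500) ports?
$udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
       Where-Object { $_.LocalPort -in 500, 4500 }
$Report['IKE UDP listeners'] = ($udp |
    ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }) -join ', '

# 4. Has the September 2022 update for this OS build been installed?
#    PLACEHOLDER: substitute the KB number from the MSRC advisory for this build.
$KbForThisHost = 'KB<placeholder>'
$fix = Get-HotFix -Id $KbForThisHost -ErrorAction SilentlyContinue
$Report['Update installed'] = [bool]$fix

# A host with IKEEXT running, IKE listeners bound and no update installed is
# the combination to prioritise for patching or network-level filtering.
[PSCustomObject]$Report | Format-List
```

The output is meant to be fed into an inventory rather than read host by host: run it through your endpoint-management tooling, filter for hosts where the service is running and the update is absent, and those are the patch-first set. Filtering UDP 500/4500 at the network edge for hosts that have no business terminating IPsec is a reasonable interim control while updates roll out.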
Also resolved by Microsoft are 15 remote code execution flaws in
Microsoft ODBC Driver[11], Microsoft OLE DB
Provider for SQL Server, and Microsoft SharePoint Server, along with five
privilege escalation bugs spanning Windows Kerberos and the Windows
Kernel.
The September release is further notable for patching yet
another elevation of privilege vulnerability in the Print Spooler
module (CVE-2022-38005, CVSS score: 7.8) that could be abused to
obtain SYSTEM-level permissions.
Lastly, included in the raft of security updates is a fix
released by chipmaker Arm for a speculative execution vulnerability
called Branch History Injection[12] or Spectre-BHB[13] (CVE-2022-23960) that
came to light earlier this March.
“This class of vulnerabilities poses a large headache to the
organizations attempting mitigation, as they often require updates
to the operating systems, firmware and in some cases, a
recompilation of applications and hardening,” Jogi said. “If an
attacker successfully exploits this type of vulnerability, they
could gain access to sensitive information.”
Software Patches from Other Vendors
Aside from Microsoft, security updates have also been released
by other vendors since the start of the month to rectify dozens of
vulnerabilities, including —
References
[1] 64 new security flaws (msrc.microsoft.com)
[2] 16 vulnerabilities (docs.microsoft.com)
[3] CVE-2022-37969 (msrc.microsoft.com)
[4] CLFS (docs.microsoft.com)
[5] CVE-2022-24521 (thehackernews.com)
[6] CVE-2022-34718 (msrc.microsoft.com)
[7] CVE-2022-34721 (msrc.microsoft.com)
[8] CVE-2022-34722 (msrc.microsoft.com)
[9] CVE-2022-34700 (msrc.microsoft.com)
[10] CVE-2022-35805 (msrc.microsoft.com)
[11] Microsoft ODBC Driver (twitter.com)
[12] Branch History Injection (thehackernews.com)
[13] Spectre-BHB (developer.arm.com)
Read more https://thehackernews.com/2022/09/microsofts-latest-security-update-fixes.html