Microsoft released patches on Tuesday to address 64 new security flaws in its software, including one zero-day vulnerability that is already being actively exploited in attacks.
Of the 64 bugs, five are rated Critical, 57 Important, one Moderate, and one Low. The updates come on top of the 16 vulnerabilities Microsoft patched earlier this month in its Chromium-based Edge browser.
Bharat Jogi, director of vulnerability and threat research at Qualys, said in a statement shared with The Hacker News that “this Patch Tuesday may look on the lesser side in terms of CVEs issued in contrast to past months.”
Microsoft also fixed its 1,000th CVE of 2022 this month, a milestone that puts the year on track to surpass 2021, in which the company patched a total of 1,200 CVEs.
The actively exploited vulnerability, CVE-2022-37969 (CVSS score: 7.8), is a privilege escalation flaw in the Windows Common Log File System (CLFS) Driver that an attacker could use to gain SYSTEM privileges on a system that has already been compromised.
“To execute code on the target system, an attacker must already have access to it. If the attacker does not already have access to the target system to execute code remotely, this approach does not let it,” Microsoft stated in an advisory.
The vulnerability was reported independently by four groups of researchers, from CrowdStrike, DBAPPSecurity, Mandiant, and Zscaler, which, according to Greg Wiseman, product manager at Rapid7, may be a sign of widespread exploitation in the wild.
CVE-2022-37969 is the second actively exploited zero-day vulnerability in the CLFS component, after CVE-2022-24521 (CVSS score: 7.8), which Microsoft fixed as part of its April 2022 Patch Tuesday release.
Whether CVE-2022-37969 is a bypass of the patch for CVE-2022-24521 is not immediately clear. Other serious flaws of note are:
CVE-2022-34718 (CVSS score: 9.8) - Windows TCP/IP Remote Code Execution Vulnerability
CVE-2022-34721 (CVSS score: 9.8) - Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
CVE-2022-34722 (CVSS score: 9.8) - Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
CVE-2022-34700 (CVSS score: 8.8) - Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
CVE-2022-35805 (CVSS score: 8.8) - Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
For CVE-2022-34721 and CVE-2022-34722, Microsoft stated that an unauthenticated attacker could send a specially crafted IP packet to a target Windows machine that has IPsec enabled, triggering remote code execution.
Microsoft also fixed 15 remote code execution flaws in the Microsoft ODBC Driver, Microsoft OLE DB Provider for SQL Server, and Microsoft SharePoint Server, as well as five privilege escalation bugs affecting Windows Kerberos and the Windows Kernel.
Also noteworthy in the September release is CVE-2022-38005 (CVSS score: 7.8), the latest elevation of privilege vulnerability in the Print Spooler module, which could be exploited to obtain SYSTEM-level privileges.
Last but not least, the batch of security updates includes a fix for the Spectre-BHB branch history injection vulnerability (CVE-2022-23960), which was disclosed earlier this month.
“This type of vulnerability offers a significant challenge to the businesses trying to mitigate, since they frequently need upgrades to the operating systems, firmware, and in some cases, a recompilation of programmes and hardening,” Jogi added. “Sensitive information might be accessed if an attacker is successful in exploiting this kind of vulnerability.”