Microsoft released fixes for a Windows zero-day and a publicly disclosed vulnerability on October Patch Tuesday but security updates for two Exchange Server zero-days discovered last month are still in limbo.
Microsoft addressed 89 unique CVEs this month, a count that includes five security updates reissued from August to correct problems with Exchange Server functionality. Thirteen of the October Patch Tuesday security updates were rated critical.
Windows zero-day tops the patching priority list
The Windows zero-day is a Windows COM+ Event System Service elevation-of-privilege vulnerability (CVE-2022-41033) rated important. This bug does not require user interaction, and a successful exploit of the vulnerability could give the attacker system privileges.
This zero-day affects every supported Windows OS, including Windows 7 and Windows Server 2008/R2 in the Extended Security Updates program, which should provide extra incentive for administrators to promptly deploy the October Patch Tuesday fixes.
“It's only rated important, but because it's been exploited in the wild, there's a higher risk associated. People should be prioritizing this more urgently,” said Chris Goettl, vice president of product management for security products at Ivanti, an IT asset and endpoint management company.
Outlook for Mac public disclosure resolved
The public disclosure is a Microsoft Office information disclosure vulnerability (CVE-2022-41043) rated important for two products running on macOS: Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021. The bug specifically affects Outlook for Mac, and Microsoft stipulated that the preview pane is not an attack vector for the vulnerability. An attacker who successfully exploited the flaw could retrieve user tokens or other sensitive information. The Common Vulnerability Scoring System (CVSS) rating is relatively low at 3.3, indicating minimal danger.
“While it was publicly disclosed, the code maturity is still listed as unproven, so there are no real samples of exploit code available,” Goettl said. “While the public disclosure points to a problem, a threat actor will not have a workable sample to start building off of right away.”
Exchange Server zero-days remain unpatched
Besides its mitigation instructions for two Exchange Server zero-days, Microsoft had no further relief for administrators who had to act quickly after a Sept. 29 blog by the Microsoft Security Response Center indicated the on-premises email platform was under attack.
The company disclosed an Exchange Server elevation-of-privilege vulnerability (CVE-2022-41040) and an Exchange Server remote code execution vulnerability (CVE-2022-41082) — security researcher Kevin Beaumont dubbed the pair of CVEs ProxyNotShell — and issued guidance to protect Microsoft Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019. Microsoft indicated an attacker would need to authenticate to exploit either Exchange zero-day.
On October Patch Tuesday, Microsoft distributed its October Exchange Server security updates but indicated the two zero-day flaws were not addressed in the release. The company said the zero-day patches would be released when they were ready.
Microsoft released a URL Rewrite rule mitigation for CVE-2022-41040 and advised customers to disable remote PowerShell for any user who was not an administrator to stop attacks based on the CVE-2022-41082 vulnerability.
Microsoft issued several updates to the URL Rewrite rule mitigation to block specific request patterns. Customers who enabled the Exchange Emergency Mitigation Service (EEMS) — available after installing the September 2021 cumulative update (CU) or later on Exchange Server 2016 or Exchange Server 2019 — or who used the Microsoft utility called the Exchange On-premises Mitigation Tool v2 received these defensive changes automatically. Without either of those, administrators would need to apply the rule changes manually in IIS Manager on the Exchange Server.
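The second mitigation above, disabling remote PowerShell for every user who is not an administrator, is easy to describe but tedious to do by hand. The following script is an added example, not code from the article or from Microsoft's guidance; it assumes an Exchange Management Shell session on the on-premises server and that the organisation's administrators are members of the three built-in role groups named in `$adminRoleGroups` (adjust the list if custom role groups are in use).

```powershell
# Added example: audit who still has remote PowerShell access and disable it
# for non-administrators, as recommended for the CVE-2022-41082 mitigation.
# Assumption: admins are direct members of these built-in role groups
# (nested group membership is not expanded here).
$adminRoleGroups = @('Organization Management', 'Server Management', 'Recipient Management')

# Build a lookup of administrator accounts so they keep remote PowerShell.
$adminIds = @{}
foreach ($group in $adminRoleGroups) {
    Get-RoleGroupMember -Identity $group -ErrorAction SilentlyContinue |
        ForEach-Object { $adminIds[$_.DistinguishedName] = $true }
}

# Every user that can currently open a remote PowerShell session.
$enabledUsers = Get-User -ResultSize Unlimited |
    Where-Object { $_.RemotePowerShellEnabled -eq $true }

# Keep only the accounts that are not in an admin role group.
$toDisable = $enabledUsers |
    Where-Object { -not $adminIds.ContainsKey($_.DistinguishedName) }

# Report first so the change can be reviewed before it is applied.
"$($enabledUsers.Count) users have remote PowerShell enabled; $($toDisable.Count) are non-admins."
$toDisable | Select-Object Name, UserPrincipalName, RecipientTypeDetails | Format-Table -AutoSize

# -WhatIf only shows what would change; remove it to actually disable access.
foreach ($user in $toDisable) {
    Set-User -Identity $user.Identity -RemotePowerShellEnabled $false -WhatIf
}
```

Re-run the first half after the change to confirm that only the expected administrator accounts still report `RemotePowerShellEnabled` as true.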
Also related to Exchange Server, Microsoft reissued five CVEs from August Patch Tuesday (CVE-2022-21979, CVE-2022-21980, CVE-2022-24516, CVE-2022-24477 and CVE-2022-30134) to correct problems with Outlook probes. According to the company, the issues stem from the Windows Extended Protection feature introduced with the August Exchange Server security updates. Due to the effort involved with Exchange patching and the risk of accidental email downtime, some customers might want to hold off installing the October Exchange security updates.
“Unless the Outlook probe functionality is critical for you for some reason, then it's probably best to wait for the zero-day fixes to come, which I suspect will be released out-of-band rather than in another month,” Goettl said.
Other security updates of note for October Patch Tuesday
An elevation-of-privilege vulnerability (CVE-2022-37968) rated critical in the cluster connect feature of Azure Arc-enabled Kubernetes clusters has the highest possible CVSS rating of 10. An attacker who finds the randomly generated external DNS endpoint for the cluster and successfully exploits this flaw could get administrative control over the Kubernetes cluster. Customers will want to either follow the mitigation guidance for manual updates or use the automatic upgrade option to receive the fix.
Two elevation-of-privilege vulnerabilities affecting Active Directory warrant prompt administrative attention. CVE-2022-37976 is a critical bug in Active Directory Certificate Services with a CVSS rating of 8.8, and CVE-2022-38042 is a flaw rated important in Active Directory Domain Services. Microsoft indicated a successful exploit of either vulnerability could give the attacker domain administrator privileges.