Tech giant Microsoft sent out fixes for cancellation on Tuesday 64 new security flaws in its software lineup, which includes a zero-day flaw that has been actively exploited in real-world attacks.
Of the 64 bugs, five have been rated as severe, 57 as critical, one as moderate and one as low severity. in addition to the patch 16 Weaknesses Which Microsoft addressed earlier this month in its Chromium-based Edge browser.
Bharat Jogi, director of vulnerability and threat research at Qualys, said in a statement shared with The Hacker News, “In terms of the CVEs released, this Patch Tuesday may appear to be on the lighter side compared to other months.” “
“While this month hit a major milestone for the calendar year, MSFT fixed the 1000th CVE of 2022 – likely to surpass 2021 which is an overall CVE of 1,200.”
There is an actively exploited vulnerability in question CVE-2022-37969 (CVSS score: 7.8), a privilege escalation flaw affecting the Windows Common Log File System (CLFS) driver, which can be leveraged by an adversary to gain system privileges on an already compromised asset.
Microsoft said in an advisory, “An attacker must already have access and the ability to run code on the target system. This technology does not allow remote code execution in cases where the attacker already has access to the code on the target system.” He doesn’t have that ability.”
The tech giant credits four different sets of researchers from CrowdStrike, DBAppSecurity, Mandient and Zsklar with reporting the flaw, which could be a sign of widespread exploitation in the wild, Rapid7 product manager Greg Wiseman said in a statement. Told.
CVE-2022-37969 is also the second actively used zero-day flaw in the CLFS component CVE-2022-24521 (CVSS score: 7.8), the latter of which was resolved by Microsoft as part of its April 2022 Patch Tuesday update.
It is not immediately clear whether CVE-2022-37969 bypasses the patch for CVE-2022-24521. Other important demerits of the note are as follows –
- CVE-2022-34718 (CVSS Score: 9.8) – Windows TCP/IP Remote Code Execution Vulnerability
- CVE-2022-34721 (CVSS score: 9.8) – Windows Internet Key Exchange (IKE) Protocol Extension Remote Code Execution Vulnerability
- CVE-2022-34722 (CVSS score: 9.8) – Windows Internet Key Exchange (IKE) Protocol Extension Remote Code Execution Vulnerability
- CVE-2022-34700 (CVSS score: 8.8) – Microsoft Dynamics 365 (on-premises) remote code execution vulnerability
- CVE-2022-35805 (CVSS score: 8.8) – Microsoft Dynamics 365 (on-premises) remote code execution vulnerability
Microsoft said of CVE-2022-34721 and CVE-2022-34722, “An unauthorized attacker can send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which Remote code execution may enable exploits.”
15 Remote Code Execution Errors Also Solved By Microsoft Microsoft ODBC DriverFive privilege escalation bugs spanning the Microsoft OLE DB provider for SQL Server, and Microsoft SharePoint Server and Windows Kerberos and the Windows kernel.
Even more notable is the September release for patching another upgrade of privilege vulnerability in the Print Spooler module (CVE-2022-38005CVSS score: 7.8) which can be misused to obtain system-level permissions.
Finally, included in the raft of security updates is a fix released by chipmaker Arm for a speculative execution vulnerability called branch history injection either ghost-bhb (CVE-2022-23960) that came out earlier this March.
“This class of vulnerabilities has become a major headache for mitigation organizations, as they often require updates to the operating system, firmware and in some cases, recompiling and hardening of applications,” Jogi said. “If an attacker successfully exploits this type of vulnerability, they can gain access to sensitive information.”
Software patches from other vendors
In addition to Microsoft, security updates have been released by other vendors since the beginning of the month to fix dozens of vulnerabilities, including –