IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Three critical vulnerabilities and one zero-day feature in Microsoft's September Patch Tuesday

Several issues in the monthly update require 'urgent' attention but September's Patch Tuesday only brings around half the fixes that came in August

Microsoft has released 79 total patches as part of its monthly Patch Tuesday update, addressing three critical-rated vulnerabilities and one actively exploited zero-day.

The update delivers markedly fewer updates compared to last month’s which saw 141 flaws fixed, including 17 critical-rated vulnerabilities - the second round of updates of the year.

The updates consisted of 64 CVEs affecting Microsoft products and an additional 15 tracked issues impacting the Chromium-based Microsoft Edge browser.

Of the three critical-rated vulnerabilities - those with a severity score of 9.0 or higher on the CVSS v3 scale - the standout flaw impacted systems running the IPsec protocol which encrypts all internet protocol packets in a communication session.

The remote code execution (RCE) vulnerability was marked by Microsoft as “more likely” to be exploited and could allow an unauthenticated attacker to send a specially crafted IPv6 packet to an IPsec-enabled Windows node to achieve code execution.

There is no indication that it has been exploited in the wild but with the attack complexity being thought of as ‘low’ and there being no need for any authentication at all, it is considered one of the most serious issues for IT admins to address urgently.

Tracked as CVE-2022-34718, the Zero Day Initiative (ZDI) said: “This critical-rated bug could allow a remote, unauthenticated attacker to execute code with elevated privileges on affected systems without user interaction. 

“That officially puts it into the ‘wormable’ category and earns it a CVSS rating of 9.8. However, only systems with IPv6 enabled and IPsec configured are vulnerable. While good news for some, if you’re using IPv6 (as many are), you’re probably running IPSec as well. Definitely test and deploy this update quickly.”

Both of the remaining two critical-rated vulnerabilities, both rated 9.8/10 and tracked as CVE-2022-34721 and CVE-2022-34722 respectively, impact the Windows Internet Key exchange (IKE) and can facilitate RCE.

Similar to the “exploitation more likely” CVE-2022-34718, the two other serious flaws can be carried out remotely and require no privileges in order to exploit.

“The IKE protocol is a component of IPsec used to set up security associations - relationships among devices based on shared security attributes,” said Tenable’s Security Response Team in a blog

“These vulnerabilities would allow an unauthenticated, remote attacker to send a specially crafted IP packet to a target with IPsec enabled and achieve remote code execution. IPsec is used to protect sensitive data and is commonly used in virtual private networks.”

Related Resource

Storage's role in addressing the challenges of ensuring cyber resilience

Understanding the role of data storage in cyber resiliency

Whitepaper cover with title over a grey rectangle with header graphic and ESG logoFree Download

The single actively-exploited zero-day (CVE-2022-37969) impacted a Windows Common Log File System driver and could be used by an attacker to elevate their privileges to SYSTEM level.

It received a lower-severity score of 7.8/10 on the CVSS v3 scale due to the attacker already needing to have local access to the target’s machine.

This level of code-execution access could be gained either by having their hands on the device’s keyboard (physical access) or remotely through techniques such as exploitation of another vulnerability or having remote access via remote desktop protocol (RDP), for example.

“Bugs of this nature are often wrapped into some form of social engineering attack, such as convincing someone to open a file or click a link,” said the ZDI. “Once they do, additional code executes with elevated privileges to take over a system.

“Usually, we get little information on how widespread an exploit may be used. However, Microsoft credits four different agencies reporting this bug, so it’s likely beyond just targeted attacks.”

The full list of vulnerabilities patched by Microsoft in September’s Patch Tuesday can be found on its dashboard.

Featured Resources

Three ways manual coding is killing your business productivity

...and how you can fix it

Free Download

Goodbye broadcasts, hello conversations

Drive conversations across the funnel with the WhatsApp Business Platform

Free Download

Winning with multi-cloud

How to drive a competitive advantage and overcome data integration challenges

Free Download

Talking to a business should feel like messaging a friend

Managing customer conversations at scale with the WhatsApp Business Platform

Free Download

Recommended

Microsoft bolsters cloud focus with new Cloud Partner Program
channel

Microsoft bolsters cloud focus with new Cloud Partner Program

6 Oct 2022
The IT Pro Podcast: Enabling bilingual business
collaboration

The IT Pro Podcast: Enabling bilingual business

30 Sep 2022
Podcast transcript: Enabling bilingual business
collaboration

Podcast transcript: Enabling bilingual business

30 Sep 2022
Windows 11 Update 2022: The "first major" Windows 11 update brings slew of new business features
Microsoft Windows

Windows 11 Update 2022: The "first major" Windows 11 update brings slew of new business features

21 Sep 2022

Most Popular

What your hybrid workforce needs from their laptops
Advertisement Feature

What your hybrid workforce needs from their laptops

21 Sep 2022
How to secure your hybrid workforce
Advertisement Feature

How to secure your hybrid workforce

23 Sep 2022
BT's new platform promises to slash AI development time from months to days
artificial intelligence (AI)

BT's new platform promises to slash AI development time from months to days

3 Oct 2022