Microsoft has released 79 total patches as part of its monthly Patch Tuesday update, addressing three critical-rated vulnerabilities and one actively exploited zero-day.
The update delivers markedly fewer updates compared to last month’s which saw 141 flaws fixed, including 17 critical-rated vulnerabilities - the second round of updates of the year.
The updates consisted of 64 CVEs affecting Microsoft products and an additional 15 tracked issues impacting the Chromium-based Microsoft Edge browser.
Of the three critical-rated vulnerabilities - those with a severity score of 9.0 or higher on the CVSS v3 scale - the standout flaw impacted systems running the IPsec protocol which encrypts all internet protocol packets in a communication session.
The remote code execution (RCE) vulnerability was marked by Microsoft as “more likely” to be exploited and could allow an unauthenticated attacker to send a specially crafted IPv6 packet to an IPsec-enabled Windows node to achieve code execution.
There is no indication that it has been exploited in the wild but with the attack complexity being thought of as ‘low’ and there being no need for any authentication at all, it is considered one of the most serious issues for IT admins to address urgently.
Tracked as CVE-2022-34718, the Zero Day Initiative (ZDI) said: “This critical-rated bug could allow a remote, unauthenticated attacker to execute code with elevated privileges on affected systems without user interaction.
“That officially puts it into the ‘wormable’ category and earns it a CVSS rating of 9.8. However, only systems with IPv6 enabled and IPsec configured are vulnerable. While good news for some, if you’re using IPv6 (as many are), you’re probably running IPSec as well. Definitely test and deploy this update quickly.”
Both of the remaining two critical-rated vulnerabilities, both rated 9.8/10 and tracked as CVE-2022-34721 and CVE-2022-34722 respectively, impact the Windows Internet Key exchange (IKE) and can facilitate RCE.
Similar to the “exploitation more likely” CVE-2022-34718, the two other serious flaws can be carried out remotely and require no privileges in order to exploit.
“The IKE protocol is a component of IPsec used to set up security associations - relationships among devices based on shared security attributes,” said Tenable’s Security Response Team in a blog.
“These vulnerabilities would allow an unauthenticated, remote attacker to send a specially crafted IP packet to a target with IPsec enabled and achieve remote code execution. IPsec is used to protect sensitive data and is commonly used in virtual private networks.”
RELATED RESOURCE
Storage's role in addressing the challenges of ensuring cyber resilience
Understanding the role of data storage in cyber resiliency
The single actively-exploited zero-day (CVE-2022-37969) impacted a Windows Common Log File System driver and could be used by an attacker to elevate their privileges to SYSTEM level.
It received a lower-severity score of 7.8/10 on the CVSS v3 scale due to the attacker already needing to have local access to the target’s machine.
This level of code-execution access could be gained either by having their hands on the device’s keyboard (physical access) or remotely through techniques such as exploitation of another vulnerability or having remote access via remote desktop protocol (RDP), for example.
“Bugs of this nature are often wrapped into some form of social engineering attack, such as convincing someone to open a file or click a link,” said the ZDI. “Once they do, additional code executes with elevated privileges to take over a system.
“Usually, we get little information on how widespread an exploit may be used. However, Microsoft credits four different agencies reporting this bug, so it’s likely beyond just targeted attacks.”
The full list of vulnerabilities patched by Microsoft in September’s Patch Tuesday can be found on its dashboard.
-
M&S suspends online sales as 'cyber incident' continuesNews Marks & Spencer (M&S) has informed customers that all online and app sales have been suspended as the high street retailer battles a ‘cyber incident’.
-
Manners cost nothing, unless you’re using ChatGPTOpinion Polite users are costing OpenAI millions of dollars each year – but Ps and Qs are a small dent in what ChatGPT could cost the planet
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
A journey to cyber resiliencewhitepaper DORA: Ushering in a new era of cyber security
