Three critical vulnerabilities and one zero-day feature in Microsoft's September Patch Tuesday
Several issues in the monthly update require 'urgent' attention but September's Patch Tuesday only brings around half the fixes that came in August
 
 
Microsoft has released 79 total patches as part of its monthly Patch Tuesday update, addressing three critical-rated vulnerabilities and one actively exploited zero-day.
The release contains markedly fewer fixes than last month’s, which saw 141 flaws fixed, including 17 critical-rated vulnerabilities - the second round of updates of the year.
The updates consisted of 64 CVEs affecting Microsoft products and an additional 15 tracked issues impacting the Chromium-based Microsoft Edge browser.
Of the three critical-rated vulnerabilities - those with a severity score of 9.0 or higher on the CVSS v3 scale - the standout flaw impacted systems running the IPsec protocol, which encrypts all internet protocol packets in a communication session.
The remote code execution (RCE) vulnerability was marked by Microsoft as “more likely” to be exploited and could allow an unauthenticated attacker to send a specially crafted IPv6 packet to an IPsec-enabled Windows node to achieve code execution.
There is no indication that it has been exploited in the wild, but because the attack complexity is considered ‘low’ and no authentication is needed at all, it is considered one of the most serious issues for IT admins to address urgently.
Of the flaw, tracked as CVE-2022-34718, the Zero Day Initiative (ZDI) said: “This critical-rated bug could allow a remote, unauthenticated attacker to execute code with elevated privileges on affected systems without user interaction.
“That officially puts it into the ‘wormable’ category and earns it a CVSS rating of 9.8. However, only systems with IPv6 enabled and IPsec configured are vulnerable. While good news for some, if you’re using IPv6 (as many are), you’re probably running IPSec as well. Definitely test and deploy this update quickly.”
The remaining two critical-rated vulnerabilities, both rated 9.8/10 and tracked as CVE-2022-34721 and CVE-2022-34722, impact the Windows Internet Key Exchange (IKE) and can facilitate RCE.
Like the “exploitation more likely” CVE-2022-34718, the two other serious flaws can be exploited remotely and require no privileges.
“The IKE protocol is a component of IPsec used to set up security associations - relationships among devices based on shared security attributes,” said Tenable’s Security Response Team in a blog.
“These vulnerabilities would allow an unauthenticated, remote attacker to send a specially crafted IP packet to a target with IPsec enabled and achieve remote code execution. IPsec is used to protect sensitive data and is commonly used in virtual private networks.”
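For patch prioritisation, the preconditions quoted above (IPv6 enabled plus IPsec configured for CVE-2022-34718, IPsec enabled for the two IKE flaws) can be checked per host. The following PowerShell is an added example, not code from Microsoft, ZDI or Tenable; the function name `Get-IPsecExposure` is hypothetical, and treating a running IKEEXT or PolicyAgent service, an enabled connection security rule, or a UDP 500/4500 listener as "IPsec in use" is an assumption of this sketch. It does not check whether the September update is installed.

```powershell
# Added example: triage of the IPsec/IKE preconditions described in the article.
# Run in an elevated PowerShell session on the Windows host being assessed.
function Get-IPsecExposure {
    [CmdletBinding()]
    param()

    # IPv6 counts as enabled if any adapter still has the ms_tcpip6 binding on.
    $ipv6Adapters = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue |
        Where-Object Enabled)

    # Services behind Windows IPsec: IKEEXT (IKE and AuthIP keying modules)
    # and PolicyAgent (IPsec Policy Agent).
    $running = @(Get-Service -Name IKEEXT, PolicyAgent -ErrorAction SilentlyContinue |
        Where-Object Status -eq 'Running')

    # Enabled connection security (IPsec) rules in the effective policy.
    $rules = @(Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' })

    # Local UDP endpoints on the IKE (500) and NAT-T (4500) ports.
    $ikeListeners = @(Get-NetUDPEndpoint -LocalPort 500, 4500 -ErrorAction SilentlyContinue)

    # Assumption: any one of these signals means IPsec is in use on this host.
    $ipsecInUse = ($running.Count -gt 0) -or ($rules.Count -gt 0) -or ($ikeListeners.Count -gt 0)
    $ipv6On     = $ipv6Adapters.Count -gt 0

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        IPv6Adapters           = $ipv6Adapters.Name -join ', '
        RunningIPsecServices   = $running.Name -join ', '
        EnabledIPsecRules      = $rules.Count
        IkeUdpListeners        = ($ikeListeners.LocalPort | Sort-Object -Unique) -join ', '
        # CVE-2022-34718: the quoted condition is IPv6 enabled AND IPsec configured.
        Cve34718Preconditions  = $ipv6On -and $ipsecInUse
        # CVE-2022-34721 / CVE-2022-34722: the quoted condition is IPsec enabled.
        IkeRcePreconditions    = $ipsecInUse
    }
}

# Print the triage record for the local host.
Get-IPsecExposure | Format-List
```

Hosts where either precondition flag is true belong at the front of the deployment queue; a false result reflects only the signals sampled here and is not proof that a host is unaffected.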
The single actively-exploited zero-day (CVE-2022-37969) impacted a Windows Common Log File System driver and could be used by an attacker to elevate their privileges to SYSTEM level.
It received a lower-severity score of 7.8/10 on the CVSS v3 scale due to the attacker already needing to have local access to the target’s machine.
This level of code-execution access could be gained either by having hands on the device’s keyboard (physical access) or remotely, for example by exploiting another vulnerability or by having remote access via Remote Desktop Protocol (RDP).
“Bugs of this nature are often wrapped into some form of social engineering attack, such as convincing someone to open a file or click a link,” said the ZDI. “Once they do, additional code executes with elevated privileges to take over a system.
“Usually, we get little information on how widespread an exploit may be used. However, Microsoft credits four different agencies reporting this bug, so it’s likely beyond just targeted attacks.”
The full list of vulnerabilities patched by Microsoft in September’s Patch Tuesday can be found on its dashboard.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.