The October 2022 Security Update Review

Another Patch Tuesday is here, and Adobe and Microsoft have released their latest crop of new security updates and fixes. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for October 2022

For October, Adobe released four patches addressing 29 vulnerabilities in Adobe Acrobat and Reader, ColdFusion, Commerce and Magento, and Adobe Dimension. A total of 22 of these bugs were reported through the ZDI program. The fix for ColdFusion seems to be the most critical, with multiple CVSS 9.8 code execution bugs being addressed. There’s also a fix for a bug in the Admin Component service. The service uses a hard-coded password for the administrator user. An attacker can leverage this vulnerability to bypass authentication on the system. Hard to imagine hard-coded credentials have existed in the product for so long without being discovered.

The Commerce and Magento update addresses only one bug, but it’s a CVSS 10. If you’re using either of these products, ensure you test and deploy this quickly to fix the stored cross-site scripting (XSS) bug. The patch for Acrobat and Reader fixes six bugs, with the most severe being stack-based buffer overflows that could lead to code execution. A threat actor would need to trick someone into opening a specially crafted PDF to get arbitrary code exec. The fix for Dimension corrects nine bugs, eight of which are rated critical. Most of these are file parsing bugs and would require user interaction to exploit.  

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for October 2022

This month, Microsoft released 85 new patches addressing CVEs in Microsoft Windows and Windows Components; Azure, Azure Arc, and Azure DevOps; Microsoft Edge (Chromium-based); Office and Office Components; Visual Studio Code; Active Directory Domain Services and Active Directory Certificate Services; NuGet Client; Hyper-V; and the Windows Resilient File System (ReFS). This is in addition to the 11 CVEs patched in Microsoft Edge (Chromium-based) and one patch for side-channel speculation in Arm processors. That brings the total number of CVEs to 96. Six of these CVEs were submitted through the ZDI program.

What may be more interesting is what isn’t included in this month’s release. There are no updates for Exchange Server, despite two Exchange bugs being actively exploited for at least two weeks. These bugs were purchased by the ZDI at the beginning of September and reported to Microsoft at the time. With no updates available to fully address these bugs, the best administrators can do is ensure the September 2021 Cumulative Update (CU) is installed. This adds the Exchange Emergency Mitigation service. This automatically installs available mitigations and sends diagnostic data to Microsoft. Otherwise, follow this post from Microsoft with the latest information. Their mitigation advice has changed multiple times, so you’ll need to make sure you check it often for updates.

Of the 85 new patches released today, 15 are rated Critical, 69 are rated Important, and one is rated Moderate in severity. This volume is somewhat in line with what we’ve seen in previous October releases, but it does put Microsoft on track to exceed its 2021 total. If that happens, 2022 would be the second busiest year for Microsoft CVEs. One of the new CVEs released this month is listed as publicly known and one other is listed as being in the wild at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the bug under active attack:

– CVE-2022-41033 – Windows COM+ Event System Service Elevation of Privilege Vulnerability
This patch fixes a bug that Microsoft lists as being used in active attacks, although they don’t specify how broad these attacks may be. Since this is a privilege escalation bug, it is likely paired with other code execution exploits designed to take over a system. These types of attacks often involve some form of social engineering, such as enticing a user to open an attachment or browse to a malicious website. Despite near-constant anti-phishing training, especially during “Cyber Security Awareness Month”, people tend to click everything, so test and deploy this fix quickly.

– CVE-2022-37987/CVE-2022-37989 – Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability
These bugs were reported by ZDI Sr. Vulnerability Researcher Simon Zuckerbraun and pertain to the behavior of the CSRSS process when it searches for dependencies. CVE-2022-37989 is a failed patch for CVE-2022-22047, an earlier bug that saw some in-the-wild exploitation. This vulnerability results from CSRSS being too lenient in accepting input from untrusted processes. By contrast, CVE-2022-37987 is a new attack that works by deceiving CSRSS into loading dependency information from an unsecured location. We’ll publish additional details about these bugs on our blog in the future.

– CVE-2022-37968 – Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability
This vulnerability could allow an attacker to gain administrative control over Azure Arc-enabled Kubernetes clusters. Azure Stack Edge devices may also be impacted by this bug. To exploit this remotely, the attacker would need to know the randomly generated DNS endpoint for an Azure Arc-enabled Kubernetes cluster. Still, this bug receives the rare CVSS 10 rating – the highest severity rating the system allows. If you’re running these types of containers, make sure you either have auto-upgrade enabled or manually update to the latest version by running the appropriate commands in the Azure CLI.

– CVE-2022-38048 – Microsoft Office Remote Code Execution Vulnerability
This bug was reported to the ZDI by the researcher known as “hades_kito” and represents a rare Critical-rated Office bug. Most Office vulnerabilities are rated Important since they involve user interaction – typically opening a file. An exception to that is when the Preview Pane is an attack vector; however, Microsoft states that isn’t the case here. Likely the rating results from the lack of warning dialogs when opening a specially crafted file. Either way, this is a use-after-free (UAF) that could lead to passing an arbitrary pointer to a free call, which makes further memory corruption possible.

Here’s the full list of CVEs released by Microsoft for October 2022:

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2022-41033 | Windows COM+ Event System Service Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2022-41043 | Microsoft Office Information Disclosure Vulnerability | Important | 4 | Yes | No | Info |
| CVE-2022-37976 | Active Directory Certificate Services Elevation of Privilege Vulnerability | Critical | 8.8 | No | No | EoP |
| CVE-2022-37968 | Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability | Critical | 10 | No | No | EoP |
| CVE-2022-38049 | Microsoft Office Graphics Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2022-38048 | Microsoft Office Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2022-41038 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2022-34689 | Windows CryptoAPI Spoofing Vulnerability | Critical | 7.5 | No | No | Spoofing |
| CVE-2022-41031 | Microsoft Word Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2022-37979 | Windows Hyper-V Elevation of Privilege Vulnerability | Critical | 7.8 | No | No | EoP |
| CVE-2022-30198 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-24504 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-33634 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-22035 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-38047 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-38000 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-41081 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-38042 | Active Directory Domain Services Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2022-38021 | Connected User Experiences and Telemetry Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-38036 | Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-37977 | Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2022-37983 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-38040 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-38001 | Microsoft Office Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
| CVE-2022-41036 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-41037 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-38053 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-37982 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-38031 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-37971 | Microsoft Windows Defender Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2022-41032 | NuGet Client Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-38045 | Server Service Remote Protocol Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
| CVE-2022-35829 | Service Fabric Explorer Spoofing Vulnerability | Important | 6.2 | No | No | Spoofing |
| CVE-2022-38017 | StorSimple 8000 Series Elevation of Privilege Vulnerability | Important | 6.8 | No | No | EoP |
| CVE-2022-41083 | Visual Studio Code Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-41042 | Visual Studio Code Information Disclosure Vulnerability | Important | 7.4 | No | No | Info |
| CVE-2022-41034 | Visual Studio Code Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-38046 | Web Account Manager Information Disclosure Vulnerability | Important | 6.2 | No | No | Info |
| CVE-2022-38050 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37978 | Windows Active Directory Certificate Services Security Feature Bypass | Important | 7.5 | No | No | SFB |
| CVE-2022-38029 | Windows ALPC Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-38044 | Windows CD-ROM File System Driver Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-37989 | Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37987 | Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37980 | Windows DHCP Client Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-38026 | Windows DHCP Client Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-38025 | Windows Distributed File System (DFS) Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-37970 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37981 | Windows Event Logging Service Denial of Service Vulnerability | Important | 4.3 | No | No | DoS |
| CVE-2022-33635 | Windows GDI+ Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-38051 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37997 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37985 | Windows Graphics Component Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-37975 | Windows Group Policy Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37999 | Windows Group Policy Preference Client Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37993 | Windows Group Policy Preference Client Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37994 | Windows Group Policy Preference Client Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37995 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37988 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-38037 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-38038 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37990 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-38039 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37991 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-38022 | Windows Kernel Elevation of Privilege Vulnerability | Important | 2.5 | No | No | EoP |
| CVE-2022-37996 | Windows Kernel Memory Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-38016 | Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
| CVE-2022-37998 | Windows Local Session Manager (LSM) Denial of Service Vulnerability | Important | 7.7 | No | No | DoS |
| CVE-2022-37973 | Windows Local Session Manager (LSM) Denial of Service Vulnerability | Important | 7.7 | No | No | DoS |
| CVE-2022-37974 | Windows Mixed Reality Developer Tools Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2022-35770 | Windows NTLM Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
| CVE-2022-37965 | Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability | Important | 5.9 | No | No | DoS |
| CVE-2022-38032 | Windows Portable Device Enumerator Service Security Feature Bypass Vulnerability | Important | 5.9 | No | No | SFB |
| CVE-2022-38028 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-38003 | Windows Resilient File System Elevation of Privilege | Important | 7.8 | No | No | EoP |
| CVE-2022-38041 | Windows Secure Channel Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-38043 | Windows Security Support Provider Interface Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-38033 | Windows Server Remotely Accessible Registry Keys Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2022-38027 | Windows Storage Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-33645 | Windows TCP/IP Driver Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-38030 | Windows USB Serial Driver Information Disclosure Vulnerability | Important | 4.3 | No | No | Info |
| CVE-2022-37986 | Windows Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37984 | Windows WLAN Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-38034 | Windows Workstation Service Elevation of Privilege Vulnerability | Important | 4.3 | No | No | EoP |
| CVE-2022-41035 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Moderate | 8.3 | No | No | Spoofing |
| CVE-2022-3304 * | Chromium: CVE-2022-3304 Use after free in CSS | High | N/A | No | No | RCE |
| CVE-2022-3307 * | Chromium: CVE-2022-3307 Use after free in Media | High | N/A | No | No | RCE |
| CVE-2022-3370 * | Chromium: CVE-2022-3370 Use after free in Custom Elements | High | N/A | No | No | RCE |
| CVE-2022-3373 * | Chromium: CVE-2022-3373 Out of bounds write in V8 | High | N/A | No | No | RCE |
| CVE-2022-3308 * | Chromium: CVE-2022-3308 Insufficient policy enforcement in Developer Tools | Medium | N/A | No | No | SFB |
| CVE-2022-3310 * | Chromium: CVE-2022-3310 Insufficient policy enforcement in Custom Tabs | Medium | N/A | No | No | SFB |
| CVE-2022-3311 * | Chromium: CVE-2022-3311 Use after free in Import | Medium | N/A | No | No | RCE |
| CVE-2022-3313 * | Chromium: CVE-2022-3313 Incorrect security UI in Full Screen | Medium | N/A | No | No | SFB |
| CVE-2022-3315 * | Chromium: CVE-2022-3315 Type confusion in Blink | Medium | N/A | No | No | RCE |
| CVE-2022-3316 * | Chromium: CVE-2022-3316 Insufficient validation of untrusted input in Safe Browsing | Low | N/A | No | No | Spoofing |
| CVE-2022-3317 * | Chromium: CVE-2022-3317 Insufficient validation of untrusted input in Intents | Low | N/A | No | No | Spoofing |
* Indicates this CVE had previously been assigned by a 3rd-party and is now being incorporated into Microsoft products.

Looking at the rest of the Critical-rated patches, the update for Active Directory Certificate Services (ADCS) stands out the most, as successful exploitation would provide the attacker domain administrative privileges. However, exploiting this would be tricky. A malicious DCOM client would need to trick a DCOM server into authenticating to it through ADCS and then use the credential to launch a cross-protocol attack. There are seven Critical-rated fixes for the Point-to-Point Tunneling Protocol (PPTP). If you’re still using this, consider migrating to a more modern (and secure) solution. There’s a fix for a guest-to-host escape in Hyper-V that could result in the attacker executing code on the root OS. In addition to the one mentioned above, there are two other Critical-rated bugs impacting Office components. Neither has a Preview Pane attack vector, so it’s not clear why the Critical rating applies. Speaking of confusing, there’s a Critical fix for SharePoint that reads identically to the Important-rated SharePoint fixes. Microsoft offers no clarity on why this bug is different.

There are only nine other fixes for remote code execution vulnerabilities, including three for SharePoint that have the same description as the Critical-rated SharePoint bug already mentioned. There are two patches for the WDAC OLE DB provider for SQL Server and one for the ODBC Driver itself. There’s a fix for an RCE in Visual Studio Code, but no details are provided on what the attack scenario would be. That’s not the case for the GDI+ bug. An attacker would need to convince a user to browse to a malicious website or open a specially crafted file to get code execution. Finally, former Pwn2Own winner Bien Pham from Team Orca of Sea Security reported a code execution bug in the CD-ROM driver through the ZDI program. It’s an integer overflow that could lead to an out-of-bounds write on kernel heap memory. In this case, an attacker would need to convince someone to open a malicious .iso file, which does seem a bit unlikely.

A total of 39 bugs in this release are Elevation of Privilege (EoP) bugs, including those mentioned above. The majority of these require an authenticated user to run specially crafted code on an affected system, but there are a few that stand out. The first is the patch for the print spooler. While we’re certainly used to spooler updates by now, this one was reported by the National Security Agency (NSA). The EoP in the Workstation service requires privileges, but it can be reached remotely. An attacker could execute RPC functions that are normally restricted to the local client. You would also need to be authenticated to send malicious RPC calls to the DHCP service to escalate to SYSTEM. The bug in Active Directory Domain Services could allow an attacker to get domain administrator privileges, but Microsoft offers no details on how that would occur. The NuGet package manager for .NET receives a fix impacting multiple NuGet versions. The fix for Visual Studio Code contains an …uh… interesting workaround:

“Create a folder C:\ProgramData\jupyter\kernels and configure it to be writable only by the current user.”

It’s not clear why this prevents the attack, but Microsoft claims it will. Lastly, the EoP in the Local Security Authority (LSA) could lead to a sandbox escape.
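As an added example (not from the ZDI post or from Microsoft’s advisory), this PowerShell applies the quoted workaround literally: it creates the folder Microsoft names, C:\ProgramData\jupyter\kernels, and replaces the permissive permissions inherited from C:\ProgramData with a DACL that grants access to the current user only. It assumes the account that runs Visual Studio Code runs it from an elevated session; $path, $user and the verification step are this example’s own names.

```powershell
# Added example, not Microsoft's or ZDI's code: apply the quoted Visual Studio
# Code workaround. Assumes an elevated session run as the VS Code user.
$path = 'C:\ProgramData\jupyter\kernels'
$user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name   # e.g. DOMAIN\alice

# 1. Create the directory (and missing parents). -Force keeps the step idempotent.
New-Item -ItemType Directory -Path $path -Force | Out-Null

# 2. Build the DACL from scratch. Protecting it from inheritance drops the
#    C:\ProgramData defaults (Users may create files and folders), so the only
#    ACE left is the current user's, inherited by files and subfolders.
$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetAccessRuleProtection($true, $false)   # isProtected, preserveInheritance
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $user, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Verify: no Allow ACE that carries any write right may name another principal.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write
$offenders = (Get-Acl -Path $path).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ($_.FileSystemRights -band $writeMask) -and
                   $_.IdentityReference.Value -ne $user }
if ($offenders) { $offenders | Format-Table IdentityReference, FileSystemRights }
else { "OK: $path is writable only by $user" }
```

Re-run step 3 after any software installs that touch C:\ProgramData, since an installer that re-enables inheritance on the folder silently undoes the workaround.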

The October release includes fixes for 11 information disclosure bugs, including one in Office that’s listed as publicly known. Most of the other info disclosure vulnerabilities only result in leaks consisting of unspecified memory contents. There are a couple of notable exceptions. The bug in the Web Account Manager could allow an attacker to view unbound refresh tokens issued by one cloud on a different cloud. The patches for Visual Studio Code and the Mixed Reality Developer Tools fix disclosure bugs that could allow reading from the file system. The final info disclosure bug fixed this month could allow reading from the HKLM hive of the registry which you normally would not have access to.

There are two patches for Security Features Bypass (SFB) vulnerabilities this month, and the first requires physical access. On systems with outdated USB controller hardware, a Group Policy might have silently failed, which would leave the Windows Portable Device Enumerator Service open to attacks that rely on inserting a USB storage device. The SFB bug in Active Directory Certificate Services requires a Man-in-the-Middle (MiTM) and applies to Windows Challenge/Response (NTLM) authentication.

Eight different DoS vulnerabilities are patched this month. Probably the most interesting is the DoS in TCP/IP, which could be exploited by remote, unauthenticated attackers and does not require user interaction. Microsoft states systems with IPv6 disabled aren’t affected, but IPv6 comes enabled by default on most systems these days. Microsoft provides no further details about the seven other DoS patches.

The October release is rounded out by five spoofing bugs, including the lone Moderate-rated fix, which addresses a spoofing vulnerability in Microsoft Edge (Chromium-based). The most interesting is the Critical-rated fix for the Windows CryptoAPI. This bug could allow an attacker to spoof an existing public x.509 certificate to authenticate or sign code as the targeted certificate. I’m sure malware authors will definitely try to use this one in the near future. There’s also a stored cross-site scripting (XSS) bug in the Service Fabric Explorer. If you’re using this, you need to ensure you are on the latest version by following these instructions. No additional details are provided about the spoofing bugs in Office or NTLM.

No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV990001.

Looking Ahead

The next Patch Tuesday falls on November 8, and we’ll return with details and patch analysis then. Be sure to catch the Patch Report webcast on our YouTube channel. It should be posted in just a few hours. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Zero Day Initiative – Blog   
