August Patch Tuesday: Microsoft Plugs 121 Flaws
After a lighter-than-usual past few months, Microsoft is back in the triple digits for its monthly security update, with 121 common vulnerabilities and exposures (CVE) fixes.
Along with the large number of flaw fixes, the 17 critical items and one zero-day vulnerability patch highlight this month's update.
IT should work quickly to apply the fix for CVE-2022-34713, as the flaw is in active exploitation and publicly disclosed. This fix addresses a remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT). Current exploits using this hole would need a victim to open a malicious file (through a phishing attempt or a compromised website).
This zero-day flaw shares a lot of similarities with a June fix for the "Follina" vulnerability, which also resided in the MSDT. While Microsoft has not confirmed that this month's fix is an update on the June patch, the company said that this specific flaw has been publicly known for months.
"In May, Microsoft released a blog giving guidance for a vulnerability in MSDT and released updates to address it shortly thereafter," said Microsoft. "Public discussion of a vulnerability can encourage further scrutiny on the component, both by Microsoft security personnel as well as our research partners. This CVE addresses the vulnerability publicly known as Dogwalk."
Next on the priority list is a critical fix for a Windows Network File System (NFS) remote code execution vulnerability (CVE-2022-34715). If this one sounds familiar, it's because it is, according to Zero Day Initiative's Dustin Childs. "This is now the fourth month in a row with an NFS code execution patch, and this CVSS 9.8 bug could be the most severe of the lot," wrote Childs in his monthly patch blog.
While Microsoft only rates this flaw as "important," Childs argues that it is critical for anyone using NFS, as a successful attack would grant code execution privileges to the attacker.
Those running local Exchange Servers will be busy this month with three critical fixes, all addressing elevation of privilege flaws in Microsoft's product. CVE-2022-24516, CVE-2022-21980 and CVE-2022-24477 all work similarly and, if exploited, a criminal could remotely gain access to an organization's entire email storage. Depending on how valuable the information is, it can then easily be turned into an extortion ploy.
Also of note to Exchange Server users is CVE-2022-30134, which addresses yet another elevation of privilege issue. However, unlike the previously mentioned three, this one is only rated important, due to the complexity of getting working code up and running to exploit it. That doesn't mean IT should sleep on this one – flaw information has been publicly disclosed and it's only a matter of time until attackers have figured out working exploits for this hole.
Here's a quick rundown of the remaining critical items for the month:
- CVE-2022-30133 - Remote code execution fix in the Windows Point-to-Point Protocol (PPP).
- CVE-2022-35744 - Remote code execution fix in the Windows PPP.
- CVE-2022-34691 - Elevation of privilege fix for Active Directory Domain Services.
- CVE-2022-33646 - Elevation of privilege fix for Azure Batch Node Agent.
- CVE-2022-35752 - Remote code execution fix in the Windows Secure Socket Tunneling Protocol (SSTP).
- CVE-2022-35753 - Remote code execution fix in the Windows SSTP.
- CVE-2022-35804 - Remote code execution fix in the SMB Client and Server.
- CVE-2022-34696 - Remote code execution fix in Windows Hyper-V.
- CVE-2022-34702 - Remote code execution fix in the Windows SSTP.
- CVE-2022-34714 - Remote code execution fix in the Windows SSTP.
- CVE-2022-35745 - Remote code execution fix in the Windows SSTP.
- CVE-2022-35766 - Remote code execution fix in the Windows SSTP.
- CVE-2022-35767 - Remote code execution fix in the Windows SSTP.
- CVE-2022-35794 - Remote code execution fix in the Windows SSTP.
Microsoft's full list of security updates can be found here.