Microsoft September Patch Bundle Addresses 64 Vulnerabilities
Microsoft has released its September bundle of security patches, addressing about 64 common vulnerabilities and exposures (CVEs).
Of that number, five CVEs are deemed "Critical," with 57 considered to be "Important" and one rated as "Moderate." Two of the vulnerabilities were publicly known about before Microsoft's Tuesday disclosure. One of these publicly known vulnerabilities was also described as "exploited."
A list of affected software, FAQs, mitigations and known issues can be found in Microsoft's "Release Notes" for its sprawling September "Security Update Guide." This guide typically contains only boilerplate descriptions and does not give the patch tally described above. Fortunately, security researchers outside Microsoft fill in some of those missing details each month.
The 64 vulnerabilities patched in this month's bundle would rise to 79 CVEs if the Chromium-based browser patches released earlier, plus a speculative-execution side-channel fix for Arm processors running Windows 11 (CVE-2022-23960), were added to the total, according to Dustin Childs of Trend Micro's Zero Day Initiative. One of the Chromium vulnerabilities (CVE-2022-3075) was described as having been "exploited." It represents "the sixth Chrome exploit detected in the wild this year," Childs noted.
Childs provided an overall assessment of Microsoft patches, plus patches released by Adobe and Apple, in this Tuesday Zero Day Initiative blog post.
Microsoft's September bundle has about half the number of CVEs as last month's release, Childs noted.
CVE-2022-37969 is the publicly known and exploited vulnerability; it is associated with the "Windows Common Log File System Driver." If successfully exploited, the vulnerability can enable an attacker to gain system privileges. Microsoft deemed it "Low" in severity because "an attacker must already have access and the ability to run code on the target system," per the security bulletin.
"The vulnerability [CVE-2022-37969] is rated as Important, but with multiple vendors acknowledged for the coordinated disclosure and confirmed exploits in the wild this vulnerability should be treated as a Critical severity due to the risk," noted Chris Goettl, Ivanti's senior director of product management, via e-mail.
Childs noted that vulnerabilities like CVE-2022-37969 are typically used as part of a targeted attack chain. However, "Microsoft credits four different agencies reporting this bug, so it's likely beyond just targeted attacks."
CVE-2022-37969's low complexity makes it a concern, according to Mike Walters, a cybersecurity executive and cofounder of Action1.
"No other technical details [about CVE-2022-37969] are available, but since the vulnerability has low complexity and requires no user interaction, an exploit will likely soon be in the arsenal of both white hats and black hats," Walters said, via e-mail.
Five Critical Vulnerabilities
The five critical vulnerabilities all can enable remote code execution. They affect newer Windows client and server products, noted Automox in its September "Patch Tuesday" commentary.
Two of the critical vulnerabilities affect Microsoft Dynamics 365 (CVE-2022-34700 and CVE-2022-35805). Two others are associated with the Windows Internet Key Exchange Protocol Extensions (CVE-2022-34721 and CVE-2022-34722). One critical vulnerability is associated with Windows and TCP/IP (CVE-2022-34718).
A sixth critical vulnerability (CVE-2022-3038) is a Microsoft Edge browser use-after-free bug that was addressed in the Chromium patches released earlier.
Security researchers singled out CVE-2022-34718, associated with Windows and TCP/IP, as the most interesting Critical vulnerability. Cisco Talos security researchers called it "the most serious vulnerability" in a blog post. It has a high Common Vulnerability Scoring System (CVSS) rating of 9.8 (out of 10), but it only affects organizations using IPv6 with IPsec. Childs noted that its high CVSS rating puts this one into the "'wormable' category."
Walters described CVE-2022-34718 as entailing "a network attack with low complexity, but it affects only systems that are running the IPsec service, so if a system doesn't need the IPsec service, disable it as soon as possible."
The two Windows Internet Key Exchange (IKE) Protocol Extensions vulnerabilities (CVE-2022-34721 and CVE-2022-34722) also have 9.8 CVSS scores and are associated with virtual private network (VPN) use by organizations, according to Automox, which advised 72-hour patching:
Both vulnerabilities are found in every major build of Windows from Windows 7 forward. IKE is a standard protocol used to set up secure and authenticated communications channels between two parties via a VPN. An attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could enable a remote code execution exploitation.
Walters noted that the CVE-2022-34721 and CVE-2022-34722 vulnerabilities "both have low complexity for exploitation," and all Windows Server products are affected:
This vulnerability impacts only IKEv1 and not IKEv2; however, all Windows Servers are affected because they accept both V1 and V2 packets. There is no exploit or PoC [proof of concept] detected in the wild yet; however, installing the fix is highly advisable.
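The advice quoted above (disable the IPsec service on systems that don't need it, and patch the IKE extensions on every Windows Server) raises a practical question: does a given host actually depend on IPsec/IKE? The following PowerShell script is an added example, not code from the article or from any vendor quoted in it. It reports the state of the IKEEXT service, any IPsec rules and live security associations, VPN dependencies and IPv6 bindings (relevant to CVE-2022-34718), and only stops IKEEXT when explicitly asked and nothing appears to rely on it. It assumes Windows 8.1/Server 2012 R2 or later (NetSecurity and NetAdapter modules present) and an elevated session; stopping the service is a stopgap, not a substitute for the September update.

```powershell
<#
 Added example (not from the article). Inventory IPsec/IKE exposure on a Windows
 host before deciding whether IKEEXT can be stopped until the update is applied.
 Assumes: Windows 8.1 / Server 2012 R2 or later, elevated PowerShell session.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Report-only by default; the switch is required to change anything.
    [switch]$DisableIkeext
)

$ErrorActionPreference = 'Stop'

# IKEEXT is the "IKE and AuthIP IPsec Keying Modules" service that handles
# IKEv1/IKEv2 negotiation (UDP 500/4500).
$ikeext = Get-Service -Name IKEEXT
Write-Host ("IKEEXT service      : {0} (startup: {1})" -f $ikeext.Status, $ikeext.StartType)

# Connection security rules in the active policy store and live SAs show
# whether IPsec is in use right now rather than merely available.
$rules = @(Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue)
$mmSA  = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue)
$qmSA  = @(Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue)
Write-Host ("IPsec rules (active): {0}" -f $rules.Count)
Write-Host ("Live IPsec SAs      : {0} main-mode, {1} quick-mode" -f $mmSA.Count, $qmSA.Count)

# Built-in VPN server (RRAS) and L2TP/IPsec or IKEv2 client profiles depend on IKEEXT.
$rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
$rrasRunning = $rras -and $rras.Status -eq 'Running'
$vpn = @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue |
         Where-Object { $_.TunnelType -in @('L2tp', 'Ikev2') })
Write-Host ("RRAS running        : {0}" -f [bool]$rrasRunning)
Write-Host ("IPsec-based VPNs    : {0}" -f $vpn.Count)

# CVE-2022-34718 is described as affecting IPv6 with IPsec, so note IPv6 bindings.
$v6 = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue |
        Where-Object Enabled)
Write-Host ("IPv6-bound adapters : {0}" -f $v6.Count)

$inUse = ($rules.Count -gt 0) -or ($mmSA.Count -gt 0) -or ($qmSA.Count -gt 0) -or
         $rrasRunning -or ($vpn.Count -gt 0)

if ($inUse) {
    Write-Warning "IPsec/IKE appears to be in use on this host; stopping IKEEXT would break it. Apply the update instead."
}
elseif ($DisableIkeext) {
    # -WhatIf / -Confirm are honoured via ShouldProcess.
    if ($PSCmdlet.ShouldProcess('IKEEXT', 'Stop service and set startup type to Disabled')) {
        Stop-Service -Name IKEEXT
        Set-Service  -Name IKEEXT -StartupType Disabled
        Write-Host "IKEEXT stopped and disabled. Re-enable after patching if IPsec is needed later."
    }
}
else {
    Write-Host "No IPsec dependency detected. Re-run with -DisableIkeext to stop the service as a stopgap until patched."
}
```

Run it first without switches to get the inventory; `.\Check-Ipsec.ps1 -DisableIkeext -WhatIf` shows what would change without touching the service. Hosts where the script reports rules, live SAs, RRAS or IPsec VPN profiles should be patched rather than have IKEEXT disabled.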
Notable Patch Tuesday Comments
Security researchers outside of Microsoft seemed guardedly optimistic that September's patch load was lighter than last month's. However, Microsoft's patch count does tend to dip in "the last quarter of the year," Childs noted.
The 57 Important patches shouldn't be neglected. Four of them address SharePoint flaws that could allow remote code execution, noted Greg Wiseman, product manager at Rapid7.
"SharePoint administrators should also be aware of four separate RCEs being addressed this month," Wiseman wrote via e-mail. "They're considered Important, meaning Microsoft recommends applying the updates at the earliest opportunity."
Childs noted that "more than half of this month's release involves some form of remote code execution" and that "of these, the patches for SharePoint stand out." At least one of the SharePoint vulnerabilities was used in a nation-state attack, Childs indicated.
"Microsoft recently detailed how a SharePoint bug was used by Iranian threat actors against the Albanian government, resulting in Albania breaking off diplomatic relations with Iran," Childs explained. "Those attacks involved a SharePoint bug we had previously blogged about."
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.