Microsoft's October Security Patch Missing Zero-Day Exchange Fix -- Redmondmag.com

Microsoft's October Security Patch Missing Zero-Day Exchange Fix

By Chris Paoli
10/11/2022

This month's Microsoft monthly security update, which comes packed with 85 flaw fixes, is notable for what's not included – a fix for last month's publicly disclosed Exchange vulnerabilities, known as "NotProxyShell."

In a blog post highlighting Exchange Server flaw fixes that are included, Microsoft acknowledged that the fixes for the two security bulletins that are being actively exploited did not make it in time for this month's security update. "We will release updates for CVE-2022-41040 and CVE-2022-41082 when they are ready," wrote Microsoft in the post.

In the meantime, Microsoft recommends Exchange Server users implement its mitigation advice, which includes blocking specific attack patterns associated with the vulnerability, and reiterates that no further actions for Exchange Online users are needed.

Further, Microsoft's August security update brought support for the Windows Extended Protection (EP) feature in Exchange Server, "which can help you protect your environments from authentication relay or "man in the middle" (MitM) attacks," wrote Microsoft.

As for what is included with this month's security patch update, October's big-ticket items include a fix (CVE-2022-41033) for the Windows COM+ Event System Service. While only rated "important" due to the complexity needed in attacks, Microsoft has already seen attackers exploiting the flaw, so getting this elevation of privilege hole patched as soon as possible is recommended. This fix affects all supported versions of Windows OS and Windows Server.

Security expert Dustin Childs said that since this flaw typically comes packed with other code execution exploits, it's important to stress the importance of best practices with end users, and why timely patching is important. "These types of attacks often involve some form of social engineering, such as enticing a user to open an attachment or browse to a malicious website," wrote Childs in his Zero Day Initiative blog. "Despite near-constant anti-phishing training, especially during 'Cyber Security Awareness Month.' people tend to click everything, so test and deploy this fix quickly."

That's not the only active exploit being addressed by Microsoft this month. CVE-2022-41043, which aims to fix an information disclosure vulnerability in Microsoft Office 2019 for Mac, has been publicly disclosed. However, unlike the previous item, security experts have yet to spot any attacks taking advantage of the hole.

October 'Critical' Bulletins
Once the solo zero-day flaw is addressed, IT should start focusing on this month's higher-than-normal 15 "critical" flaw fixes. Interestingly, seven of those have to do with Microsoft's Point-to-Point Tunneling Protocol (PPTP). Childs recommends that users of PPTP start looking at newer and safer alternative protocols -- as time goes on, attacks leveraging PPTP will continue to grow. Here's the full list of this month's critical items:

CVE-92022-37976: Active Directory Certificate Services elevation of privilege vulnerability.
CVE-2022-37968: Azure Arc-enabled Kubernetes cluster Connect elevation of privilege vulnerability.
CVE-2022-38049: Microsoft Office Graphics remote code execution vulnerability.
CVE-2022-38048: Microsoft Office remote code execution vulnerability.
CVE-2022-41038: Microsoft SharePoint Server remote code execution vulnerability.
CVE-2022-34689: Windows CryptoAPI spoofing vulnerability.
CVE-2022-41031: Microsoft Word remote code execution vulnerability.
CVE-2022-37979: Windows Hyper-V elevation of privilege vulnerability.
CVE-2022-30198: Windows Point-to-Point Tunneling Protocol remote code execution vulnerability.
CVE-2022-24504: Windows Point-to-Point Tunneling Protocol remote code execution vulnerability.
CVE-2022-33634: Windows Point-to-Point Tunneling Protocol remote code execution vulnerability.
CVE-2022-22035: Windows Point-to-Point Tunneling Protocol remote code execution vulnerability.
CVE-2022-38047: Windows Point-to-Point Tunneling Protocol remote code execution vulnerability.
CVE-2022-38000: Windows Point-to-Point Tunneling Protocol remote code execution vulnerability.
CVE-2022-41081: Windows Point-to-Point Tunneling Protocol remote code execution vulnerability.

Click here for a full list of this month's security bulletin items.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

Microsoft and OpenAI Continue Global AI Expansions

Microsoft and OpenAI each continued their global expansion this month, with the announcements of new infrastructure investments and service rollouts in new regions, like Asia and the Middle East.
Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.