Microsoft's October Security Patch Missing Zero-Day Exchange Fix
This month's Microsoft monthly security update, which comes packed with 85 flaw fixes, is notable for what's not included – a fix for last month's publicly disclosed Exchange vulnerabilities, known as "NotProxyShell."
In a blog post highlighting Exchange Server flaw fixes that are included, Microsoft acknowledged that the fixes for the two security bulletins that are being actively exploited did not make it in time for this month's security update. "We will release updates for CVE-2022-41040 and CVE-2022-41082 when they are ready," wrote Microsoft in the post.
In the meantime, Microsoft recommends Exchange Server users implement its mitigation advice, which includes blocking specific attack patterns associated with the vulnerability, and reiterates that no further actions for Exchange Online users are needed.
Further, Microsoft's August security update brought support for the Windows Extended Protection (EP) feature in Exchange Server, "which can help you protect your environments from authentication relay or "man in the middle" (MitM) attacks," wrote Microsoft.
As for what is included with this month's security patch update, October's big-ticket items include a fix (CVE-2022-41033) for the Windows COM+ Event System Service. While only rated "important" due to the complexity needed in attacks, Microsoft has already seen attackers exploiting the flaw, so getting this elevation of privilege hole patched as soon as possible is recommended. This fix affects all supported versions of Windows OS and Windows Server.
Security expert Dustin Childs said that since this flaw typically comes packed with other code execution exploits, it's important to stress the importance of best practices with end users, and why timely patching is important. "These types of attacks often involve some form of social engineering, such as enticing a user to open an attachment or browse to a malicious website," wrote Childs in his Zero Day Initiative blog. "Despite near-constant anti-phishing training, especially during 'Cyber Security Awareness Month.' people tend to click everything, so test and deploy this fix quickly."
That's not the only active exploit being addressed by Microsoft this month. CVE-2022-41043, which aims to fix an information disclosure vulnerability in Microsoft Office 2019 for Mac, has been publicly disclosed. However, unlike the previous item, security experts have yet to spot any attacks taking advantage of the hole.
October 'Critical' Bulletins
Once the solo zero-day flaw is addressed, IT should start focusing on this month's higher-than-normal 15 "critical" flaw fixes. Interestingly, seven of those have to do with Microsoft's Point-to-Point Tunneling Protocol (PPTP). Childs recommends that users of PPTP start looking at newer and safer alternative protocols -- as time goes on, attacks leveraging PPTP will continue to grow. Here's the full list of this month's critical items:
- CVE-92022-37976: Active Directory Certificate Services elevation of privilege vulnerability.
- CVE-2022-37968: Azure Arc-enabled Kubernetes cluster Connect elevation of privilege vulnerability.
- CVE-2022-38049: Microsoft Office Graphics remote code execution vulnerability.
- CVE-2022-38048: Microsoft Office remote code execution vulnerability.
- CVE-2022-41038: Microsoft SharePoint Server remote code execution vulnerability.
- CVE-2022-34689: Windows CryptoAPI spoofing vulnerability.
- CVE-2022-41031: Microsoft Word remote code execution vulnerability.
- CVE-2022-37979: Windows Hyper-V elevation of privilege vulnerability.
- CVE-2022-30198: Windows Point-to-Point Tunneling Protocol remote code execution vulnerability.
- CVE-2022-24504: Windows Point-to-Point Tunneling Protocol remote code execution vulnerability.
- CVE-2022-33634: Windows Point-to-Point Tunneling Protocol remote code execution vulnerability.
- CVE-2022-22035: Windows Point-to-Point Tunneling Protocol remote code execution vulnerability.
- CVE-2022-38047: Windows Point-to-Point Tunneling Protocol remote code execution vulnerability.
- CVE-2022-38000: Windows Point-to-Point Tunneling Protocol remote code execution vulnerability.
- CVE-2022-41081: Windows Point-to-Point Tunneling Protocol remote code execution vulnerability.
Click here for a full list of this month's security bulletin items.