Microsoft September 2022 Patch Tuesday fixed actively exploited zero-day

Microsoft released September 2022 Patch Tuesday security updates to address 64 flaws, including an actively exploited Windows zero-day.

Microsoft September 2022 Patch Tuesday security updates address 64 vulnerabilities, including an actively exploited Windows zero-day. The flaws fixed by the IT giant impact Microsoft Windows and Windows Components; Azure and Azure Arc; .NET and Visual Studio and .NET Framework; Microsoft Edge (Chromium-based); Office and Office Components; Windows Defender; and Linux Kernel (really). This is in addition to the 15 CVEs patched in Microsoft Edge (Chromium-based).

Of the 64 vulnerabilities addressed by Microsoft, five are rated Critical, 57 are rated Important, one is rated Moderate, and one is rated Low in severity. This month’s Microsoft addressed two publicly disclosed zero-day vulnerabilities, only one of them was actively exploited in the wild at the time of release.

The issues include remote code execution, elevation of privilege, security feature bypass, information disclosure, denial of service, and Chromium Vulnerabilities.

The actively exploited zero-day vulnerability is tracked as CVE-2022-37969, is a Windows Common Log File System Driver Elevation of Privilege Vulnerability.

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.” reads Microsoft’s advisory. “An attacker must already have access and the ability to run code on the target system. This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system.”

Microsoft credited Quan Jin with DBAPPSecurity, Genwei Jiang with Mandiant, FLARE OTF, CrowdStrike, and Zscaler ThreatLabz for reporting this flaw.

The company did not share details about the attacks exploiting this vulnerability.

The other publicly disclosed vulnerability, tracked as CVE-2022-23960, is an Arm Cache Speculation Restriction issue.

The full list of CVEs released by Microsoft for September 2022 Patch Tuesday security updates is available here, the most severe ones are:

CVE-2022-34700	Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability	Critical	8.8	No	No	RCE
CVE-2022-35805	Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability	Critical	8.8	No	No	RCE
CVE-2022-34721	Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability	Critical	9.8	No	No	RCE
CVE-2022-34722	Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability	Critical	9.8	No	No	RCE
CVE-2022-34718	Windows TCP/IP Remote Code Execution Vulnerability	Critical	9.8	No	No	RCE

Below is the complete list of resolved vulnerabilities and released advisories in the September 2022 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the full report here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Patch Tuesday)

[adrotate banner=”5″]

[adrotate banner=”13″]