Microsoft Patch Tuesday for October 2022 doesn’t fix Exchange Server flaws

Pierluigi Paganini October 12, 2022

Microsoft Patch Tuesday security updates for October 2022 addressed a total of 85 security vulnerabilities, including an actively exploited zero-day.

Microsoft Patch Tuesday security updates for October 2022 addressed 85 new vulnerabilities in multiple products, including Microsoft Windows and Windows Components; Azure, Azure Arc, and Azure DevOps; Microsoft Edge (Chromium-based); Office and Office Components; Visual Studio Code; Active Directory Domain Services and Active Directory Certificate Services; Nu Get Client; Hyper-V; and the Windows Resilient File System (ReFS).

15 out of 85 bugs are rated Critical, 69 are rated Important, and one is rated Moderate in severity.

It is interesting to note that the security patches don’t address the Exchange Server issues, despite two MS Exchange flaws being actively exploited in the wild.

These bugs were purchased by the ZDI at the beginning of September and reported to Microsoft at the time.

Microsoft Patch Tuesday Exchange server

“With no updates available to fully address these bugs, the best administrators can do is ensure the September 2021 Cumulative Update (CU) is installed. This adds the Exchange Emergency Mitigation service. This automatically installs available mitigations and sends diagnostic data to Microsoft. Otherwise, follow this post from Microsoft with the latest information.” reported ZDI. “Their mitigation advice has changed multiple times, so you’ll need to make sure you check it often for updates.”

Microsoft also addressed 11 issues in Microsoft Edge (Chromium-based) and one flaw for side-channel speculation in Arm processors. Six of these CVEs were submitted through the ZDI program.

One of the most interesting issues addressed by Microsoft this month is a privilege escalation issue, tracked as CVE-2022-41033, in Windows COM+ Event System Service.
This flaw is being actively exploited in attacks in the wild, likely chained with other issues to achieve code execution over a system.

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.” reads the advisory published by Microsoft.

Microsoft Patch Tuesday also addressed a critical Office Remote Code Execution vulnerability tracked as CVE-2022-38048.

The IT giant also addressed a Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability, tracked as CVE-2022-37987/CVE-2022-37989, and an Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability, tracked as CVE-2022-37968 (CVSS score: 10.0).

The full list of CVEs released by Microsoft for October 2022 is available here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Patch Tuesday for October 2022)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment