{"id":20329,"date":"2022-10-11T11:21:06","date_gmt":"2022-10-11T19:21:06","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/10\/11\/news-14062\/"},"modified":"2022-10-11T11:21:06","modified_gmt":"2022-10-11T19:21:06","slug":"news-14062","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/10\/11\/news-14062\/","title":{"rendered":"You can\u2019t always get what you want on Patch Tuesday"},"content":{"rendered":"<p><strong>Credit to Author: Angela Gunn| Date: Tue, 11 Oct 2022 17:47:47 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>Microsoft on Tuesday released patches for 82 vulnerabilities in six Microsoft product families. This includes 14 Critical-class issues affecting Azure, Office, SharePoint, and Windows. Once again the majority of CVEs affect Windows; the operating system takes the lion\u2019s share of the CVEs with 67, followed by five for Office and four for SharePoint. Azure admins get some respite this month with just three patches for that platform (including one for Service Fabric), and Visual Studio and .NET together account for another three.<\/p>\n<p>One vulnerability (CVE-2022-41043), an information disclosure bug in Office, has been publicly disclosed. Another (CVE-2022-41033), an elevation of privilege flaw in the COM+ Event System Service, has been exploited. The remaining issues remain undisclosed and unexploited, according to Microsoft. Notable by their absence are the two high-profile Exchange Server vulnerabilities (CVE-2022-41040, CVE-2022-41082), both of which were <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/10\/03\/two-exchange-server-vulns-veer-dangerously-close-to-proxyshell\/\">in the news<\/a> last week. 
Since the public disclosure of the two issues, Microsoft has issued several rounds of mitigations and guidance for what appears to be a close variant of the legendary <a href=\"https:\/\/news.sophos.com\/en-us\/2021\/08\/23\/proxyshell-vulnerabilities-in-microsoft-exchange-what-to-do\/\">ProxyShell attack<\/a>.<\/p>\n<p><strong>By the Numbers<\/strong><\/p>\n<ul>\n<li>Total Microsoft CVEs: 82<\/li>\n<li>Total advisories shipping in update: 0<\/li>\n<li>Publicly disclosed: 1<\/li>\n<li>Exploitation detected: 1<\/li>\n<li>Exploitation more likely in latest version: 12<\/li>\n<li>Exploitation more likely in older versions: 13<\/li>\n<li>Severity\n<ul>\n<li>Critical: 14<\/li>\n<li>Important: 68<\/li>\n<li>Moderate: 0<\/li>\n<li>Low: 0<\/li>\n<\/ul>\n<\/li>\n<li>Impact\n<ul>\n<li>Elevation of Privilege: 37<\/li>\n<li>Remote Code Execution: 21<\/li>\n<li>Information Disclosure: 10<\/li>\n<li>Denial of Service: 8<\/li>\n<li>Spoofing: 3<\/li>\n<li>Security Feature Bypass: 3<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/10\/figure-1-1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-87279\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/10\/figure-1-1.png\" alt=\"Bar chart showing distribution of critical- and important-class severities across impact classes for October 2022\" width=\"640\" height=\"427\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/10\/figure-1-1.png 2934w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/10\/figure-1-1.png?resize=300,200 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/10\/figure-1-1.png?resize=768,512 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/10\/figure-1-1.png?resize=1024,683 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/10\/figure-1-1.png?resize=1536,1024 1536w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/10\/figure-1-1.png?resize=2048,1365 2048w\" sizes=\"auto, 
(max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 1: Far more elevation-of-privilege issues addressed this month, but fully half the remote-code execution issues are Critical-class<\/em><\/p>\n<ul>\n<li>Products:\n<ul>\n<li>Microsoft Windows: 67<\/li>\n<li>Microsoft Office: 5<\/li>\n<li>SharePoint: 4<\/li>\n<li>Azure (including Service Fabric): 3<\/li>\n<li>Visual Studio: 2<\/li>\n<li>.NET: 1<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/10\/figure-2-1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-87280\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/10\/figure-2-1.png\" alt=\"bar chart showing a very Windows-heavy load of patches for October 2022\" width=\"640\" height=\"407\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/10\/figure-2-1.png 3071w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/10\/figure-2-1.png?resize=300,191 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/10\/figure-2-1.png?resize=768,489 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/10\/figure-2-1.png?resize=1024,652 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/10\/figure-2-1.png?resize=1536,978 1536w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/10\/figure-2-1.png?resize=2048,1304 2048w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 2: Windows, Windows, Windows<\/em><\/p>\n<p><strong>Notable Vulnerabilities<\/strong><\/p>\n<p><strong>Not Present: Exchange <\/strong><\/p>\n<p>System administrators should continue to monitor Microsoft communications for changes and updates regarding the two active Exchange Server vulnerabilities. 
Sophos will continue to add protections as those become available.<\/p>\n<p><strong>CVE-2022-22035, CVE-2022-24504, CVE-2022-30198, CVE-2022-33634, CVE-2022-38000, CVE-2022-38047, CVE-2022-41081: Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerabilities<\/strong><\/p>\n<p>A collection of no fewer than seven Critical remote code execution bugs in the Windows Point-to-Point Tunneling Protocol (PPTP). Microsoft assesses these are all less likely to be exploited, and there doesn\u2019t look to be any in-the-wild exploitation at the time of going to press. According to the CVSS metric, the attack complexity is high; an attacker would have to craft a malicious PPTP packet, send it to a PPTP server, and win a race condition in order to obtain remote code execution.<\/p>\n<p><strong>CVE-2022-38048, CVE-2022-38049, CVE-2022-41031: Office\/Word Remote Code Execution Vulnerabilities<\/strong><\/p>\n<p>Several Critical Office vulnerabilities this month, which could lead to remote code execution if successfully exploited. It\u2019s worth noting that with all three of these bugs, the attack vector itself is local, and user interaction is required. An attacker would need to craft a file designed to exploit the vulnerability and send the file to a victim \u2013 so there\u2019d probably be an element of social engineering involved as well. While the bugs are rated Critical, there are some upsides: Microsoft assesses exploitation as less likely in both older and newer product versions, and the Preview Pane isn\u2019t an attack vector.<\/p>\n<p><strong>CVE-2022-37987 and CVE-2022-37989: Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerabilities<\/strong><\/p>\n<p>A brace of Important privilege escalation vulnerabilities in the Windows Client Server Run-time Subsystem (CSRSS), both of which are rated as more likely to be exploited in both older and newer versions and could result in an attacker gaining SYSTEM privileges. 
As with most of the bugs so far this month, there\u2019s no evidence they\u2019ve been exploited in the wild or publicly disclosed.<\/p>\n<p><strong>CVE-2022-38022: Windows Kernel Elevation of Privilege Vulnerability<\/strong><\/p>\n<p>An odd little item with a very low (3.1) CVSS, this vuln is interesting not because what it does is so hilariously specific \u2013 as per Microsoft, the ability to delete an empty folder on a file system \u2013 but because it\u2019s a reminder that in a world of chained attacks, a tiny flaw such as this should be patched because it can be part of a bigger attack sequence.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/10\/figure-3-1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-87281\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/10\/figure-3-1.png\" alt=\"Cumulative bulletin tally for 2022\" width=\"640\" height=\"426\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/10\/figure-3-1.png 2934w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/10\/figure-3-1.png?resize=300,200 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/10\/figure-3-1.png?resize=768,512 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/10\/figure-3-1.png?resize=1024,682 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/10\/figure-3-1.png?resize=1536,1023 1536w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/10\/figure-3-1.png?resize=2048,1365 2048w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 3: Elevation of privilege continues to dominate the patches released in 2022<\/em><\/p>\n<p><strong>Sophos protection<\/strong><\/p>\n<p>(Ever wondered about behavior names, by the way? Sophos\u2019 naming conventions line up with the MITRE ATT&amp;CK framework. 
Details are available <a href=\"https:\/\/docs.sophos.com\/central\/customer\/help\/en-us\/ManageYourProducts\/Overview\/LogsReports\/Logs\/Events\/MaliciousBehaviorTypes\/index.html\">elsewhere on our site<\/a>.)<\/p>\n<p>As you can every month, if you don\u2019t want to wait for your system to pull down the updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you\u2019re running, then download the Cumulative Update package for your particular system\u2019s architecture and build number.<\/p>\n<\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2022\/10\/11\/you-cant-always-get-what-you-want-on-patch-tuesday\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/10\/shutterstock_500146216.jpg\"\/><\/p>\n<p><strong>Credit to Author: Angela Gunn| Date: Tue, 11 Oct 2022 17:47:47 +0000<\/strong><\/p>\n<p>No joy for Exchange admins looking to seal off two widely reported Server 
vulns<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[10516,19245,16771],"class_list":["post-20329","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-microsoft","tag-patch-tuesday","tag-threat-research"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20329","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=20329"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20329\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=20329"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=20329"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=20329"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}