Microsoft Patch Tuesday Fixes New Windows Zero-Day; No Patch for Exchange Server Bugs

Home/Microsoft, Security Advisory, Security Update/Microsoft Patch Tuesday Fixes New Windows Zero-Day; No Patch for Exchange Server Bugs

Microsoft Patch Tuesday Fixes New Windows Zero-Day; No Patch for Exchange Server Bugs

Microsoft released fixes for a Windows zero-day and a publicly disclosed vulnerability on October Patch Tuesday but security updates for two Exchange Server zero-days discovered last month are still in limbo.

Recent news reports show that Microsoft’s Patch Tuesday update for the month of October has addressed a total of 85 security vulnerabilities, including fixes for an actively exploited zero-day flaw in the wild.

It appears that out of the 85 bugs, 15 are rated Critical, 69 are rated Important, and one is rated Moderate in severity. The update, however, does not include mitigations for the actively exploited ProxyNotShell flaws in Exchange Server.

Notably, the patches come alongside updates to resolve 12 other flaws in the Chromium-based Edge browser that have been released since the beginning of the month.

The new zero-day is an elevation of privilege vulnerability in the Windows COM+ Event System Service, and is likely being used alongside other exploits to take over a target system. It is tracked as CVE-2022-41033.

“All versions of Windows starting with Windows 7 and Windows Server 2008 are vulnerable. The Windows COM+ Event System Service is launched by default with the operating system and is responsible for providing notifications about logons and logoffs,” he said.

Lastly, the Patch Tuesday update further addresses two more privilege escalation flaws in Windows Workstation Service (CVE-2022-38034, CVSS score: 4.3) and Server Service Remote Protocol (CVE-2022-38045, CVSS score: 8.8).

As for critical bugs, there are 15 rated as critical in the October update. These are as follows:

  • CVE-2022-22035, a remote code execution (RCE) vulnerability in the Windows Point-to-Point Tunneling Protocol;
  • CVE-2022-24504, a second RCE vulnerability in the Windows Point-to-Point Tunneling Protocol;
  • CVE-2022-30198, a third RCE vulnerability in the Windows Point-to-Point Tunneling Protocol;
  • CVE-2022-33634, yet another RCE vulnerability in the Windows Point-to-Point Tunneling Protocol;
  • CVE-2022-34689, a spoofing vulnerability in Windows CryptoAPI;
  • CVE-2022-37968, a privilege escalation vulnerability in Azure Arc-enabled Kubernetes clusters;
  • CVE-2022-37976, a privilege escalation vulnerability in Active Directory Certificate Services;
  • CVE-2022-37979, a privilege escalation vulnerability in Windows Hyper-V;
  • CVE-2022-38000, another RCE vulnerability in the Windows Point-to-Point Tunneling Protocol;
  • CVE-2022-38047, the sixth RCE vulnerability in the Windows Point-to-Point Tunneling Protocol;
  • CVE-2022-38048, an RCE vulnerability in Microsoft Office;
  • CVE-2022-38049, an RCE vulnerability in Microsoft Office Graphics;
  • CVE-2022-41031, an RCE vulnerability in Microsoft Word;
  • CVE-2022-41038, an RCE vulnerability in Microsoft SharePoint Server;
  • And CVE-2022-41081, which takes the total of critical RCE vulnerabilities in the Windows Point-to-Point Tunneling Protocol to seven.
Post Views: 429
By | 2022-10-12T19:53:33+05:30 October 12th, 2022|Microsoft, Security Advisory, Security Update|

About the Author:

FirstHackersNews- Identifies Security

Related Posts

Leave A Comment

Subscribe to our newsletter to receive security tips everday!