On October 11, 2022, Microsoft released security updates for Windows clients and servers, for Office and for other products. The security updates fix 84 vulnerabilities, 13 of which are critical, and one 0-day vulnerability. Among other things, a printer vulnerability in Windows and an Active Directory Certificate Services vulnerability are corrected – both rated critical. Below is a compact overview of these updates released on Patchday.
A list of the updates can be found on this Microsoft page. Details on the update packages for Windows, Office, etc. are available in separate blog posts.
Notes on the updates
Windows 10 version 20H2 to 21H2 use a common core and have an identical set of system files. Therefore, the same security update will be delivered for these Windows 10 versions. Information on how to enable the features of Windows 10, which is done through an Enablement Package update, can be found in this Techcommunity post.
All Windows 10 updates are cumulative. The monthly Patchday update includes all security fixes for Windows 10 and all non-security fixes up to Patchday. In addition to vulnerability security patches, the updates include security enhancement measures. Microsoft is integrating the Servicing Stack Updates (SSUs) into the Latest Cumulative Updates (LCUs) for newer versions of Windows 10. A list of the latest SSUs can be found at ADV990001 (although the list is not always up-to-date).
Windows 7 SP1 is no longer supported as of January 2020. Only customers with a 3rd year ESU license (or bypasses) will still receive updates. The current ESU bypass still allows the update to be installed. Updates can also be downloaded from the Microsoft Update Catalog. The updates for Windows RT 8.1 and Microsoft Office RT are only available via Windows Update.
The October 2022 security updates fix 84 vulnerabilities, 13 of which are critical and one 0-day vulnerability. A list of all the CVEs covered can be found on this Microsoft page. Tenable also has this blog post with an overview of the fixed vulnerabilities. Here are some important and critical vulnerabilities:
- CVE-2022-41033: Windows COM+ Event System Service elevation of privilege vulnerability, Important, an EoP vulnerability in the Windows COM+ Event System Service that allows system event notifications for COM+ component services. It received a CVSSv3 score of 7.8. An authenticated attacker could exploit this vulnerability to elevate privileges on a vulnerable system and gain SYSTEM privileges.
- CVE-2022-37968: Windows Print Spooler elevation of privilege vulnerability, Critical, an EoP vulnerability in Windows Print Spooler components that has received a CVSSv3 score of 7.8 and has been rated Exploitation More Likely according to Microsoft's Exploitability Index. Exploitation would allow an attacker to gain SYSTEM privileges. The vulnerability was reported to Microsoft by the National Security Agency. This is the third EoP vulnerability in Windows Print Spooler attributed to the NSA this year, following CVE-2022-29104 and CVE-2022-30138 in May.
- CVE-2022-38053, CVE-2022-41036, CVE-2022-41037, CVE-2022-41038: Microsoft SharePoint Server remote code execution vulnerability, Important, RCE vulnerabilities in Microsoft SharePoint Server, all of which received a CVSSv3 score of 8.8. All but CVE-2022-41037 were rated as Exploitation More Likely, and CVE-2022-41038 is the only one rated as Critical. To exploit these vulnerabilities, a network-based attacker must be authenticated with the SharePoint target site and have permission to use Manage Lists.
- CVE-2022-37988, CVE-2022-37990, CVE-2022-37991, CVE-2022-37995, CVE-2022-38022, CVE-2022-38037, CVE-2022-38038, CVE-2022-38039: Windows Kernel elevation of privilege vulnerability, Critical, EoP vulnerabilities in the Windows kernel. With the exception of CVE-2022-38022, all CVEs received a CVSSv3 rating of 7.8 and could allow an attacker to elevate privileges to SYSTEM. CVE-2022-38022 received a CVSSv3 rating of 2.5 and would only allow an attacker to delete empty folders as SYSTEM. The attacker would not be able to view or edit files or delete non-empty folders.
- CVE-2022-41043: Microsoft Office information disclosure vulnerability, Important, an information disclosure vulnerability affecting Microsoft Office for Mac. Local access to the host is required for exploitation. This was the only publicly reported vulnerability patched this month. It is attributed to Cody Thomas of SpecterOps.
- CVE-2022-37976: Active Directory Certificate Services elevation of privilege vulnerability, Critical, an EoP vulnerability affecting Active Directory Certificate Services. According to the advisory, a malicious Distributed Component Object Model (DCOM) client could trick a DCOM server into authenticating itself to the client, allowing an attacker to conduct a cross-protocol attack and gain domain administrator privileges. Although Microsoft rates this as "less likely," ransomware groups often look for vulnerabilities and misconfigurations in Active Directory to spread malicious payloads across an organization's network.
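As an added example (not code from the original post or from Microsoft), the following PowerShell script resolves the CVEs listed above to the KB articles that fix them, using Microsoft's public CVRF API for the October 2022 release, and then checks whether one of those KBs is installed on the local machine. It assumes outbound HTTPS access to api.msrc.microsoft.com and that the local Windows SKU is one of the products covered by that document.

```powershell
# Added example, not from the original post: map this month's CVEs to fixing KBs
# via the MSRC CVRF API and compare against the locally installed hotfixes.
$cves = @(
    'CVE-2022-41033', 'CVE-2022-37968', 'CVE-2022-38053', 'CVE-2022-41036',
    'CVE-2022-41037', 'CVE-2022-41038', 'CVE-2022-37988', 'CVE-2022-37990',
    'CVE-2022-37991', 'CVE-2022-37995', 'CVE-2022-38022', 'CVE-2022-38037',
    'CVE-2022-38038', 'CVE-2022-38039', 'CVE-2022-41043', 'CVE-2022-37976'
)

# CVRF document for the October 2022 Patchday; the API returns JSON when asked for it.
# Assumption: network access to api.msrc.microsoft.com is available.
$uri  = 'https://api.msrc.microsoft.com/cvrf/v2.0/cvrf/2022-Oct'
$cvrf = Invoke-RestMethod -Uri $uri -Headers @{ Accept = 'application/json' }

# Build CVE -> set of KB ids from the vendor-fix remediations (Type 2 = Vendor Fix).
# Only numeric descriptions are KB numbers; other entries are release notes or builds.
$kbsByCve = @{}
foreach ($v in $cvrf.Vulnerability) {
    if ($cves -notcontains $v.CVE) { continue }
    $kbs = $v.Remediations |
        Where-Object { $_.Type -eq 2 -and $_.Description.Value -match '^\d+$' } |
        ForEach-Object { "KB$($_.Description.Value)" } |
        Sort-Object -Unique
    $kbsByCve[$v.CVE] = $kbs
}

# Hotfixes actually installed on this host (same data source as "wmic qfe").
$installed = (Get-HotFix).HotFixID

foreach ($cve in $cves) {
    $kbs = $kbsByCve[$cve]
    if (-not $kbs) { "$cve : not found in the CVRF document"; continue }
    $have = $kbs | Where-Object { $installed -contains $_ }
    if ($have) { "$cve : patched ($($have -join ', '))" }
    else       { "$cve : no fixing KB installed (expected one of: $($kbs -join ', '))" }
}
```

Each CVE lists one KB per product SKU, so "no fixing KB installed" is only meaningful for the KBs that apply to this machine's SKU, and Get-HotFix does not see Office or SharePoint updates, so CVE-2022-41043 and the SharePoint CVEs must be verified in those products instead.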
Bleeping Computer has published a full list of patched CVE vulnerabilities here. Below is the list of patched products:
- Active Directory Domain Services
- Azure Arc
- Client Server Run-time Subsystem (CSRSS)
- Microsoft Edge (Chromium-based)
- Microsoft Graphics Component
- Microsoft Office
- Microsoft Office SharePoint
- Microsoft Office Word
- Microsoft WDAC OLE DB provider for SQL
- NuGet Client
- Remote Access Service Point-to-Point Tunneling Protocol
- Role: Windows Hyper-V
- Service Fabric
- Visual Studio Code
- Windows Active Directory Certificate Services
- Windows ALPC
- Windows CD-ROM Driver
- Windows COM+ Event System Service
- Windows Connected User Experiences and Telemetry
- Windows CryptoAPI
- Windows Defender
- Windows DHCP Client
- Windows Distributed File System (DFS)
- Windows DWM Core Library
- Windows Event Logging Service
- Windows Group Policy
- Windows Group Policy Preference Client
- Windows Internet Key Exchange (IKE) Protocol
- Windows Kernel
- Windows Local Security Authority (LSA)
- Windows Local Security Authority Subsystem Service (LSASS)
- Windows Local Session Manager (LSM)
- Windows NTFS
- Windows NTLM
- Windows ODBC Driver
- Windows Perception Simulation Service
- Windows Point-to-Point Tunneling Protocol
- Windows Portable Device Enumerator Service
- Windows Print Spooler Components
- Windows Resilient File System (ReFS)
- Windows Secure Channel
- Windows Security Support Provider Interface
- Windows Server Remotely Accessible Registry Keys
- Windows Server Service
- Windows Storage
- Windows TCP/IP
- Windows USB Serial Driver
- Windows Web Account Manager
- Windows Win32K
- Windows WLAN Service
- Windows Workstation Service
Microsoft Office Updates (October 4, 2022)
Microsoft Security Update Summary (October 11, 2022)
Patchday: Windows 10-Updates (October 11, 2022)
Patchday: Windows 11/Server 2022-Updates (October 11, 2022)
Windows 7/Server 2008 R2; Windows 8.1/Server 2012 R2: Updates (October 11, 2022)
Patchday: Microsoft Office Updates (October 11, 2022)