Patch Tuesday – October 2022

October 11, 2022 by Bryson Medlock


Today is once again Patch Tuesday, the second Tuesday of the month, when Microsoft and other vendors push out security updates to their products. This month, Microsoft has released 83 security updates for their products and Adobe has released 19. Of the 83 released by Microsoft, 14 are rated with a severity of Critical, and 69 as Important. One of the Important vulnerabilities has already been publicly disclosed, and a different one has been observed being exploited in the wild, also known as a zero-day vulnerability. Of the 14 Critical vulnerabilities patched this month, 3 are Elevation of Privilege vulnerabilities (2 for Azure and 1 for Hyper-V) and the other 11 are all Remote Code Execution (RCE) vulnerabilities.

The one vulnerability that has been publicly disclosed is CVE-2022-41043, a Microsoft Office Information Disclosure Vulnerability that affects Office 2019 for Mac and Office LTSC for Mac 2021. Microsoft gives credit to Cody Thomas with SpecterOps for discovering this vulnerability, which can be used to gain access to a user’s authentication tokens. The zero-day vulnerability disclosed this month is CVE-2022-41033, a privilege elevation vulnerability in the Windows COM+ Event System Service. Microsoft does not provide much detail regarding this vulnerability except to say that an attacker could use it to gain SYSTEM privileges on a system they already have access to. Microsoft disclosed seven Critical RCE vulnerabilities in their implementation of the Point-to-Point Tunneling Protocol (PPTP): CVE-2022-22035, CVE-2022-24504, CVE-2022-30198, CVE-2022-33634, CVE-2022-38000, CVE-2022-38047, and CVE-2022-41081. All seven require an attacker to craft a PPTP packet, which could allow the attacker to execute code remotely on a server, and all are credited to Yuki Chen with Cyber KunLun.

Microsoft has not yet released patches for the two Microsoft Exchange vulnerabilities disclosed at the end of September, CVE-2022-41040 and CVE-2022-41082, collectively referred to as ProxyNotShell. They have, however, updated the original mitigation guidance a few times as multiple bypasses have been discovered. You can follow the latest guidance for protecting your on-prem Exchange servers by visiting Microsoft's blog post.

For a full breakdown of all the patches released this month, we recommend you check out the Patch Tuesday Dashboard by Morphus Labs. Also refer to the table below for all the relevant Microsoft KB articles.

 

| KB Article | Applies To |
|---|---|
| 5018410 | Windows 10, version 20H2, Windows 10, version 21H1, Windows 10, version 21H2 |
| 5018418 | Windows 11 version 21H2 |
| 5018419 | Windows 10, version 1809, Windows Server 2019 |
| 5018421 | Windows Server 2022 |
| 5018446 | Windows Server 2008 (Security-only update) |
| 5018450 | Windows Server 2008 (Monthly Rollup) |
| 5018454 | Windows 7, Windows Server 2008 R2 (Monthly Rollup) |
| 5018457 | Windows Server 2012 (Monthly Rollup) |
| 5018474 | Windows 8.1, Windows Server 2012 R2 (Monthly Rollup) |
| 5018476 | Windows 8.1, Windows Server 2012 R2 (Security-only update) |
| 5018478 | Windows Server 2012 (Security-only update) |
| 5018479 | Windows 7, Windows Server 2008 R2 (Security-only update) |