It’s the second week of the month, which means it’s time for Microsoft’s scheduled monthly security update. As has become all too familiar to Microsoft users, this month’s Patch Tuesday update confirms even more Zero-Day (0Day) vulnerabilities, including one that Microsoft claims is being actively exploited.
October Patch Tuesday: 84 vulnerabilities, 13 critical points, 2 zero-days
With some 84 vulnerabilities, this is far from the biggest Patch Tuesday event of the year. However, 13 have a critical severity rating and two are 0 days.
Microsoft defines a 0Day as a vulnerability with no official fix when made public or actively attacked.
In the case of CVE-2022-41033, which Microsoft confirms is being actively exploited in the wild but provides no further information about its exploitation, it affects almost every version of Windows. “All versions of Windows, starting with Windows 7 and Windows Server 2008, are vulnerable,” said Mike Walters, vice president of vulnerability and threat research at Action1.
MORE FROM FORBESGoogle Warns Hackers Not To Break Anything And Not Use Chloroform The Security GuardsBy Davey WinderWhy Is Fixing CVE-2022-41033 So Important?
It does not receive the highest severity rating and comes in with a CVSS score of 7.8. Still, Walters says, “there has been an exploit for this vulnerability for a long time, and it can easily be combined with an RCE exploit.” This slightly increases security efforts because this elevation of privilege vulnerability could give an attacker full system privileges. Sure, the mitigating factor is that to successfully exploit CVE-2022-41033 an attacker needs local access, but exploit-chain quickly dilutes that. This vulnerability, which targets the Windows COM+ Event System, which starts with the operating system by default, should be patched as soon as possible.
CVE-2022-41033 affects almost all versions of Windows and Windows Server
Microsoft
About 39 of the vulnerabilities addressed are elevation of privileges, which isn’t too surprising given that this is one of the most valuable security flaws in an attacker’s mindset.
You can find more details about all the vulnerabilities fixed by the October Patch Tuesday update at this excellent Sans Internet Storm Center resource which includes CVE links to the National Institute of Standards And Technology (NIST) National Vulnerability Database.
MORE FROM FORBES Windows Logo Armed By State-Backed Chinese APT10 Spies In Continued Attacks By Davey Winder Microsoft Fails To Fix Two Exchange Server 0 Days Still Being Abused
Unfortunately, there are still two zero-day vulnerabilities, still being actively exploited by attackers, that Microsoft has yet to fix. Namely, CVE-2022-41040 and CVE-2022-41082, which I reported on last month. Fixes to the Exchange Server 0Day vulnerabilities, confirmed by Microsoft, are not included and will be released “when ready”.