Zero Day Initiative — The October 2022 Security Update Review


October 11, 2022 | Dustin Childs

Another Patch Tuesday is here, and Adobe and Microsoft have released their latest crop of new security updates and fixes. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for October 2022

For October, Adobe released four patches addressing 29 vulnerabilities in Adobe Acrobat and Reader, ColdFusion, Commerce and Magento, and Adobe Dimension. A total of 22 of these bugs were reported through the ZDI program. The fix for ColdFusion seems to be the most critical, with multiple CVSS 9.8 code execution bugs being addressed. There’s also a fix for a bug in the Admin Component service. The service uses a hard-coded password for the administrator user. An attacker can leverage this vulnerability to bypass authentication on the system. Hard to imagine hard-coded credentials have existed in the product for so long without being discovered.

The Commerce and Magento update addresses only one bug, but it’s a CVSS 10. If you’re using either of these products, ensure you test and deploy this quickly to fix the stored cross-site scripting (XSS) bug. The patch for Acrobat and Reader fixes six bugs, with the most severe being stack-based buffer overflows that could lead to code execution. A threat actor would need to trick someone into opening a specially crafted PDF to get arbitrary code execution. The fix for Dimension corrects nine bugs, eight of which are rated critical. Most of these are file parsing bugs and would require user interaction to exploit.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for October 2022

This month, Microsoft released 85 new patches addressing CVEs in Microsoft Windows and Windows Components; Azure, Azure Arc, and Azure DevOps; Microsoft Edge (Chromium-based); Office and Office Components; Visual Studio Code; Active Directory Domain Services and Active Directory Certificate Services; NuGet Client; Hyper-V; and the Windows Resilient File System (ReFS). This is in addition to the 11 CVEs patched in Microsoft Edge (Chromium-based) and one patch for side-channel speculation in Arm processors. That brings the total number of CVEs to 96. Six of these CVEs were submitted through the ZDI program.

What may be more interesting is what isn’t included in this month’s release. There are no updates for Exchange Server, despite two Exchange bugs being actively exploited for at least two weeks. These bugs were purchased by the ZDI at the beginning of September and reported to Microsoft at the time. With no updates available to fully address these bugs, the best administrators can do is ensure the September 2021 Cumulative Update (CU) is installed. This adds the Exchange Emergency Mitigation service. This automatically installs available mitigations and sends diagnostic data to Microsoft. Otherwise, follow this post from Microsoft with the latest information. Their mitigation advice has changed multiple times, so you’ll need to make sure you check it often for updates.

Of the 85 new patches released today, 15 are rated Critical, 69 are rated Important, and one is rated Moderate in severity. This volume is somewhat in line with what we’ve seen in previous October releases, but it does put Microsoft on track to exceed its 2021 total. If that happens, 2022 would be the second busiest year for Microsoft CVEs. One of the new CVEs released this month is listed as publicly known and one other is listed as being in the wild at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the bug under active attack:

-       CVE-2022-41033 – Windows COM+ Event System Service Elevation of Privilege Vulnerability
This patch fixes a bug that Microsoft lists as being used in active attacks, although they don’t specify how broad these attacks may be. Since this is a privilege escalation bug, it is likely paired with other code execution exploits designed to take over a system. These types of attacks often involve some form of social engineering, such as enticing a user to open an attachment or browse to a malicious website. Despite near-constant anti-phishing training, especially during “Cyber Security Awareness Month”, people tend to click everything, so test and deploy this fix quickly.

-       CVE-2022-37987/CVE-2022-37989 – Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability
These bugs were reported by ZDI Sr. Vulnerability Researcher Simon Zuckerbraun and pertain to the behavior of the CSRSS process when it searches for dependencies. CVE-2022-37989 is a failed patch for CVE-2022-22047, an earlier bug that saw some in-the-wild exploitation. This vulnerability results from CSRSS being too lenient in accepting input from untrusted processes. By contrast, CVE-2022-37987 is a new attack that works by deceiving CSRSS into loading dependency information from an unsecured location. We’ll publish additional details about these bugs on our blog in the future.

-       CVE-2022-37968 – Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability
This vulnerability could allow an attacker to gain administrative control over Azure Arc-enabled Kubernetes clusters. Azure Stack Edge devices may also be impacted by this bug. To exploit this remotely, the attacker would need to know the randomly generated DNS endpoint for an Azure Arc-enabled Kubernetes cluster. Still, this bug receives the rare CVSS 10 rating – the highest severity rating the system allows. If you’re running these types of containers, make sure you either have auto-upgrade enabled or manually update to the latest version by running the appropriate commands in the Azure CLI.

-       CVE-2022-38048 – Microsoft Office Remote Code Execution Vulnerability
This bug was reported to the ZDI by the researcher known as “hades_kito” and represents a rare Critical-rated Office bug. Most Office vulnerabilities are rated Important since they involve user interaction – typically opening a file. An exception to that is when the Preview Pane is an attack vector; however, Microsoft states that isn’t the case here. Likely the rating results from the lack of warning dialogs when opening a specially crafted file. Either way, this is a use-after-free (UAF) that could lead to passing an arbitrary pointer to a free call, which makes further memory corruption possible.

Here’s the full list of CVEs released by Microsoft for October 2022:

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2022-41033 | Windows COM+ Event System Service Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2022-41043 | Microsoft Office Information Disclosure Vulnerability | Important | 4 | Yes | No | Info |
| CVE-2022-37976 | Active Directory Certificate Services Elevation of Privilege Vulnerability | Critical | 8.8 | No | No | EoP |
| CVE-2022-37968 | Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability | Critical | 10 | No | No | EoP |
| CVE-2022-38049 | Microsoft Office Graphics Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2022-38048 | Microsoft Office Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2022-41038 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2022-34689 | Windows CryptoAPI Spoofing Vulnerability | Critical | 7.5 | No | No | Spoofing |
| CVE-2022-41031 | Microsoft Word Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2022-37979 | Windows Hyper-V Elevation of Privilege Vulnerability | Critical | 7.8 | No | No | EoP |
| CVE-2022-30198 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-24504 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-33634 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-22035 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-38047 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-38000 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-41081 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-38042 | Active Directory Domain Services Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2022-38021 | Connected User Experiences and Telemetry Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-38036 | Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-37977 | Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2022-37983 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-38040 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-38001 | Microsoft Office Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
| CVE-2022-41036 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-41037 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-38053 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-37982 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-38031 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-37971 | Microsoft Windows Defender Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2022-41032 | NuGet Client Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-38045 | Server Service Remote Protocol Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
| CVE-2022-35829 | Service Fabric Explorer Spoofing Vulnerability | Important | 6.2 | No | No | Spoofing |
| CVE-2022-38017 | StorSimple 8000 Series Elevation of Privilege Vulnerability | Important | 6.8 | No | No | EoP |
| CVE-2022-41083 | Visual Studio Code Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-41042 | Visual Studio Code Information Disclosure Vulnerability | Important | 7.4 | No | No | Info |
| CVE-2022-41034 | Visual Studio Code Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-38046 | Web Account Manager Information Disclosure Vulnerability | Important | 6.2 | No | No | Info |
| CVE-2022-38050 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37978 | Windows Active Directory Certificate Services Security Feature Bypass | Important | 7.5 | No | No | SFB |
| CVE-2022-38029 | Windows ALPC Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-38044 | Windows CD-ROM File System Driver Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-37989 | Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37987 | Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37980 | Windows DHCP Client Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-38026 | Windows DHCP Client Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-38025 | Windows Distributed File System (DFS) Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-37970 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37981 | Windows Event Logging Service Denial of Service Vulnerability | Important | 4.3 | No | No | DoS |
| CVE-2022-33635 | Windows GDI+ Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-38051 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37997 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37985 | Windows Graphics Component Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-37975 | Windows Group Policy Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37999 | Windows Group Policy Preference Client Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37993 | Windows Group Policy Preference Client Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37994 | Windows Group Policy Preference Client Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37995 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37988 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-38037 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-38038 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37990 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-38039 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37991 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-38022 | Windows Kernel Elevation of Privilege Vulnerability | Important | 2.5 | No | No | EoP |
| CVE-2022-37996 | Windows Kernel Memory Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-38016 | Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
| CVE-2022-37998 | Windows Local Session Manager (LSM) Denial of Service Vulnerability | Important | 7.7 | No | No | DoS |
| CVE-2022-37973 | Windows Local Session Manager (LSM) Denial of Service Vulnerability | Important | 7.7 | No | No | DoS |
| CVE-2022-37974 | Windows Mixed Reality Developer Tools Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2022-35770 | Windows NTLM Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
| CVE-2022-37965 | Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability | Important | 5.9 | No | No | DoS |
| CVE-2022-38032 | Windows Portable Device Enumerator Service Security Feature Bypass Vulnerability | Important | 5.9 | No | No | SFB |
| CVE-2022-38028 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-38003 | Windows Resilient File System Elevation of Privilege | Important | 7.8 | No | No | EoP |
| CVE-2022-38041 | Windows Secure Channel Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-38043 | Windows Security Support Provider Interface Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-38033 | Windows Server Remotely Accessible Registry Keys Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2022-38027 | Windows Storage Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-33645 | Windows TCP/IP Driver Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-38030 | Windows USB Serial Driver Information Disclosure Vulnerability | Important | 4.3 | No | No | Info |
| CVE-2022-37986 | Windows Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37984 | Windows WLAN Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-38034 | Windows Workstation Service Elevation of Privilege Vulnerability | Important | 4.3 | No | No | EoP |
| CVE-2022-41035 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Moderate | 8.3 | No | No | Spoofing |
| CVE-2022-3304 * | Chromium: CVE-2022-3304 Use after free in CSS | High | N/A | No | No | RCE |
| CVE-2022-3307 * | Chromium: CVE-2022-3307 Use after free in Media | High | N/A | No | No | RCE |
| CVE-2022-3370 * | Chromium: CVE-2022-3370 Use after free in Custom Elements | High | N/A | No | No | RCE |
| CVE-2022-3373 * | Chromium: CVE-2022-3373 Out of bounds write in V8 | High | N/A | No | No | RCE |
| CVE-2022-3308 * | Chromium: CVE-2022-3308 Insufficient policy enforcement in Developer Tools | Medium | N/A | No | No | SFB |
| CVE-2022-3310 * | Chromium: CVE-2022-3310 Insufficient policy enforcement in Custom Tabs | Medium | N/A | No | No | SFB |
| CVE-2022-3311 * | Chromium: CVE-2022-3311 Use after free in Import | Medium | N/A | No | No | RCE |
| CVE-2022-3313 * | Chromium: CVE-2022-3313 Incorrect security UI in Full Screen | Medium | N/A | No | No | SFB |
| CVE-2022-3315 * | Chromium: CVE-2022-3315 Type confusion in Blink | Medium | N/A | No | No | RCE |
| CVE-2022-3316 * | Chromium: CVE-2022-3316 Insufficient validation of untrusted input in Safe Browsing | Low | N/A | No | No | Spoofing |
| CVE-2022-3317 * | Chromium: CVE-2022-3317 Insufficient validation of untrusted input in Intents | Low | N/A | No | No | Spoofing |

* Indicates this CVE had previously been assigned by a 3rd-party and is now being incorporated into Microsoft products.
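To turn the list above into a patch-priority order, here is an added Python triage helper (not from the ZDI post) that parses rows in the table's flat layout, ranks them by exploited, then publicly known, then vendor severity, then CVSS, and tallies rows by severity or type. The embedded rows are a constructed subset copied from the table; run it over the full table to reproduce the counts quoted in the text.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed subset of rows copied from the table above (the full table is on
# the page); the parser expects one row per line in exactly that layout.
SAMPLE_ROWS = """\
CVE-2022-41033 Windows COM+ Event System Service Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2022-41043 Microsoft Office Information Disclosure Vulnerability Important 4 Yes No Info
CVE-2022-37968 Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability Critical 10 No No EoP
CVE-2022-34689 Windows CryptoAPI Spoofing Vulnerability Critical 7.5 No No Spoofing
CVE-2022-38022 Windows Kernel Elevation of Privilege Vulnerability Important 2.5 No No EoP
CVE-2022-41035 Microsoft Edge (Chromium-based) Spoofing Vulnerability Moderate 8.3 No No Spoofing
CVE-2022-3373 * Chromium: CVE-2022-3373 Out of bounds write in V8 High N/A No No RCE
"""

# Columns: CVE, optional "*" (third-party CVE folded into Edge), free-text title,
# severity, CVSS (or N/A on Chromium rows), Public, Exploited, Type.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+(?P<star>\*\s+)?(?P<title>.+?)\s+"
    r"(?P<severity>Critical|Important|Moderate|High|Medium|Low)\s+"
    r"(?P<cvss>\d+(?:\.\d+)?|N/A)\s+(?P<public>Yes|No)\s+"
    r"(?P<exploited>Yes|No)\s+(?P<type>\S+)$"
)

# Vendor severity outranks raw CVSS in the sort key; Chromium's High/Medium/Low
# are mapped onto Microsoft's scale so the Edge rows sort alongside the rest.
SEVERITY_RANK = {"Critical": 4, "Important": 3, "High": 3,
                 "Moderate": 2, "Medium": 2, "Low": 1}

@dataclass(frozen=True)
class Entry:
    cve: str
    title: str
    severity: str
    cvss: Optional[float]  # None when the table says N/A
    public: bool
    exploited: bool
    type: str
    third_party: bool      # the "*" marker

def parse_rows(text: str) -> List[Entry]:
    """Parse table rows; raise on a line that does not fit the layout."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable row: {line!r}")
        cvss = None if m["cvss"] == "N/A" else float(m["cvss"])
        entries.append(Entry(m["cve"], m["title"], m["severity"], cvss,
                             m["public"] == "Yes", m["exploited"] == "Yes",
                             m["type"], m["star"] is not None))
    return entries

def triage_order(entries: List[Entry]) -> List[str]:
    """CVE ids, most urgent first: exploited, then public, then severity, then CVSS."""
    def key(e: Entry):
        return (e.exploited, e.public, SEVERITY_RANK[e.severity],
                e.cvss if e.cvss is not None else 0.0)
    return [e.cve for e in sorted(entries, key=key, reverse=True)]

def count_by(entries: List[Entry], field: str) -> Dict[str, int]:
    """Tally rows by 'severity' or 'type' (full table: 15 Critical, 39 EoP, 11 Info)."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[getattr(e, field)] = counts.get(getattr(e, field), 0) + 1
    return counts
```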

Looking at the rest of the Critical-rated patches, the update for Active Directory Certificate Services (ADCS) stands out the most, as successful exploitation would give the attacker domain administrator privileges. However, exploiting this would be tricky. A malicious DCOM client would need to trick a DCOM server into authenticating to it through ADCS and then use the credential to launch a cross-protocol attack. There are seven Critical-rated fixes for the Point-to-Point Tunneling Protocol (PPTP). If you’re still using this, consider migrating to a more modern (and secure) solution. There’s a fix for a guest-to-host escape in Hyper-V that could result in the attacker executing code on the root OS. In addition to the one mentioned above, there are two other Critical-rated bugs impacting Office components. Neither has a Preview Pane attack vector, so it’s not clear why the Critical rating applies. Speaking of confusing, there’s a Critical fix for SharePoint that reads identically to the Important-rated SharePoint fixes. Microsoft offers no clarity on why this bug is different.

There are only nine other fixes for remote code execution vulnerabilities, including three for SharePoint that have the same description as the Critical-rated SharePoint bugs already mentioned. There are two patches for the WDAC OLE DB provider for SQL Server and one for the ODBC Driver itself. There’s a fix for an RCE in Visual Studio Code, but no details are provided on what the attack scenario would be. That’s not the case for the GDI+ bug. An attacker would need to convince a user to browse to a malicious website or open a specially crafted file to get code execution. Finally, former Pwn2Own winner Bien Pham from Team Orca of Sea Security reported a code execution bug in the CD-ROM driver through the ZDI program. It’s an integer overflow that could lead to an out-of-bounds write on kernel heap memory. In this case, an attacker would need to convince someone to open a malicious .iso file, which does seem a bit unlikely.

A total of 39 bugs in this release are Elevation of Privilege (EoP) bugs, including those mentioned above. The majority of these require an authenticated user to run specially crafted code on an affected system, but there are a few that stand out. The first is the patch for the print spooler. While we’re certainly used to spooler updates by now, this one was reported by the National Security Agency (NSA). The EoP in the Workstation service requires privileges, but it can be reached remotely. An attacker could execute RPC functions that are normally restricted to the local client. You would also need to be authenticated to send malicious RPC calls to the DHCP service to escalate to SYSTEM. The bug in Active Directory Domain Services could allow an attacker to get domain administrator privileges, but Microsoft offers no details on how that would occur. The NuGet package manager for .NET receives a fix impacting multiple NuGet versions. The fix for Visual Studio Code contains an …uh… interesting workaround:

“Create a folder C:\ProgramData\jupyter\kernels\ and configure it to be writable only by the current user.”

It’s not clear why this prevents the attack, but Microsoft claims it will. Lastly, the EoP in the Local Security Authority (LSA) could lead to a sandbox escape.

The October release includes fixes for 11 information disclosure bugs, including one in Office that’s listed as publicly known. Most of the other info disclosure vulnerabilities only result in leaks consisting of unspecified memory contents. There are a couple of notable exceptions. The bug in the Web Account Manager could allow an attacker to view unbound refresh tokens issued by one cloud on a different cloud. The patches for Visual Studio Code and the Mixed Reality Developer Tools fix disclosure bugs that could allow reading from the file system. The final info disclosure bug fixed this month could allow reading from the HKLM hive of the registry, which you normally would not have access to.

There are two patches for Security Feature Bypass (SFB) vulnerabilities this month, and the first requires physical access. On systems with outdated USB controller hardware, a Group Policy might have silently failed, which would leave the Windows Portable Device Enumerator Service open to attacks that rely on inserting a USB storage device. The SFB bug in Active Directory Certificate Services requires a Man-in-the-Middle (MiTM) and applies to Windows Challenge/Response (NTLM) authentication.

Eight different DoS vulnerabilities are patched this month. Probably the most interesting is the DoS in TCP/IP, which could be exploited by remote, unauthenticated attackers and does not require user interaction. Microsoft states systems with IPv6 disabled aren’t affected, but IPv6 comes enabled by default on most systems these days. Microsoft provides no further details about the seven other DoS patches.

The October release is rounded out by five spoofing bugs, including the lone Moderate-rated fix, which addresses a spoofing vulnerability in Microsoft Edge (Chromium-based). The most interesting is the Critical-rated fix for the Windows CryptoAPI. This bug could allow an attacker to spoof an existing public X.509 certificate to authenticate or sign code as the targeted certificate. I’m sure malware authors will definitely try to use this one in the near future. There’s also a stored cross-site scripting (XSS) bug in the Service Fabric Explorer. If you’re using this, you need to ensure you are on the latest version by following these instructions. No additional details are provided about the spoofing bugs in Office or NTLM.

No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV990001.

Looking Ahead

The next Patch Tuesday falls on November 8, and we’ll return with details and patch analysis then. Be sure to catch the Patch Report webcast on our YouTube channel. It should be posted in just a few hours. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!