Zero Day Initiative — The October 2022 Security Update Review (2023)

Another Patch Tuesday is here, and Adobe and Microsoft have released their latest crop of new security updates and fixes. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for October 2022

For October, Adobe released four patches addressing 29 vulnerabilities in Adobe Acrobat and Reader, ColdFusion, Commerce and Magento, and Adobe Dimension. A total of 22 of these bugs were reported through the ZDI program. The fix for ColdFusion seems to be the most critical, with multiple CVSS 9.8 code execution bugs being addressed. There’s also a fix for a bug in the Admin Component service. The service uses a hard-coded password for the administrator user. An attacker can leverage this vulnerability to bypass authentication on the system. Hard to imagine hard-coded credentials have existed in the product for so long without being discovered.

The Commerce and Magento update addresses only one bug, but it’s a CVSS 10. If you’re using either of these products, ensure you test and deploy this quickly to fix the stored cross-site scripting (XSS) bug. The patch for Acrobat and Reader fixes six bugs, with the most severe being stack-based buffer overflows that could lead to code execution. A threat actor would need to trick someone into opening a specially crafted PDF to get arbitrary code execution. The fix for Dimension corrects nine bugs, eight of which are rated critical. Most of these are file parsing bugs and would require user interaction to exploit.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for October 2022

This month, Microsoft released 85 new patches addressing CVEs in Microsoft Windows and Windows Components; Azure, Azure Arc, and Azure DevOps; Microsoft Edge (Chromium-based); Office and Office Components; Visual Studio Code; Active Directory Domain Services and Active Directory Certificate Services; NuGet Client; Hyper-V; and the Windows Resilient File System (ReFS). This is in addition to the 11 CVEs patched in Microsoft Edge (Chromium-based) and one patch for side-channel speculation in Arm processors. That brings the total number of CVEs to 96. Six of these CVEs were submitted through the ZDI program.

What may be more interesting is what isn’t included in this month’s release. There are no updates for Exchange Server, despite two Exchange bugs being actively exploited for at least two weeks. These bugs were purchased by the ZDI at the beginning of September and reported to Microsoft at the time. With no updates available to fully address these bugs, the best administrators can do is ensure the September 2021 Cumulative Update (CU) is installed. This adds the Exchange Emergency Mitigation service. This automatically installs available mitigations and sends diagnostic data to Microsoft. Otherwise, follow this post from Microsoft with the latest information. Their mitigation advice has changed multiple times, so you’ll need to make sure you check it often for updates.

Of the 85 new patches released today, 15 are rated Critical, 69 are rated Important, and one is rated Moderate in severity. This volume is somewhat in line with what we’ve seen in previous October releases, but it does put Microsoft on track to exceed its 2021 total. If that happens, 2022 would be the second busiest year for Microsoft CVEs. One of the new CVEs released this month is listed as publicly known and one other is listed as being in the wild at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the bug under active attack:

- CVE-2022-41033 – Windows COM+ Event System Service Elevation of Privilege Vulnerability
This patch fixes a bug that Microsoft lists as being used in active attacks, although they don’t specify how broad these attacks may be. Since this is a privilege escalation bug, it is likely paired with other code execution exploits designed to take over a system. These types of attacks often involve some form of social engineering, such as enticing a user to open an attachment or browse to a malicious website. Despite near-constant anti-phishing training, especially during “Cyber Security Awareness Month”, people tend to click everything, so test and deploy this fix quickly.

- CVE-2022-37987/CVE-2022-37989 – Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability
These bugs were reported by ZDI Sr. Vulnerability Researcher Simon Zuckerbraun and pertain to the behavior of the CSRSS process when it searches for dependencies. CVE-2022-37989 is a failed patch for CVE-2022-22047, an earlier bug that saw some in-the-wild exploitation. This vulnerability results from CSRSS being too lenient in accepting input from untrusted processes. By contrast, CVE-2022-37987 is a new attack that works by deceiving CSRSS into loading dependency information from an unsecured location. We’ll publish additional details about these bugs on our blog in the future.

- CVE-2022-37968 – Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability
This vulnerability could allow an attacker to gain administrative control over Azure Arc-enabled Kubernetes clusters. Azure Stack Edge devices may also be impacted by this bug. To exploit this remotely, the attacker would need to know the randomly generated DNS endpoint for an Azure Arc-enabled Kubernetes cluster. Still, this bug receives the rare CVSS 10 rating – the highest severity rating the system allows. If you’re running these types of containers, make sure you either have auto-upgrade enabled or manually update to the latest version by running the appropriate commands in the Azure CLI.
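The paragraph above tells administrators to either enable auto-upgrade or update the Arc agents manually with the Azure CLI. The script below is an added example, not code from the ZDI post or from Microsoft: it inventories the agent version of every Arc-enabled Kubernetes cluster in a resource group and triggers a manual agent upgrade where the version is below the one you require. It assumes the Azure CLI with the connectedk8s extension is installed and logged in, that the current kubeconfig context points at each cluster being upgraded (az connectedk8s upgrade runs against the cluster), and that the resource group name and the minimum agent version are placeholders you replace with your own values and the fixed version given in Microsoft's advisory.

```powershell
# Added example (not from the ZDI post or Microsoft's documentation).
# Inventory Azure Arc-enabled Kubernetes agent versions and upgrade the ones
# that fall below a required minimum.
param(
    [string]$ResourceGroup = 'rg-arc-clusters',   # placeholder resource group name
    [version]$MinimumAgentVersion = '0.0.0'       # placeholder; use the fixed version from Microsoft's advisory
)

# az connectedk8s list emits JSON; ConvertFrom-Json turns it into objects with
# .name and .agentVersion properties.
$clusters = az connectedk8s list --resource-group $ResourceGroup --output json | ConvertFrom-Json
if (-not $clusters) {
    Write-Host "No Arc-enabled clusters found in resource group $ResourceGroup"
    return
}

foreach ($cluster in $clusters) {
    $current = [version]$cluster.agentVersion
    if ($current -lt $MinimumAgentVersion) {
        Write-Warning "$($cluster.name): agent $current is below $MinimumAgentVersion, upgrading"
        # Manual upgrade for clusters that do not have auto-upgrade enabled.
        az connectedk8s upgrade --name $cluster.name --resource-group $ResourceGroup `
            --agent-version "$MinimumAgentVersion"
    } else {
        Write-Host "$($cluster.name): agent $current meets the minimum $MinimumAgentVersion"
    }
}
```

Run it once per resource group from a machine that already holds kubeconfig access to the clusters; clusters that were onboarded with auto-upgrade enabled will normally report as current and are skipped.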

- CVE-2022-38048 – Microsoft Office Remote Code Execution Vulnerability
This bug was reported to the ZDI by the researcher known as “hades_kito” and represents a rare Critical-rated Office bug. Most Office vulnerabilities are rated Important since they involve user interaction – typically opening a file. An exception to that is when the Preview Pane is an attack vector; however, Microsoft states that isn’t the case here. Likely the rating results from the lack of warning dialogs when opening a specially crafted file. Either way, this is a use-after-free (UAF) that could lead to passing an arbitrary pointer to a free call, which makes further memory corruption possible.

Here’s the full list of CVEs released by Microsoft for October 2022:

* Indicates this CVE had previously been assigned by a 3rd-party and is now being incorporated into Microsoft products.

Looking at the rest of the Critical-rated patches, the update for Active Directory Certificate Services (ADCS) stands out the most, as successful exploitation would give the attacker domain administrator privileges. However, exploiting this would be tricky. A malicious DCOM client would need to trick a DCOM server into authenticating to it through ADCS and then use the credential to launch a cross-protocol attack. There are seven Critical-rated fixes for the Point-to-Point Tunneling Protocol (PPTP). If you’re still using this, consider migrating to a more modern (and secure) solution. There’s a fix for a guest-to-host escape in Hyper-V that could result in the attacker executing code on the root OS. In addition to the one mentioned above, there are two other Critical-rated bugs impacting Office components. Neither has a Preview Pane attack vector, so it’s not clear why the Critical rating applies. Speaking of confusing, there’s a Critical fix for SharePoint that reads identically to the Important-rated SharePoint fixes. Microsoft offers no clarity on why this bug is different.

There are only nine other fixes for remote code execution vulnerabilities, including three for SharePoint that have the same description as the Critical-rated SharePoint bugs already mentioned. There are two patches for the WDAC OLE DB provider for SQL Server and one for the ODBC Driver itself. There’s a fix for an RCE in Visual Studio Code, but no details are provided on what the attack scenario would be. That’s not the case for the GDI+ bug. An attacker would need to convince a user to browse to a malicious website or open a specially crafted file to get code execution. Finally, former Pwn2Own winner Bien Pham from Team Orca of Sea Security reported a code execution bug in the CD-ROM driver through the ZDI program. It’s an integer overflow that could lead to an out-of-bounds write on kernel heap memory. In this case, an attacker would need to convince someone to open a malicious .iso file, which does seem a bit unlikely.

A total of 39 bugs in this release are Elevation of Privilege (EoP) bugs, including those mentioned above. The majority of these require an authenticated user to run specially crafted code on an affected system, but there are a few that stand out. The first is the patch for the print spooler. While we’re certainly used to spooler updates by now, this one was reported by the National Security Agency (NSA). The EoP in the Workstation service requires privileges, but it can be reached remotely. An attacker could execute RPC functions that are normally restricted to the local client. You would also need to be authenticated to send malicious RPC calls to the DHCP service to escalate to SYSTEM. The bug in Active Directory Domain Services could allow an attacker to get domain administrator privileges, but Microsoft offers no details on how that would occur. The NuGet package manager for .NET receives a fix impacting multiple NuGet versions. The fix for Visual Studio Code contains an …uh… interesting workaround:

“Create a folder C:\ProgramData\jupyter\kernels\ and configure it to be writable only by the current user.”

It’s not clear why this prevents the attack, but Microsoft claims it will. Lastly, the EoP in the Local Security Authority (LSA) could lead to a sandbox escape.
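The workaround quoted above is unusual enough to be worth scripting rather than clicking through the Security tab. What follows is an added example, not code from the ZDI post or from Microsoft: it creates C:\ProgramData\jupyter\kernels\, cuts off the permissive inherited ACEs that ProgramData normally passes down, grants the current user full control, and then re-reads the ACL to confirm no other principal still holds a write-class right. It assumes it is run in an elevated PowerShell session as the interactive user whose VS Code installation is being hardened.

```powershell
# Added example (not from the ZDI post or Microsoft): apply the documented
# VS Code workaround of creating C:\ProgramData\jupyter\kernels\ and making it
# writable only by the current user, then verify the resulting ACL.
$KernelDir   = 'C:\ProgramData\jupyter\kernels'
$CurrentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name   # DOMAIN\user

# Create the folder (and its parent) if it does not exist yet.
New-Item -ItemType Directory -Path $KernelDir -Force | Out-Null

# Start from the existing ACL, switch off inheritance and do NOT copy the inherited
# ACEs, so the ProgramData defaults (e.g. BUILTIN\Users with write access) no longer apply.
$acl = Get-Acl -Path $KernelDir
$acl.SetAccessRuleProtection($true, $false)

# Drop any explicit ACEs that were already set on the folder.
foreach ($ace in @($acl.Access)) {
    if (-not $ace.IsInherited) { [void]$acl.RemoveAccessRule($ace) }
}

# Grant the current user full control over the folder and everything created inside it.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $CurrentUser,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
     [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $KernelDir -AclObject $acl

# Verify: re-read the ACL and flag any Allow ACE for a principal other than the
# current user that carries Write, Modify or FullControl.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl
$offenders = (Get-Acl -Path $KernelDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -ne $CurrentUser -and
    (($_.FileSystemRights -band $writeMask) -ne 0)
}
if ($offenders) {
    Write-Warning "$KernelDir is still writable by: $($offenders.IdentityReference.Value -join ', ')"
} else {
    Write-Host "$KernelDir is writable only by $CurrentUser"
}
```

The verification step is the part worth keeping in a fleet script: the folder existing is not the mitigation, the folder being unwritable to anyone else is, and an inherited Users:Modify entry left in place would silently undo it.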

The October release includes fixes for 11 information disclosure bugs, including one in Office that’s listed as publicly known. Most of the other info disclosure vulnerabilities only result in leaks consisting of unspecified memory contents. There are a couple of notable exceptions. The bug in the Web Account Manager could allow an attacker to view unbound refresh tokens issued by one cloud on a different cloud. The patches for Visual Studio Code and the Mixed Reality Developer Tools fix disclosure bugs that could allow reading from the file system. The final info disclosure bug fixed this month could allow reading from the HKLM hive of the registry which you normally would not have access to.

There are two patches for Security Features Bypass (SFB) vulnerabilities this month, and the first requires physical access. On systems with outdated USB controller hardware, a Group Policy might have silently failed, which would leave the Windows Portable Device Enumerator Service open to attacks that rely on inserting a USB storage device. The SFB bug in Active Directory Certificate Services requires a Man-in-the-Middle (MiTM) and applies to Windows Challenge/Response (NTLM) authentication.

Eight different DoS vulnerabilities are patched this month. Probably the most interesting is the DoS in TCP/IP, which could be exploited by remote, unauthenticated attackers and does not require user interaction. Microsoft states systems with IPv6 disabled aren’t affected, but IPv6 comes enabled by default on most systems these days. Microsoft provides no further details about the seven other DoS patches.
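Because Microsoft ties the TCP/IP DoS to IPv6 being enabled, the useful defender question is which hosts still have the IPv6 stack bound and have not yet received the fix. The function below is an added example, not code from the ZDI post or Microsoft: it reports per-adapter IPv6 bindings, reads the documented Tcpip6 DisabledComponents registry override, and checks for an installed hotfix. The KB identifier is a placeholder to be replaced with the number from Microsoft's advisory for the relevant CVE.

```powershell
# Added example (not from the ZDI post or Microsoft): report a Windows host's exposure
# to an IPv6-only TCP/IP issue and whether the corresponding fix is installed.
function Get-Ipv6ExposureReport {
    param(
        [string]$FixKb = 'KB0000000'   # placeholder, not a real KB number
    )

    # Per-adapter binding of the IPv6 transport; its component ID is ms_tcpip6.
    $bindings = Get-NetAdapterBinding -ComponentID 'ms_tcpip6' |
        Select-Object Name, Enabled
    $boundAdapters = @($bindings | Where-Object Enabled | Select-Object -ExpandProperty Name)

    # Registry override: Microsoft's documented DisabledComponents bitmask, where
    # 0xFF disables IPv6 on all interfaces; an absent value means IPv6 is enabled.
    $regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $disabled = (Get-ItemProperty -Path $regPath -Name 'DisabledComponents' `
                    -ErrorAction SilentlyContinue).DisabledComponents
    if ($null -eq $disabled) { $disabled = 0 }
    $ipv6OffGlobally = (($disabled -band 0xFF) -eq 0xFF)

    # Has the fix been installed? Get-HotFix returns nothing for an unknown KB.
    $patched = [bool](Get-HotFix -Id $FixKb -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        Ipv6BoundAdapters    = $boundAdapters
        Ipv6DisabledGlobally = $ipv6OffGlobally
        FixInstalled         = $patched
        # Exposed only if unpatched, IPv6 not disabled by policy, and at least one adapter bound.
        Exposed              = (-not $patched) -and (-not $ipv6OffGlobally) -and ($boundAdapters.Count -gt 0)
    }
}

Get-Ipv6ExposureReport | Format-List
```

Note that DisabledComponents only takes effect after a reboot, so a host that has the value set but has not restarted still shows adapters bound and should be treated as exposed; the Exposed field deliberately requires both conditions before reporting a host as safe.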

The October release is rounded out by five spoofing bugs, including the lone Moderate-rated fix, which addresses a spoofing vulnerability in Microsoft Edge (Chromium-based). The most interesting is the Critical-rated fix for the Windows CryptoAPI. This bug could allow an attacker to spoof an existing public x.509 certificate to authenticate or sign code as the targeted certificate. I’m sure malware authors will definitely try to use this one in the near future. There’s also a stored cross-site scripting (XSS) bug in the Service Fabric Explorer. If you’re using this, you need to ensure you are on the latest version by following these instructions. No additional details are provided about the spoofing bugs in Office or NTLM.

No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV990001.

Looking Ahead

The next Patch Tuesday falls on November 8, and we’ll return with details and patch analysis then. Be sure to catch the Patch Report webcast on our YouTube channel. It should be posted in just a few hours. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

FAQs

What is Microsoft zero day vulnerability? ›

A zero-day vulnerability is a flaw in software programming that has been discovered before a vendor or programmer has been made aware of it.

What is zero day patching process? ›

The term “Zero-Day” is used when security teams are unaware of their software vulnerability, and they've had “0” days to work on a security patch or an update to fix the issue. “Zero-Day” is commonly associated with the terms Vulnerability, Exploit, and Threat.

Is zero-day a malware? ›

Zero day malware is malware that exploits unknown and unprotected vulnerabilities. This novel malware is difficult to detect and defend against, making zero day attacks a significant threat to enterprise cybersecurity.

What is the best control against the zero-day vulnerability? ›

One of the most effective ways to prevent zero-day attacks is deploying a web application firewall (WAF) on the network edge. A WAF reviews all incoming traffic and filters out malicious inputs that might target security vulnerabilities.

What are the most recent zero-day attacks? ›

Zero-Day Attack Cyber Security

Zero-day attackers can steal data, corrupt files, take control of devices, install malware or spyware, and more. The December 2021 Log4j vulnerability that impacted Amazon Web Services, Microsoft, Cisco, Google Cloud, and IBM is just the latest serious threat.

What is zero-day cyber security? ›

"Zero-day" is a broad term that describes recently discovered security vulnerabilities that hackers can use to attack systems. The term "zero-day" refers to the fact that the vendor or developer has only just learned of the flaw – which means they have “zero days” to fix it.

What is zero-day in network security? ›

What is a zero-day vulnerability? A zero-day vulnerability is a vulnerability in a system or device that has been disclosed but is not yet patched. An exploit that attacks a zero-day vulnerability is called a zero-day exploit.

What are the risks in zero-day exploits? ›

A zero-day exploit is one of the severest malware threats. Cyber attacks can have severe consequences for businesses, as hackers can steal money, data, or intellectual property that compromises your operations. And no companies are immune.

Who are the targets for zero-day exploits? ›

Zero-day exploits typically target large organizations, government departments, firmware, hardware devices, IoT, users having access to valuable business data, etc.

What is zero-day exploit Google Chrome? ›

This security bug (CVE-2022-4262; QID 377804) is a Type Confusion vulnerability in Chrome's V8 JavaScript Engine. Google has withheld details about the vulnerability to prevent expanding its malicious exploitation and to allow users time to apply the security updates necessary on their Chrome installations.

Why are zero-day vulnerabilities so difficult to defend against? ›

The threat of a Zero-Day Exploit

Exploits are very difficult to defend against because data about the exploit is generally only available for analysis after the attack has completed its course. These attacks can take the form of polymorphic worms, viruses, Trojans, and other malware.

How many zero-day exploits are there? ›

Mandiant analyzed more than 200 zero-day vulnerabilities that we identified as exploited in the wild from 2012 to 2021. Mandiant considers a zero-day to be a vulnerability that was exploited in the wild before a patch was made publicly available.

What is an example of a zero-day exploit? ›

Strontium's spear phishing emails contained a zero-day exploit that targeted vulnerabilities in Microsoft Windows and Adobe Flash.

How many zero-day exploits in 2022? ›

Findings from GPZ reveal that out of 18 zero-day vulnerabilities used by hackers in the first six months of 2022 before a fix via a software update became available, half could have been avoided had software vendors performed more rigorous testing and created more comprehensive patches.

How many zero-day attacks in 2022? ›

Google Project Zero has observed a total of 18 exploited zero-day vulnerabilities in the first half of 2022, at least half of which exist because previous bugs were not properly addressed.

How many zero days in 2022? ›

At least 66 zero-days have been found in use this year, according to databases such as the 0-day tracking project, almost double the total for 2020, and more than in any other year on record.

Why are zero-day attacks on the rise? ›

Zero-day malware attacks are rising because cybercrime is becoming a more lucrative business, and hackers have figured out how to profit from them. Zero-day malware attacks are so named because they happen on the same day that a flaw in software is discovered.

What is the Log4j zero-day? ›

Per Nozomi Networks attack analysis, the “new zero-day vulnerability in the Apache Log4j logging utility that has been allowing easy-to-exploit remote code execution (RCE).” Attackers can use this security vulnerability in the Java logging library to insert text into log messages that load the code from a remote server ...

Why is zero-day malware a strong weapon for hackers? ›

A zero-day (or 0-day) attack is a software vulnerability exploited by attackers before the vendor has become aware of it. At that point, no patch exists, so attackers can easily exploit the vulnerability knowing that no defenses are in place. This makes zero-day vulnerabilities a severe security threat.

What is Microsoft Office zero-day? ›

Researchers over the Memorial Day holiday disclosed a zero-day vulnerability in Microsoft Office, which allows an attacker to gain remote code execution when a user downloads a malicious Word document. The vulnerability, discovered on May 27 by Nao_Sec, was dubbed “Follina” by researcher Kevin Beaumont.

What is the CVE for the Microsoft Zero Logon vulnerability? ›

Zerologon (CVE-2020-1472) is a critical vulnerability that affects Windows servers. Given certain circumstances, this vulnerability can allow an attacker to bypass authentication and then gain administrator-level privileges in a matter of seconds.

Is Microsoft Office being phased out? ›

Is Office going away entirely? No, as part of Microsoft 365 you will continue to get access to apps like Word, Excel, PowerPoint and Outlook. We will also continue to offer one-time purchases of those apps to consumers and businesses via Office 2021 and Office LTSC plans.

Can I use Microsoft Office without paying? ›

The good news is if you don't need the full suite of Microsoft 365 tools, you can access a number of its apps online for free -- including Word, Excel, PowerPoint, OneDrive, Outlook, Calendar and Skype. Here's how to get them: 1. Go to Office.com.

How can I get Microsoft Office for free without paying? ›

How to get Microsoft Office suite free if you're anyone else
  1. Go to Office.com.
  2. Click Sign up for the free version of Office under the "Sign in" button.
  3. Log in to your Microsoft account or create one for free. ...
  4. Select the app you want to use, and save your work in the cloud with OneDrive.

What are the latest zero-day vulnerabilities? ›

What are the four new Windows zero-days? CVE-2022-41073 is a Windows print spooler elevation of privilege vulnerability which could enable an attacker to gain system privileges. Most every version of Windows and Windows Server are impacted by this actively exploited issue.

How many zero-day attacks are there? ›

In 2021, the Mandiant report found 80 zero-days exploited, which more than doubled the previous record set in 2019. The primary actors exploiting these vulnerabilities continue to be.

Should I be worried about Log4j vulnerability? ›

Much software uses logs for development and security purposes. Log4j is a part of this logging process. Hence, it is highly possible that the vulnerability could affect millions and millions of victims. Individuals as well as organisations are affected by this.

What devices are affected by Log4j? ›

Top 10 Impacted Vendors
  • Adobe. Adobe found that ColdFusion 2021 is subject to Log4Shell and released a security update to address the problem on December 14. ...
  • Cisco. ...
  • F-Secure. ...
  • Fortinet. ...
  • FortiGuard. ...
  • IBM. ...
  • Okta. ...
  • VMware.
Feb 15, 2022

How does Log4j affect me? ›

The Log4j exploit, also known as the Log4Shell vulnerability, allows threat actors to take control of web-facing servers by feeding them a malicious text string.

Has Zerologon been patched? ›

As promised, Microsoft completed its two-phase rollout to address Zerologon in the February 2021 Patch Tuesday release.

Is Log4Shell zero-day vulnerability? ›

Log4Shell (CVE-2021-44228) was a zero-day vulnerability in Log4j, a popular Java logging framework, involving arbitrary code execution.

Do hackers use CVE? ›

Yes, hackers can use CVE to attack your organization. While it works to your benefit to identify vulnerabilities, hackers are also on the lookout for which of these vulnerabilities they can exploit.
