Microsoft released fixes for a Windows zero-day and a publicly disclosed vulnerability on October Patch Tuesday. But security updates for two Exchange Server zero-days discovered last month are still in limbo.
In total, Microsoft addressed 89 unique CVEs this month with five of the security updates rereleased from August to address issues affecting Exchange Server functionality. Thirteen of the October Patch Tuesday security updates were rated critical.
Windows zero-day tops the patching priority list
The Windows zero-day is an elevation-of-privilege vulnerability (CVE-2022-41033) in the Windows COM+ Event System service that is rated important. This bug does not require user interaction, and successfully exploiting the vulnerability gives the attacker system privileges.
This zero-day affects every supported Windows OS, including Windows 7 and Windows Server 2008/R2 in the Extended Security Updates program, which should provide extra incentive for administrators to deploy the October Patch Tuesday fixes promptly.
"It's only rated important, but because it's been exploited in the wild, there's a higher risk associated with it. People should be prioritizing this more urgently," said Chris Goettl, vice president of product management for security products at Ivanti, an IT asset and endpoint management company.
Outlook for Mac public disclosure resolved
The public disclosure is a Microsoft Office information disclosure vulnerability (CVE-2022-41043) rated important for two products running on macOS: Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021. This bug specifically affects Outlook for Mac, and Microsoft stipulated the preview pane was not an attack vector for the vulnerability. Upon a successful exploit of this flaw, an attacker could retrieve user tokens or other sensitive information. The Common Vulnerability Scoring System (CVSS) rating is relatively low at 3.3, which indicates the danger is minimal.
"While it was publicly disclosed, the code maturity is still listed as unproven, so there are no real samples of exploit code available," Goettl said. "While the public disclosure definitely points to a problem, a threat actor will not have a workable sample to start building off of right away."
Exchange Server zero-days remain unpatched
Other than its earlier mitigation instructions for two Exchange Server zero-days, Microsoft had no further relief for administrators who had to act quickly after a Sept. 29 blog by the Microsoft Security Response Center indicated the on-premises email platform was under attack.
The company disclosed an Exchange Server elevation-of-privilege vulnerability (CVE-2022-41040) and an Exchange Server remote code execution vulnerability (CVE-2022-41082) -- security researcher Kevin Beaumont dubbed the pair ProxyNotShell -- and issued guidance to protect Microsoft Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019. Microsoft indicated an attacker would need to be authenticated to exploit either Exchange zero-day.
On October Patch Tuesday, Microsoft distributed its October Exchange Server security updates but indicated the two zero-day flaws were not addressed in the release. The company had no timetable for the zero-day patches, saying they would be available when they were ready.
Microsoft released a URL Rewrite rule mitigation for CVE-2022-41040 and advised customers to disable remote PowerShell for any user who was not an administrator to stop attacks based on the CVE-2022-41082 vulnerability.
Microsoft issued several updates to the URL Rewrite rule mitigation to stop specific attack patterns. Customers who enabled the Exchange Emergency Mitigation Service -- available after installing the September 2021 cumulative update or later on Exchange Server 2016 or Exchange Server 2019 -- or used a Microsoft utility called the Exchange On-premises Mitigation Tool v2 got these defensive changes automatically. Without these measures in place, administrators would need to update the rewrite rule manually in IIS Manager on the Exchange Server.
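The two interim mitigations described above can be audited from the Exchange Management Shell. The script below is an added example, not code from the article or from Microsoft's guidance; it assumes the WebAdministration module is present on the Exchange server and treats membership in the Organization Management role group as the definition of "administrator" (an assumption to adjust for your own environment).

```powershell
# Added example (not from the article or Microsoft's guidance): audit helpers for the
# interim ProxyNotShell mitigations. Run from the Exchange Management Shell on the
# Exchange server. Assumes the WebAdministration module is installed and that "admin"
# means membership in the Organization Management role group (an assumption).

Import-Module WebAdministration

# Step 1: list the URL Rewrite rules on the Default Web Site so the CVE-2022-41040 rule
# can be compared against the version currently published by Microsoft (the rule was
# revised several times, so the pattern is not hardcoded here).
function Get-ExchangeRewriteRules {
    $rules = Get-WebConfiguration -Filter 'system.webServer/rewrite/rules/rule' `
                                  -PSPath 'IIS:\Sites\Default Web Site'
    foreach ($rule in $rules) {
        [pscustomobject]@{
            Name    = $rule.name
            Pattern = $rule.match.url
            Action  = $rule.action.type
        }
    }
}

# Step 2: find non-admin users who still have remote PowerShell enabled (the
# CVE-2022-41082 mitigation) and, unless -ReportOnly is given, disable it for them.
function Disable-NonAdminRemotePowerShell {
    param([switch]$ReportOnly)

    # Members of Organization Management keep remote PowerShell; note that nested
    # groups are not expanded here.
    $admins = Get-RoleGroupMember -Identity 'Organization Management' |
              ForEach-Object { $_.DistinguishedName }

    $targets = Get-User -ResultSize Unlimited |
               Where-Object { $_.RemotePowerShellEnabled -and
                              ($admins -notcontains $_.DistinguishedName) }

    foreach ($user in $targets) {
        if ($ReportOnly) {
            Write-Output "Would disable remote PowerShell for $($user.Identity)"
        } else {
            Set-User -Identity $user.Identity -RemotePowerShellEnabled $false
            Write-Output "Disabled remote PowerShell for $($user.Identity)"
        }
    }
}

Get-ExchangeRewriteRules | Format-Table -AutoSize
Disable-NonAdminRemotePowerShell -ReportOnly
```

Run with -ReportOnly first and review the list, since disabling remote PowerShell also blocks legitimate scripted access for service accounts that are not in the admin role group.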
Also related to Exchange Server, Microsoft reissued five CVEs from August Patch Tuesday (CVE-2022-21979, CVE-2022-21980, CVE-2022-24516, CVE-2022-24477 and CVE-2022-30134) to correct problems with Outlook probes. According to the company, the issues stem from the Windows Extended Protection feature that was introduced with the August Exchange Server security updates. Due to the effort involved with Exchange patching and the risk of inadvertent email downtime, some customers might want to hold off installing the October Exchange security updates.
"Unless the Outlook probe functionality is critical for you for some reason, then it's probably best to wait for the zero-day fixes to come, which I suspect will be released out-of-band rather than in another month," Goettl said.
Other security updates of note for October Patch Tuesday
An elevation-of-privilege vulnerability (CVE-2022-37968) rated critical in the cluster connect feature of Azure Arc-enabled Kubernetes clusters has the highest possible CVSS rating of 10. An attacker who finds the randomly generated external DNS endpoint for the cluster and successfully exploits this flaw could get administrative control over the Kubernetes cluster. Customers will want to either follow the mitigation guidance for manual updates or use the automatic upgrade option to receive the fix.
Three vulnerabilities in Active Directory will warrant prompt administrative attention due to the importance of this identity and access management product. CVE-2022-37976 is a critical elevation-of-privilege flaw in the Active Directory Certificate Services with a CVSS rating of 8.8. CVE-2022-37978 is a security-feature bypass bug rated important in Active Directory Certificate Services. CVE-2022-38042 is an elevation-of-privilege vulnerability rated important in Active Directory Domain Services.
A successful exploit of CVE-2022-37978 would require the threat actor to already be on the network to execute a man-in-the-middle attack. Microsoft indicated a successful exploit of either elevation-of-privilege vulnerability could give the attacker domain administrator privileges.