Cookie Consent by Free Privacy Policy Generator website The September 2022 Security Update Review u

Portal Nachrichten

628 FEEDS: viele neue ai feets und Windows Tipps und Tricks. Diverse caching Probleme. 3.12.22.


➠ The September 2022 Security Update Review

Another Patch Tuesday is upon, and Adobe and Microsoft have released a bevy of new security updates. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for September 2022

 For September, Adobe released seven patches addressing 63 in Adobe Experience Manager, Bridge, InDesign, Photoshop, InCopy, Animate, and Illustrator. A total of 42 of these bugs were reported by ZDI Sr Vulnerability Researcher Mat Powell. The update for InDesign is the largest patch this month, with eight Critical-rated and 10 Important-rated vulnerabilities receiving fixes. The most severe of these could lead to code execution if a specially crafted file is opened on an affected system. The patch for Photoshop fixes 10 CVEs, nine of which are rated Critical. Again, an attacker can get code execution if they can convince a user to open a malicious file. The fix for InCopy fixes five similar code execution bugs and two info disclosure bugs. Adobe Animate also receives patches for two Critical-rated code execution bugs.

The update for Adobe Bridge corrects 10 Critical-rated code execution bugs and two Important-rated info disclosure bugs. One of the three Illustrator vulnerabilities getting patched could also lead to code execution. As with the bugs previously mentioned, a user would need to open a malicious file with an affected software version. Finally, the patch for Adobe Experience Manager addresses 11 Important-rated bugs, primarily of the cross-site scripting (XSS) variety.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Apple Patches for September 2022

Yesterday, Apple released updates for iOS, iPadOS, macOS, and Safari. They also released updates for watchOS and tvOS but provided no details on any of the fixes included in these patches. Two of the bugs patched by Apple were identified as being under active exploit. The first is a kernel bug (CVE-2022-32917) resulting from improper bounds checking. It affects iOS 15 and iPadOS 15, macOS Big Sur, and macOS Monterey. Interestingly, this CVE is also listed in the advisory for iOS 16, but it is not called out as being under active exploit for that flavor of the OS. The Big Sur version of macOS also includes a fix for an Out-of-Bounds (OOB) Write bug in the kernel (CVE-2022-32894) that’s also listed as under active attack. One final note: Apple states in its iOS 16 advisory that “Additional CVE entries to be added soon.” It is possible other bugs could also impact this version of the OS. Either way, it’s time to update your Apple devices.

Microsoft Patches for September 2022

This month, Microsoft released 64 new patches addressing CVEs in Microsoft Windows and Windows Components; Azure and Azure Arc; .NET and Visual Studio and .NET Framework; Microsoft Edge (Chromium-based); Office and Office Components; Windows Defender; and Linux Kernel (really). This is in addition to the 15 CVEs patched in Microsoft Edge (Chromium-based) and one patch for side-channel speculation in Arm processors. That brings the total number of CVEs to 79. Five of these CVEs were submitted through the ZDI program.

The volume of fixes released this month is about half of what we saw in August, but it is in line with the volume of patches from previous September releases. For whatever reason, the last quarter of the calendar year tends to have fewer patches released. We’ll see if that trend continues in 2022.

Of the 64 new CVEs released today, five are rated Critical, 57 are rated Important, one is rated Moderate, and one is rated Low in severity. One of these new CVEs is listed as publicly known and under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the CLFS bug under active attack:

-       CVE-2022-37969 - Windows Common Log File System Driver Elevation of Privilege Vulnerability
This bug in the Common Log File System (CLFS) allows an authenticated attacker to execute code with elevated privileges. Bugs of this nature are often wrapped into some form of social engineering attack, such as convincing someone to open a file or click a link. Once they do, additional code executes with elevated privileges to take over a system. Usually, we get little information on how widespread an exploit may be used. However, Microsoft credits four different agencies reporting this bug, so it’s likely beyond just targeted attacks.

-       CVE-2022-34718 - Windows TCP/IP Remote Code Execution Vulnerability
This Critical-rated bug could allow a remote, unauthenticated attacker to execute code with elevated privileges on affected systems without user interaction. That officially puts it into the “wormable” category and earns it a CVSS rating of 9.8. However, only systems with IPv6 enabled and IPSec configured are vulnerable. While good news for some, if you’re using IPv6 (as many are), you’re probably running IPSec as well. Definitely test and deploy this update quickly.

-       CVE-2022-34724 - Windows DNS Server Denial of Service Vulnerability
This bug is only rated Important since there’s no chance of code execution, but you should probably treat it as Critical due to its potential impact. A remote, unauthenticated attacker could create a denial-of-service (DoS) condition on your DNS server. It’s not clear if the DoS just kills the DNS service or the whole system. Shutting down DNS is always bad, but with so many resources in the cloud, a loss of DNS pointing the way to those resources could be catastrophic for many enterprises.

-       CVE-2022-3075 - Chromium: CVE-2022-3075 Insufficient data validation in Mojo
This patch was released by the Google Chrome team back on September 2, so this is more of an “in case you missed it.” This vulnerability allows code execution on affected Chromium-based browsers (like Edge) and has been detected in the wild. This is the sixth Chrome exploit detected in the wild this year. The trend shows the near-ubiquitous browser platform has become a popular target for attackers. Make sure to update all of your systems based on Chromium.

Here’s the full list of CVEs released by Microsoft for September 2022:

CVE Title Severity CVSS Public Exploited Type
CVE-2022-37969 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 Yes Yes EoP
CVE-2022-23960 * Arm: CVE-2022-23960 Cache Speculation Restriction Vulnerability Important N/A Yes No Info
CVE-2022-34700 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2022-35805 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2022-34721 Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2022-34722 Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2022-34718 Windows TCP/IP Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2022-38013 .NET Core and Visual Studio Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-26929 .NET Framework Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-38019 AV1 Video Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-38007 Azure Guest Configuration and Azure Arc-enabled servers Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-37954 DirectX Graphics Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-35838 HTTP V3 Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-35828 Microsoft Defender for Endpoint for Mac Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-34726 Microsoft ODBC Driver Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-34727 Microsoft ODBC Driver Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-34730 Microsoft ODBC Driver Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-34732 Microsoft ODBC Driver Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-34734 Microsoft ODBC Driver Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-37963 Microsoft Office Visio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-38010 Microsoft Office Visio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-34731 Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-34733 Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-35834 Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-35835 Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-35836 Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-35840 Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-37962 Microsoft PowerPoint Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-35823 Microsoft SharePoint Remote Code Execution Vulnerability Important 8.1 No No RCE
CVE-2022-37961 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-38008 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-38009 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-37959 Network Device Enrollment Service (NDES) Security Feature Bypass Vulnerability Important 6.5 No No SFB
CVE-2022-38011 Raw Image Extension Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2022-35830 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.1 No No RCE
CVE-2022-37958 SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2022-38020 Visual Studio Code Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2022-34725 Windows ALPC Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-35803 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-30170 Windows Credential Roaming Service Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2022-34719 Windows Distributed File System (DFS) Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-34724 Windows DNS Server Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-34723 Windows DPAPI (Data Protection Application Programming Interface) Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-35841 Windows Enterprise App Management Service Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-35832 Windows Event Tracing Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2022-38004 Windows Fax Service Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-34729 Windows GDI Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-38006 Windows Graphics Component Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2022-34728 Windows Graphics Component Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-35837 Windows Graphics Component Information Disclosure Vulnerability Important 5 No No Info
CVE-2022-37955 Windows Group Policy Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-34720 Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-33647 Windows Kerberos Elevation of Privilege Vulnerability Important 8.1 No No EoP
CVE-2022-33679 Windows Kerberos Elevation of Privilege Vulnerability Important 8.1 No No EoP
CVE-2022-37956 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-37957 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-37964 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-30200 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-26928 Windows Photo Import API Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-38005 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-35831 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-30196 Windows Secure Channel Denial of Service Vulnerability Important 8.2 No No DoS
CVE-2022-35833 Windows Secure Channel Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-38012 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Low 7.7 No No RCE
CVE-2022-3038 * Chromium: CVE-2022-3038 Use after free in Network Service Critical N/A No No RCE
CVE-2022-3075 * Chromium: CVE-2022-3075 Insufficient data validation in Mojo High N/A No Yes RCE
CVE-2022-3039 * Chromium: CVE-2022-3039 Use after free in WebSQL High N/A No No RCE
CVE-2022-3040 * Chromium: CVE-2022-3040 Use after free in Layout High N/A No No RCE
CVE-2022-3041 * Chromium: CVE-2022-3041 Use after free in WebSQL High N/A No No RCE
CVE-2022-3044 * Chromium: CVE-2022-3044 Inappropriate implementation in Site Isolation High N/A No No N/A
CVE-2022-3045 * Chromium: CVE-2022-3045 Insufficient validation of untrusted input in V8 High N/A No No RCE
CVE-2022-3046 * Chromium: CVE-2022-3046 Use after free in Browser Tag High N/A No No RCE
CVE-2022-3047 * Chromium: CVE-2022-3047 Insufficient policy enforcement in Extensions API Medium N/A No No SFB
CVE-2022-3053 * Chromium: CVE-2022-3053 Inappropriate implementation in Pointer Lock Medium N/A No No N/A
CVE-2022-3054 * Chromium: CVE-2022-3054 Insufficient policy enforcement in DevTools Medium N/A No No SFB
CVE-2022-3055 * Chromium: CVE-2022-3055 Use after free in Passwords Medium N/A No No RCE
CVE-2022-3056 * Chromium: CVE-2022-3056 Insufficient policy enforcement in Content Security Policy Low N/A No No SFB
CVE-2022-3057 * Chromium: CVE-2022-3057 Inappropriate implementation in iframe Sandbox Low N/A No No EoP
CVE-2022-3058 * Chromium: CVE-2022-3058 Use after free in Sign-In Flow Low N/A No No RCE

* Indicates this CVE had previously been assigned by a 3rd-party and is now being incorporated into Microsoft products.

Checking the remaining Critical-rated updates, there are two for Windows Internet Key Exchange (IKE) Protocol Extensions that could also be classified as “wormable.” For both bugs, only systems running IPSec are affected. There are also two Critical-rated vulnerabilities in Dynamics 365 (On-Premises) that could allow an authenticated user to perform SQL injection attacks and execute commands as db_owner within their Dynamics 356 database.

Moving on to other code execution bugs, more than half of this month’s release involves some form of remote code execution. Of these, the patches for SharePoint stand out. Microsoft recently detailed how a SharePoint bug was used by Iranian threat actors against the Albanian government, resulting in Albania breaking off diplomatic relations with Iran. Those attacks involved a SharePoint bug we had previously blogged about. These new SharePoint cases do require authentication, but they sound very similar to other SharePoint bugs that came through the ZDI program. There are six RCE bugs in OLE DB Provider for SQL Server, but they require user interaction. A threat actor would need a user on an affected system to connect to a malicious SQL server via OLEDB, which could result in the target server receiving a malicious packet, resulting in code execution. There are five RCE bugs in the ODBC driver that also require user interaction. For these, opening a malicious MDB in Access would get code execution, similar to the other open-and-own bugs in Office components. The bug in LDAP also requires user interaction, but no other information about the exploit scenario is given.

The bug in the Enterprise App Management component requires authentication, but it’s still intriguing. An attacker could use the vulnerability to install arbitrary SYSTEM services that would then run with SYSTEM privileges. I could definitely see this bug being used after an initial breach for lateral movement and to maintain a presence on a target network. The RPC bug also looks interesting, but it’s likely not as practical since an attacker would need to spoof the localhost IP address of the target. There’s an RCE bug in .NET, but no information besides the requirement for user interaction is given. Finally, there are updates for the AV1 video extension and the Raw image extension. Both updates are delivered automatically through the Microsoft store. If you’re in a disconnected environment, you’ll need to apply these updates manually.

There are a total of 19 elevation of privilege (EoP) fixes in this month’s release, including the aforementioned patch for CLFS. Many of these require an authenticated user to run specially crafted code on an affected system. The bug in Windows Defender for Mac fits this description, as do the kernel-related patches. However, there are a couple of interesting bugs that don’t fit this profile. The first of these is a bug in the Credential Roaming Service that could allow attackers to gain remote interactive logon rights on a machine. There are two bugs in Kerberos that could lead to SYSTEM, but both have many caveats, so exploitation is unlikely. The EoP in Azure Guest Configuration and Arc-Enabled servers is fascinating for multiple reasons. A threat actor could use this vulnerability to replace Microsoft-shipped code with their own code, which would then be run as root in the context of a Guest Configuration daemon. On an Azure Arc-enabled server, it could run in the context of the GC Arc Service or Extension Service daemons. While this is interesting on its own, the mere fact that Microsoft is producing patches for the Linux kernel boggles the mind. And, of course, it wouldn’t be a monthly update if it didn’t include a patch for the print spooler.

The September release includes six patches for information disclosure vulnerabilities. For the most part, these only result in leaks consisting of unspecified memory contents. One exception is the bug impacting the Data Protection Application Programming Interface (DPAPI). If you aren’t familiar with it, DPAPI allows you to encrypt data using information from the current user account or computer. The bug patched this month could allow an attacker to view the DPAPI master key. The vulnerability in the Windows graphics component could leak metafile memory values, although it’s not clear what an attacker could do with this information.

Seven different DoS vulnerabilities are patched this month, including the DNS bug previously mentioned above. Two bugs in secure channel would allow an attacker to crash a TLS by sending specially crafted packets. There’s a DoS in IKE, but unlike the code execution bugs listed above, no IPSec requirements are listed here. If you’re running newer OSes with the latest features, don’t miss the fix for an HTTP DoS. The system needs HTTP/3 enabled and the server using buffered I/O to be affected. HTTP/3 is a new feature in Windows Server 2022, so in this rare instance, older is better.

The September release includes a fix for a lone security feature bypass in Network Device Enrollment (NDES) Service. An attacker could bypass the service’s cryptographic service provider.

The Low-rated bug is a sandbox escape in Microsoft Edge (Chromium-based) that requires user interaction. However, the CVSS for this bug is 7.7, which Mitre classifies as “High.” Microsoft claims the user interaction involved justifies the Low rating, but I would still treat this as an important update and not delay the rollout.

No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV990001.

Looking Ahead

The next Patch Tuesday falls on October 11, and we’ll return with details and patch analysis then. Don’t forget - I’ll be premiering the Patch Report webcast tomorrow on our YouTube channel at 9:00 am Central time. I hope you’re able to tune in and check it out. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

...

➦ Hacking ☆ thezdi.com

➠ Komplette Nachricht lesen


Zur Startseite

➤ Ähnliche Beiträge für 'The September 2022 Security Update Review'

The April 2022 Security Update Review

vom 672.9 Punkte
Another Patch Tuesday is upon, and Adobe and Microsoft have released a bevy of new security updates. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.Adobe Patches for April 2022For April, Ad

The August 2022 Security Update Review

vom 652.99 Punkte
It’s the second Tuesday of the month, and the last second Tuesday before Black Hat and DEFCON, which means Microsoft and Adobe have released their latest security fixes. Take a break from packing (if you’re headed to hacker summer camp) or your nor

The October 2022 Security Update Review

vom 466.51 Punkte
Another Patch Tuesday is here, and Adobe and Microsoft have released their latest crop of new security updates and fixes. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.Adobe Patches for

The March 2022 Security Update Review

vom 463.9 Punkte
It’s once again Patch Tuesday, which means the latest security updates from Adobe and Microsoft have arrived. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.Adobe Patches for

The September 2022 Security Update Review

vom 431.22 Punkte
Another Patch Tuesday is upon, and Adobe and Microsoft have released a bevy of new security updates. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.Adobe Patches for September 2022 For Sep

The July 2022 Security Update Review

vom 403.55 Punkte
It’s once again Patch Tuesday, which means the latest security updates from Adobe and Microsoft have arrived. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.Adobe Patches for

CentOS Blog: CentOS Community newsletter, October 2019 (#1910)

vom 395.86 Punkte
Dear CentOS enthusiast, If you'd like to help out with the process of putting together the newsletter, please see the Contributing section at the end. We're always looking for help! IN THIS EDITION: Releases and updates Events Contributing to the n

The February 2022 Security Update Review

vom 365.45 Punkte
It’s the second patch Tuesday of 2022, which means the latest security updates from Adobe and Microsoft are here. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.Adobe Patches for

The May 2022 Security Update Review

vom 360.24 Punkte
It’s the fifth second Tuesday of 2022, which also means it’s the also the fifth Patch Tuesday of the year, and it brings with it the latest security updates from Adobe and Microsoft. This is also the last release before Pwn2Own Vancouver, which means multiple participants will be holding their breath to see if their ex

The May 2022 Security Update Review

vom 360.24 Punkte
It’s the fifth second Tuesday of 2022, which also means it’s the also the fifth Patch Tuesday of the year, and it brings with it the latest security updates from Adobe and Microsoft. This is also the last release before Pwn2Own Vancouver, which means multiple participants will be holding their breath to see if their ex

The November 2022 Security Update Review

vom 346.42 Punkte
Welcome to the penultimate Patch Tuesday of 2021. As expected, Adobe and Microsoft have released their latest security updates and fixes to the world. Take a break from your regularly scheduled activities and join us as we review the details of their la

The June 2022 Security Update Review

vom 332.42 Punkte
It’s once again Patch Tuesday, which means the latest security updates from Adobe and Microsoft have arrived. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.Adobe Patches for

Team Security Diskussion über The September 2022 Security Update Review