84 vulnerabilities in Microsoft October Patch Tuesday Security bulletin

Microsoft has just released the security bulletin for October’s ‘Patch Tuesday’. The bulletin details 84 vulnerabilities.

Out of these 84 vulnerabilities there are:

  • 13 CRITICAL vulnerabilities
  • 2 zero-day threats
  • 14 vulnerabilities that are ‘more likely to be exploited’.

We focus our attention on the zero-day threats for the month of October 2022.

Zero-day threats in the October security update:

CVE-2022-41033 – Windows COM+ Event System Service Elevation of Privilege Vulnerability

This is a CVSS 7.8 vulnerability with an ‘IMPORTANT’ severity rating. It affects Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10 (all versions) and Windows 11 (all versions). The corresponding ‘Server Core’ installation editions are also affected by this vulnerability.

A successful attack could give the attacker SYSTEM privileges.

CVE-2022-41033 is already being exploited. Installing the October security updates provides protection against this ‘EoP’ or ‘Elevation of Privilege’ attack.

CVE-2022-30134 – Microsoft Exchange Information Disclosure Vulnerability

This is a CVSS 6.5 vulnerability with an ‘IMPORTANT’ severity level. CVE-2022-30134 affects the following Microsoft Exchange versions:

  • Microsoft Exchange Server 2019 Cumulative update 11
  • Microsoft Exchange Server 2019 Cumulative update 12
  • Microsoft Exchange Server 2016 Cumulative update 22
  • Microsoft Exchange Server 2016 Cumulative update 23
  • Microsoft Exchange Server 2013 Cumulative update 23

Any authenticated user can exploit this vulnerability to read emails on the Exchange server, resulting in an ‘information disclosure’ impact.

More details about the Exchange Server vulnerability can be found on the Exchange server blog on this page.

CRITICAL vulnerabilities in October Security updates

The following 13 vulnerabilities have CRITICAL severity levels.

| Vulnerability | CVSS Rating | Comments |
|---|---|---|
| CVE-2022-22035 | 8.1 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability |
| CVE-2022-30198 | 8.1 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability |
| CVE-2022-34689 | 7.5 | Windows CryptoAPI Spoofing Vulnerability |
| CVE-2022-37976 | 7.8 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
| CVE-2022-33634 | 8.1 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability |
| CVE-2022-24504 | 8.1 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability |
| CVE-2022-37979 | 7.8 | Windows Hyper-V Elevation of Privilege Vulnerability |
| CVE-2022-37968 | 10 | Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability |
| CVE-2022-41081 | 8.1 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability |
| CVE-2022-41038 | 8.8 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| CVE-2022-38000 | 8.1 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability |
| CVE-2022-38048 | 7.8 | Microsoft Office Remote Code Execution Vulnerability |
| CVE-2022-38047 | 8.1 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability |

Table: October 2022 Patch Tuesday Vulnerabilities

Of these vulnerabilities, the Azure Arc-enabled Kubernetes vulnerability (CVE-2022-37968) has a CVSS score of 10 and needs immediate patching for Kubernetes clusters on the Microsoft Azure cloud platform.

Apart from the above-stated zero-day threats and CRITICAL vulnerabilities, the following vulnerabilities have a high chance of being exploited:

  • CVE-2022-38053 – Microsoft SharePoint Server Remote Code Execution Vulnerability
  • CVE-2022-38051 – Windows Graphics Component Elevation of Privilege Vulnerability
  • CVE-2022-38050 – Win32k Elevation of Privilege Vulnerability
  • CVE-2022-38028 – Windows Print Spooler Elevation of Privilege Vulnerability
  • CVE-2022-37997 – Windows Graphics Component Elevation of Privilege Vulnerability
  • CVE-2022-37989 – Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability
  • CVE-2022-37987 – Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability
  • CVE-2022-37974 – Windows Mixed Reality Developer Tools Information Disclosure Vulnerability
  • CVE-2022-37970 – Windows DWM Core Library Elevation of Privilege Vulnerability
  • CVE-2022-34689 – Windows CryptoAPI Spoofing Vulnerability
  • CVE-2022-24516 – Microsoft Exchange Server Elevation of Privilege Vulnerability
  • CVE-2022-24477 – Microsoft Exchange Server Elevation of Privilege Vulnerability
  • CVE-2022-21980 – Microsoft Exchange Server Elevation of Privilege Vulnerability

Some of these vulnerabilities were detected in the past. However, all of them have received fresh updates as part of the October 11 ‘Patch Tuesday’ updates.

Most of these security issues can be resolved by installing this month’s latest cumulative updates or the latest security updates on the Windows servers and workstations.