In this issue, you will learn about patches for:
- Most serious Microsoft vulnerabilities
- Windows Common Log File System Driver Elevation of Privilege Vulnerability
- Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability (2 CVEs)
- Windows TCP/IP Remote Code Execution Vulnerability
- Microsoft ODBC Driver Remote Code Execution Vulnerability (5 CVEs)
- Microsoft Defender false ransomware alert
- Microsoft Edge vulnerabilities
- Google Chrome vulnerabilities
- Mozilla Firefox
September Patch Tuesday includes 63 fixed vulnerabilities from Microsoft, the fewest this year and almost 50% fewer than the August release. There are patches for 5 critical vulnerabilities (70% fewer); two of them are zero-days: one that affects the Windows ARM architecture and one that is being actively exploited in the wild. Here are details on the exploited zero-day and on the critical updates that need your attention.
Windows Common Log File System Driver Elevation of Privilege Vulnerability
The actively exploited zero-day vulnerability, CVE-2022-37969 or Windows Common Log File System Driver Elevation of Privilege Vulnerability, has a CVSS score of 7.8. This is not the highest possible score because the vulnerability can be exploited only locally: an attacker must already have access to a system and the ability to run code there. An attacker who successfully exploits this vulnerability could gain SYSTEM privileges. No other technical details are available, but since the vulnerability has low complexity and requires no user interaction, an exploit will likely soon be in the arsenal of both white hats and black hats. It is recommended that you deploy the patch as soon as possible.
Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability (2 CVEs)
CVE-2022-34722 and CVE-2022-34721 are both called Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability and both have a CVSS score of 9.8, making them critical vulnerabilities. Both have low exploitation complexity and allow threat actors to perform the attack with no user interaction. An unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPsec enabled, which could enable remote code execution. This vulnerability impacts only IKEv1 and not IKEv2; however, all Windows Servers are affected because they accept both v1 and v2 packets. No exploit or PoC has been detected in the wild yet; however, installing the fix promptly is highly advisable.
Windows TCP/IP Remote Code Execution Vulnerability
Windows TCP/IP Remote Code Execution Vulnerability, tracked as CVE-2022-34724, is a critical vulnerability that is more likely than the previous ones to be exploited. It is a network attack with low complexity, but it affects only systems that are running the IPsec service, so if a system doesn't need the IPsec service, disable it as soon as possible. The attack succeeds when an adversary sends a specially crafted IPv6 packet to a Windows node where IPsec is enabled, resulting in remote code execution (RCE). This vulnerability can be exploited in supply chain attacks where contractor and customer networks are connected by an IPsec tunnel. If you have IPsec tunnels in your Windows infrastructure, this update is a must-have.
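The IKE and TCP/IP sections above both hinge on whether a host actually has IPsec in use. The following inventory script is an added example, not part of the original bulletin or any Microsoft tooling; it assumes an elevated PowerShell session on Windows 10/11 or Windows Server with the built-in NetSecurity module, only reports, and leaves the service-disabling lines commented out because IKEEXT is also needed by L2TP/IPsec and IKEv2 VPN clients.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the bulletin): inventory IPsec/IKE exposure on this host.

function Get-IpsecExposure {
    # IKEEXT is the "IKE and AuthIP IPsec Keying Modules" service that handles IKEv1/IKEv2
    $ike = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue

    # Active IPsec (connection security) rules and any negotiated main-mode SAs
    $rules = @(Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue)
    $sas   = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue)

    # CVE-2022-34724 is triggered by a crafted IPv6 packet, so list adapters with IPv6 bound
    $v6 = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue |
            Where-Object Enabled)

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        IkeServiceStatus = if ($ike) { "$($ike.Status)/$($ike.StartType)" } else { 'not present' }
        IpsecRuleCount   = $rules.Count
        MainModeSACount  = $sas.Count
        IPv6Adapters     = ($v6.Name -join ', ')
        # Heuristic: IPsec is "in use" if rules exist or SAs have been negotiated
        IpsecInUse       = ($rules.Count -gt 0 -or $sas.Count -gt 0)
    }
}

$report = Get-IpsecExposure
$report | Format-List

if ($report.IkeServiceStatus -like 'Running*' -and -not $report.IpsecInUse) {
    Write-Warning "IKEEXT is running but no IPsec rules or SAs were found; consider disabling it."
    Write-Warning "Caveat: IKEEXT is also required by L2TP/IPsec and IKEv2 VPN connections on this host."
    # To disable after confirming nothing depends on it:
    # Stop-Service -Name IKEEXT
    # Set-Service  -Name IKEEXT -StartupType Disabled
}
```

Hosts that report IpsecInUse as true are the ones where the IKE and TCP/IP patches cannot be deferred; the report is a prioritisation aid, not a substitute for installing them.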
Microsoft ODBC Driver Remote Code Execution Vulnerability (5 CVEs)
Five CVEs are related to ODBC Driver RCE: CVE-2022-34727, CVE-2022-34730, CVE-2022-34734, CVE-2022-34732 and CVE-2022-34726. It is a network attack with a CVSS score of 8.8. It is a low-complexity vulnerability to exploit, but it requires user interaction. An attacker could exploit the vulnerability by tricking an authenticated user into opening a malicious MDB file in Microsoft Access via ODBC, which could result in the attacker being able to execute arbitrary code on the victim's machine with the permission level at which the database is running. It is relevant not only for companies that use MS Access to store confidential data: if your SQL or Oracle database uses the ODBC interface, your data is also vulnerable, so installing the update is required.
Microsoft Defender false ransomware alert
After an update at the beginning of September, Microsoft Defender began identifying Google Chrome, Microsoft Edge, Discord and other Electron apps as Hive ransomware every time they were opened in Windows. The problem began with Defender signature update 1.373.1508.0, which included two new threat detections, including Behavior:Win32/Hive.ZY. False positives were spotted by a fair number of users. Microsoft tried to resolve the problem by releasing one patch and then another, but they didn't help.
Finally, a few days after the problem appeared, the Microsoft Defender security intelligence update version 1.373.1537.0 eliminated the false positives. Users are advised to update to the latest version.
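To see whether a host is still on a signature package older than 1.373.1537.0, and which applications the Behavior:Win32/Hive.ZY signature flagged on it, the following check is an added example (not from the bulletin or from Microsoft); it assumes the built-in Defender PowerShell module and an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the bulletin): detect stale Defender signatures and Hive.ZY hits.

function Test-DefenderHiveFalsePositive {
    $fixedVersion = [version]'1.373.1537.0'   # version named in the bulletin as the fix
    $status  = Get-MpComputerStatus
    $current = [version]$status.AntivirusSignatureVersion

    # Defender keeps detection history; ThreatName is the signature that fired,
    # Resources lists the files/processes it was attributed to
    $hiveHits = @(Get-MpThreat -ErrorAction SilentlyContinue |
                  Where-Object ThreatName -eq 'Behavior:Win32/Hive.ZY')

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SignatureVersion = $current
        NeedsUpdate      = ($current -lt $fixedVersion)
        HiveZYDetections = $hiveHits.Count
        FlaggedResources = ($hiveHits.Resources -join '; ')
    }
}

$result = Test-DefenderHiveFalsePositive
$result | Format-List

if ($result.NeedsUpdate) {
    Write-Warning "Signatures $($result.SignatureVersion) predate the fix; pulling the latest package."
    Update-MpSignature   # fetches current definitions from the configured update source
}
```

A non-zero HiveZYDetections count on a host that only ran browsers or Electron apps is the false positive described above; a hit on an unexpected binary still deserves normal triage.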
Microsoft Edge vulnerabilities
Microsoft fixed three high-severity vulnerabilities in the newest version of its Edge browser, v104.0.1293.47:
- Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability (CVE-2022-33636)
- Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability (CVE-2022-33649)
- Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability (CVE-2022-35796)
The first and third of these have high complexity and require user interaction, while the middle one has low complexity. All three vulnerabilities require an attacker to host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view that website, through a phishing attack or other technique. An attacker has no way to force a user to view the website.
Google Chrome vulnerabilities
In Chrome 104, 11 vulnerabilities were fixed, including the fifth zero-day in 2022, which has been used in attacks. The new zero-day, tracked as CVE-2022-2856, has high severity. It is related to insufficient validation of untrusted input in the Intents component. It allows an attacker to bypass all layers of browser protection and execute code on a system outside the sandbox environment. The only detail that has been disclosed is that the vulnerability is related to a use-after-free problem in the Federated Credential Management (FedCM) API, which is used to build federated identity services that preserve confidentiality without cross-site tracking mechanisms such as third-party cookies.
Other patched vulnerabilities include use-after-free issues in the Swiftshader rendering system, the Blink engine, the OS shell, the linking of Chrome login to Google services, and the ANGLE layer. In addition, there are updates that fix buffer overflows in the download management code, bugs in the Extensions API, and incorrect input validation in the mechanism for calling applications from web pages (Intents).
Chrome 105 contains fixes for 24 vulnerabilities. Google has not provided information regarding the use of any of the patched vulnerabilities in actual attacks.
Nine of the fixes address use-after-free vulnerabilities, the most important of which is a critical flaw in the Network Service component; five of the others affect browser components such as WebSQL, Layout, PhoneHub, and the browser tag.
The update also fixes 13 use-after-free and heap buffer overflow bugs. The serious vulnerabilities include a heap buffer overflow in Screen Capture, an inappropriate implementation in Site Isolation, and insufficient validation of untrusted input in V8. The medium-severity vulnerabilities include heap buffer overflow bugs, two use-after-free issues, two insufficient policy enforcement bugs, and two inappropriate implementation issues.
Google also released an emergency update to Chrome 105 to fix its sixth zero-day bug this year. The fixed bug is a high severity vulnerability caused by insufficient data validation in Mojo, a set of runtime libraries that implement messaging across arbitrary inter-process and intra-process boundaries. Google states that an exploit for CVE-2022-3075 exists in the wild, but information about the exploit will be restricted until most users have rolled out the patch. Accordingly, updating the Google Chrome browser as soon as possible is highly recommended.
Mozilla Firefox vulnerabilities
Mozilla has updated Firefox and Firefox Extended Support Release (ESR). The update fixes six vulnerabilities, four of which are of high severity. These include two critical bugs, CVE-2022-38477 and CVE-2022-38478, described as serious memory safety flaws in the browser engine that could lead to memory corruption and arbitrary code execution. An attacker who gets a victim to visit a specially crafted website can execute arbitrary code on a vulnerable system or cause a denial of service.
The new Firefox 104 also fixes a serious address bar spoofing issue related to XSLT error handling. The vulnerability, tracked as CVE-2022-38472, can be used for phishing. Another fix addresses CVE-2022-38473, which is also related to XSLT documents from various sources that could pose security and privacy risks. The bulletin states: “A cross-origin iframe referencing an XSLT document would inherit the parent domain’s permissions (such as microphone or camera access).”
Two low-severity bugs have also been fixed. CVE-2022-38474 allows recording of audio without displaying an audio notification, and CVE-2022-38475 allows writing a value to an array of zero length. The low rating is due to the fact that the attacker has no way to bypass the permission request.
So far, Mozilla is unaware of any attacks exploiting any of these vulnerabilities in the wild.
Although Chrome is the web browser most commonly targeted, attackers are not ignoring Firefox, so it is recommended to install the update promptly. For example, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommends that organizations familiarize themselves with Mozilla’s recommendations and install the necessary patches.
How To Efficiently Patch All of These Vulnerabilities And More
Want to learn about newly released updates as soon as they are available? With Action1, you can, and you can also streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.
Get started today and use Action1 on 100 endpoints free of charge with no functionality limitations.