Microsoft today released patches for 96 vulnerabilities. 13 patches are rated as critical, 71 as important and 1 as moderate. The Chromium vulnerabilities affecting Microsoft Edge have no rating.
Most notable is the patch that is not included. We do not have a patch for the current Exchange vulnerability.
One vulnerability, CVE-2022-41003, a Windows COM+ Event System Service Elevation of Privilege Vulnerability, is already being exploited.
CVE-2022-41043, a Microsoft Office Information Disclosure Vulnerability, was made public before the patch was released.
Several vulnerabilities in Windows Point-to-Point Tunneling Protocol were rated critical and may lead to code execution. One vulnerability, an elevation of privilege vulnerability in Azure Arc-enabled Kubernetes cluster Connect was rated with a perfect 10.0 CVSS score.
| Description | |||||||
|---|---|---|---|---|---|---|---|
| CVE | Disclosed | Exploited | Exploitability (old versions) | current version | Severity | CVSS Base (AVG) | CVSS Temporal (AVG) |
| Active Directory Certificate Services Elevation of Privilege Vulnerability | |||||||
| %%cve:2022-37976%% | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.7 |
| Active Directory Domain Services Elevation of Privilege Vulnerability | |||||||
| %%cve:2022-38042%% | No | No | Less Likely | Less Likely | Important | 7.1 | 6.2 |
| Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability | |||||||
| %%cve:2022-37968%% | No | No | Less Likely | Less Likely | Critical | 10.0 | 8.7 |
| Chromium: CVE-2022-3304 Use after free in CSS | |||||||
| %%cve:2022-3304%% | No | No | – | – | – | ||
| Chromium: CVE-2022-3307 Use after free in Media | |||||||
| %%cve:2022-3307%% | No | No | – | – | – | ||
| Chromium: CVE-2022-3308 Insufficient policy enforcement in Developer Tools | |||||||
| %%cve:2022-3308%% | No | No | – | – | – | ||
| Chromium: CVE-2022-3310 Insufficient policy enforcement in Custom Tabs | |||||||
| %%cve:2022-3310%% | No | No | – | – | – | ||
| Chromium: CVE-2022-3311 Use after free in Import | |||||||
| %%cve:2022-3311%% | No | No | – | – | – | ||
| Chromium: CVE-2022-3313 Incorrect security UI in Full Screen | |||||||
| %%cve:2022-3313%% | No | No | – | – | – | ||
| Chromium: CVE-2022-3315 Type confusion in Blink | |||||||
| %%cve:2022-3315%% | No | No | – | – | – | ||
| Chromium: CVE-2022-3316 Insufficient validation of untrusted input in Safe Browsing | |||||||
| %%cve:2022-3316%% | No | No | – | – | – | ||
| Chromium: CVE-2022-3317 Insufficient validation of untrusted input in Intents | |||||||
| %%cve:2022-3317%% | No | No | – | – | – | ||
| Chromium: CVE-2022-3370 Use after free in Custom Elements | |||||||
| %%cve:2022-3370%% | No | No | – | – | – | ||
| Chromium: CVE-2022-3373 Out of bounds write in V8 | |||||||
| %%cve:2022-3373%% | No | No | – | – | – | ||
| Connected User Experiences and Telemetry Elevation of Privilege Vulnerability | |||||||
| %%cve:2022-38021%% | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1 |
| Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability | |||||||
| %%cve:2022-38036%% | No | No | Unlikely | Less Likely | Important | 7.5 | 6.5 |
| Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability | |||||||
| %%cve:2022-37977%% | No | No | Less Likely | Less Likely | Important | 6.5 | 5.7 |
| Microsoft DWM Core Library Elevation of Privilege Vulnerability | |||||||
| %%cve:2022-37983%% | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| Microsoft Edge (Chromium-based) Spoofing Vulnerability | |||||||
| %%cve:2022-41035%% | No | No | Less Likely | Less Likely | Moderate | 8.3 | 7.5 |
| Microsoft ODBC Driver Remote Code Execution Vulnerability | |||||||
| %%cve:2022-38040%% | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7 |
| Microsoft Office Graphics Remote Code Execution Vulnerability | |||||||
| %%cve:2022-38049%% | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| Microsoft Office Information Disclosure Vulnerability | |||||||
| %%cve:2022-41043%% | Yes | No | Less Likely | Less Likely | Important | 3.3 | 2.9 |
| Microsoft Office Remote Code Execution Vulnerability | |||||||
| %%cve:2022-38048%% | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8 |
| Microsoft Office Spoofing Vulnerability | |||||||
| %%cve:2022-38001%% | No | No | Less Likely | Less Likely | Important | 6.5 | 5.7 |
| Microsoft SharePoint Server Remote Code Execution Vulnerability | |||||||
| %%cve:2022-41036%% | No | No | More Likely | More Likely | Important | 8.8 | 7.7 |
| %%cve:2022-41037%% | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7 |
| %%cve:2022-38053%% | No | No | More Likely | More Likely | Important | 8.8 | 7.7 |
| %%cve:2022-41038%% | No | No | Less Likely | More Likely | Critical | 8.8 | 7.7 |
| Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | |||||||
| %%cve:2022-37982%% | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7 |
| %%cve:2022-38031%% | No | No | Unlikely | Less Likely | Important | 8.8 | 7.7 |
| Microsoft Windows Defender Elevation of Privilege Vulnerability | |||||||
| %%cve:2022-37971%% | No | No | Less Likely | Less Likely | Important | 7.1 | 6.2 |
| Microsoft Word Remote Code Execution Vulnerability | |||||||
| %%cve:2022-41031%% | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| NuGet Client Elevation of Privilege Vulnerability | |||||||
| %%cve:2022-41032%% | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| Server Service Remote Protocol Elevation of Privilege Vulnerability | |||||||
| %%cve:2022-38045%% | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7 |
| Service Fabric Explorer Spoofing Vulnerability | |||||||
| %%cve:2022-35829%% | No | No | Less Likely | Less Likely | Important | 6.2 | 5.4 |
| StorSimple 8000 Series Elevation of Privilege Vulnerability | |||||||
| %%cve:2022-38017%% | No | No | Less Likely | Less Likely | Important | 6.8 | 5.9 |
| Visual Studio Code Elevation of Privilege Vulnerability | |||||||
| %%cve:2022-41083%% | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| Visual Studio Code Information Disclosure Vulnerability | |||||||
| %%cve:2022-41042%% | No | No | Less Likely | Less Likely | Important | 7.4 | 6.4 |
| Visual Studio Code Remote Code Execution Vulnerability | |||||||
| %%cve:2022-41034%% | No | No | – | – | Important | 7.8 | 6.8 |
| Web Account Manager Information Disclosure Vulnerability | |||||||
| %%cve:2022-38046%% | No | No | Less Likely | Less Likely | Important | 6.2 | 5.4 |
| Win32k Elevation of Privilege Vulnerability | |||||||
| %%cve:2022-38050%% | No | No | More Likely | More Likely | Important | 7.8 | 6.8 |
| Windows ALPC Elevation of Privilege Vulnerability | |||||||
| %%cve:2022-38029%% | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1 |
| Windows Active Directory Certificate Services Security Feature Bypass | |||||||
| %%cve:2022-37978%% | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5 |
| Windows CD-ROM File System Driver Remote Code Execution Vulnerability | |||||||
| %%cve:2022-38044%% | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| Windows COM+ Event System Service Elevation of Privilege Vulnerability | |||||||
| %%cve:2022-41033%% | No | Yes | More Likely | Detected | Important | 7.8 | 6.8 |
| Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability | |||||||
| %%cve:2022-37987%% | No | No | More Likely | More Likely | Important | 7.8 | 6.8 |
| %%cve:2022-37989%% | No | No | More Likely | More Likely | Important | 7.8 | 6.8 |
| Windows CryptoAPI Spoofing Vulnerability | |||||||
| %%cve:2022-34689%% | No | No | More Likely | More Likely | Critical | 7.5 | 6.5 |
| Windows DHCP Client Elevation of Privilege Vulnerability | |||||||
| %%cve:2022-37980%% | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| Windows DHCP Client Information Disclosure Vulnerability | |||||||
| %%cve:2022-38026%% | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8 |
| Windows DWM Core Library Elevation of Privilege Vulnerability | |||||||
| %%cve:2022-37970%% | No | No | More Likely | More Likely | Important | 7.8 | 6.8 |
| Windows Distributed File System (DFS) Information Disclosure Vulnerability | |||||||
| %%cve:2022-38025%% | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8 |
| Windows Event Logging Service Denial of Service Vulnerability | |||||||
| %%cve:2022-37981%% | No | No | Less Likely | Less Likely | Important | 4.3 | 3.8 |
| Windows GDI+ Remote Code Execution Vulnerability | |||||||
| %%cve:2022-33635%% | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| Windows Graphics Component Elevation of Privilege Vulnerability | |||||||
| %%cve:2022-38051%% | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| %%cve:2022-37997%% | No | No | More Likely | More Likely | Important | 7.8 | 6.8 |
| Windows Graphics Component Information Disclosure Vulnerability | |||||||
| %%cve:2022-37985%% | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8 |
| Windows Group Policy Elevation of Privilege Vulnerability | |||||||
| %%cve:2022-37975%% | No | No | More Likely | Less Likely | Important | 7.8 | 6.8 |
| Windows Group Policy Preference Client Elevation of Privilege Vulnerability | |||||||
| %%cve:2022-37999%% | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| %%cve:2022-37993%% | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| %%cve:2022-37994%% | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| Windows Hyper-V Elevation of Privilege Vulnerability | |||||||
| %%cve:2022-37979%% | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8 |
| Windows Kernel Elevation of Privilege Vulnerability | |||||||
| %%cve:2022-38022%% | No | No | Less Likely | Less Likely | Important | 2.5 | 2.2 |
| %%cve:2022-37988%% | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| %%cve:2022-38037%% | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| %%cve:2022-38038%% | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| %%cve:2022-37990%% | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| %%cve:2022-38039%% | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| %%cve:2022-37991%% | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| %%cve:2022-37995%% | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| Windows Kernel Memory Information Disclosure Vulnerability | |||||||
| %%cve:2022-37996%% | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8 |
| Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability | |||||||
| %%cve:2022-38016%% | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7 |
| Windows Local Session Manager (LSM) Denial of Service Vulnerability | |||||||
| %%cve:2022-37998%% | No | No | Less Likely | Less Likely | Important | 7.7 | 6.7 |
| %%cve:2022-37973%% | No | No | Less Likely | Less Likely | Important | 7.7 | 6.7 |
| Windows Mixed Reality Developer Tools Information Disclosure Vulnerability | |||||||
| %%cve:2022-37974%% | No | No | More Likely | More Likely | Important | 6.5 | 5.7 |
| Windows NTLM Spoofing Vulnerability | |||||||
| %%cve:2022-35770%% | No | No | Less Likely | Less Likely | Important | 6.5 | 5.7 |
| Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability | |||||||
| %%cve:2022-37965%% | No | No | Less Likely | Less Likely | Important | 5.9 | 5.2 |
| Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | |||||||
| %%cve:2022-30198%% | No | No | Less Likely | Less Likely | Critical | 8.1 | 7.1 |
| %%cve:2022-22035%% | No | No | Less Likely | Less Likely | Critical | 8.1 | 7.1 |
| %%cve:2022-24504%% | No | No | Less Likely | Less Likely | Critical | 8.1 | 7.1 |
| %%cve:2022-33634%% | No | No | Less Likely | Less Likely | Critical | 8.1 | 7.1 |
| %%cve:2022-38047%% | No | No | Less Likely | Less Likely | Critical | 8.1 | 7.1 |
| %%cve:2022-38000%% | No | No | Less Likely | Less Likely | Critical | 8.1 | 7.3 |
| %%cve:2022-41081%% | No | No | Less Likely | Less Likely | Critical | 8.1 | 7.1 |
| Windows Portable Device Enumerator Service Security Feature Bypass Vulnerability | |||||||
| %%cve:2022-38032%% | No | No | Unlikely | Less Likely | Important | 5.9 | 5.2 |
| Windows Print Spooler Elevation of Privilege Vulnerability | |||||||
| %%cve:2022-38028%% | No | No | Less Likely | More Likely | Important | 7.8 | 6.8 |
| Windows Resilient File System Elevation of Privilege | |||||||
| %%cve:2022-38003%% | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| Windows Secure Channel Denial of Service Vulnerability | |||||||
| %%cve:2022-38041%% | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5 |
| Windows Security Support Provider Interface Information Disclosure Vulnerability | |||||||
| %%cve:2022-38043%% | No | No | More Likely | Less Likely | Important | 5.5 | 4.8 |
| Windows Server Remotely Accessible Registry Keys Information Disclosure Vulnerability | |||||||
| %%cve:2022-38033%% | No | No | Less Likely | Less Likely | Important | 6.5 | 5.9 |
| Windows Storage Elevation of Privilege Vulnerability | |||||||
| %%cve:2022-38027%% | No | No | More Likely | Less Likely | Important | 7.0 | 6.1 |
| Windows TCP/IP Driver Denial of Service Vulnerability | |||||||
| %%cve:2022-33645%% | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5 |
| Windows USB Serial Driver Information Disclosure Vulnerability | |||||||
| %%cve:2022-38030%% | No | No | Less Likely | Less Likely | Important | 4.3 | 3.8 |
| Windows WLAN Service Elevation of Privilege Vulnerability | |||||||
| %%cve:2022-37984%% | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| Windows Win32k Elevation of Privilege Vulnerability | |||||||
| %%cve:2022-37986%% | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| Windows Workstation Service Elevation of Privilege Vulnerability | |||||||
| %%cve:2022-38034%% | No | No | Less Likely | Less Likely | Important | 4.3 | 3.8 |
—
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
