October 2022 Microsoft Patch Tuesday, (Tue, Oct 11th)

Microsoft - SuperTinyIcons
Microsoft – SuperTinyIcons

Microsoft today released patches for 96 vulnerabilities. 13 patches are rated as critical, 71 as important and 1 as moderate. The Chromium vulnerabilities affecting Microsoft Edge have no rating.

Most notable is the patch that is not included. We do not have a patch for the current Exchange vulnerability.

One vulnerability, CVE-2022-41003, a Windows COM+ Event System Service Elevation of Privilege Vulnerability, is already being exploited.

CVE-2022-41043, a Microsoft Office Information Disclosure Vulnerability, was made public before the patch was released.

Several vulnerabilities in Windows Point-to-Point Tunneling Protocol were rated critical and may lead to code execution. One vulnerability, an elevation of privilege vulnerability in Azure Arc-enabled Kubernetes cluster Connect was rated with a perfect 10.0 CVSS score.

Description
CVE Disclosed Exploited Exploitability (old versions) current version Severity CVSS Base (AVG) CVSS Temporal (AVG)
Active Directory Certificate Services Elevation of Privilege Vulnerability
%%cve:2022-37976%% No No Less Likely Less Likely Critical 8.8 7.7
Active Directory Domain Services Elevation of Privilege Vulnerability
%%cve:2022-38042%% No No Less Likely Less Likely Important 7.1 6.2
Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability
%%cve:2022-37968%% No No Less Likely Less Likely Critical 10.0 8.7
Chromium: CVE-2022-3304 Use after free in CSS
%%cve:2022-3304%% No No    
Chromium: CVE-2022-3307 Use after free in Media
%%cve:2022-3307%% No No    
Chromium: CVE-2022-3308 Insufficient policy enforcement in Developer Tools
%%cve:2022-3308%% No No    
Chromium: CVE-2022-3310 Insufficient policy enforcement in Custom Tabs
%%cve:2022-3310%% No No    
Chromium: CVE-2022-3311 Use after free in Import
%%cve:2022-3311%% No No    
Chromium: CVE-2022-3313 Incorrect security UI in Full Screen
%%cve:2022-3313%% No No    
Chromium: CVE-2022-3315 Type confusion in Blink
%%cve:2022-3315%% No No    
Chromium: CVE-2022-3316 Insufficient validation of untrusted input in Safe Browsing
%%cve:2022-3316%% No No    
Chromium: CVE-2022-3317 Insufficient validation of untrusted input in Intents
%%cve:2022-3317%% No No    
Chromium: CVE-2022-3370 Use after free in Custom Elements
%%cve:2022-3370%% No No    
Chromium: CVE-2022-3373 Out of bounds write in V8
%%cve:2022-3373%% No No    
Connected User Experiences and Telemetry Elevation of Privilege Vulnerability
%%cve:2022-38021%% No No Less Likely Less Likely Important 7.0 6.1
Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability
%%cve:2022-38036%% No No Unlikely Less Likely Important 7.5 6.5
Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability
%%cve:2022-37977%% No No Less Likely Less Likely Important 6.5 5.7
Microsoft DWM Core Library Elevation of Privilege Vulnerability
%%cve:2022-37983%% No No Less Likely Less Likely Important 7.8 6.8
Microsoft Edge (Chromium-based) Spoofing Vulnerability
%%cve:2022-41035%% No No Less Likely Less Likely Moderate 8.3 7.5
Microsoft ODBC Driver Remote Code Execution Vulnerability
%%cve:2022-38040%% No No Less Likely Less Likely Important 8.8 7.7
Microsoft Office Graphics Remote Code Execution Vulnerability
%%cve:2022-38049%% No No Less Likely Less Likely Important 7.8 6.8
Microsoft Office Information Disclosure Vulnerability
%%cve:2022-41043%% Yes No Less Likely Less Likely Important 3.3 2.9
Microsoft Office Remote Code Execution Vulnerability
%%cve:2022-38048%% No No Less Likely Less Likely Critical 7.8 6.8
Microsoft Office Spoofing Vulnerability
%%cve:2022-38001%% No No Less Likely Less Likely Important 6.5 5.7
Microsoft SharePoint Server Remote Code Execution Vulnerability
%%cve:2022-41036%% No No More Likely More Likely Important 8.8 7.7
%%cve:2022-41037%% No No Less Likely Less Likely Important 8.8 7.7
%%cve:2022-38053%% No No More Likely More Likely Important 8.8 7.7
%%cve:2022-41038%% No No Less Likely More Likely Critical 8.8 7.7
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
%%cve:2022-37982%% No No Less Likely Less Likely Important 8.8 7.7
%%cve:2022-38031%% No No Unlikely Less Likely Important 8.8 7.7
Microsoft Windows Defender Elevation of Privilege Vulnerability
%%cve:2022-37971%% No No Less Likely Less Likely Important 7.1 6.2
Microsoft Word Remote Code Execution Vulnerability
%%cve:2022-41031%% No No Less Likely Less Likely Important 7.8 6.8
NuGet Client Elevation of Privilege Vulnerability
%%cve:2022-41032%% No No Less Likely Less Likely Important 7.8 6.8
Server Service Remote Protocol Elevation of Privilege Vulnerability
%%cve:2022-38045%% No No Less Likely Less Likely Important 8.8 7.7
Service Fabric Explorer Spoofing Vulnerability
%%cve:2022-35829%% No No Less Likely Less Likely Important 6.2 5.4
StorSimple 8000 Series Elevation of Privilege Vulnerability
%%cve:2022-38017%% No No Less Likely Less Likely Important 6.8 5.9
Visual Studio Code Elevation of Privilege Vulnerability
%%cve:2022-41083%% No No Less Likely Less Likely Important 7.8 6.8
Visual Studio Code Information Disclosure Vulnerability
%%cve:2022-41042%% No No Less Likely Less Likely Important 7.4 6.4
Visual Studio Code Remote Code Execution Vulnerability
%%cve:2022-41034%% No No Important 7.8 6.8
Web Account Manager Information Disclosure Vulnerability
%%cve:2022-38046%% No No Less Likely Less Likely Important 6.2 5.4
Win32k Elevation of Privilege Vulnerability
%%cve:2022-38050%% No No More Likely More Likely Important 7.8 6.8
Windows ALPC Elevation of Privilege Vulnerability
%%cve:2022-38029%% No No Less Likely Less Likely Important 7.0 6.1
Windows Active Directory Certificate Services Security Feature Bypass
%%cve:2022-37978%% No No Less Likely Less Likely Important 7.5 6.5
Windows CD-ROM File System Driver Remote Code Execution Vulnerability
%%cve:2022-38044%% No No Less Likely Less Likely Important 7.8 6.8
Windows COM+ Event System Service Elevation of Privilege Vulnerability
%%cve:2022-41033%% No Yes More Likely Detected Important 7.8 6.8
Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability
%%cve:2022-37987%% No No More Likely More Likely Important 7.8 6.8
%%cve:2022-37989%% No No More Likely More Likely Important 7.8 6.8
Windows CryptoAPI Spoofing Vulnerability
%%cve:2022-34689%% No No More Likely More Likely Critical 7.5 6.5
Windows DHCP Client Elevation of Privilege Vulnerability
%%cve:2022-37980%% No No Less Likely Less Likely Important 7.8 6.8
Windows DHCP Client Information Disclosure Vulnerability
%%cve:2022-38026%% No No Less Likely Less Likely Important 5.5 4.8
Windows DWM Core Library Elevation of Privilege Vulnerability
%%cve:2022-37970%% No No More Likely More Likely Important 7.8 6.8
Windows Distributed File System (DFS) Information Disclosure Vulnerability
%%cve:2022-38025%% No No Less Likely Less Likely Important 5.5 4.8
Windows Event Logging Service Denial of Service Vulnerability
%%cve:2022-37981%% No No Less Likely Less Likely Important 4.3 3.8
Windows GDI+ Remote Code Execution Vulnerability
%%cve:2022-33635%% No No Less Likely Less Likely Important 7.8 6.8
Windows Graphics Component Elevation of Privilege Vulnerability
%%cve:2022-38051%% No No More Likely More Likely Important 7.8 7.0
%%cve:2022-37997%% No No More Likely More Likely Important 7.8 6.8
Windows Graphics Component Information Disclosure Vulnerability
%%cve:2022-37985%% No No Less Likely Less Likely Important 5.5 4.8
Windows Group Policy Elevation of Privilege Vulnerability
%%cve:2022-37975%% No No More Likely Less Likely Important 7.8 6.8
Windows Group Policy Preference Client Elevation of Privilege Vulnerability
%%cve:2022-37999%% No No Less Likely Less Likely Important 7.8 6.8
%%cve:2022-37993%% No No Less Likely Less Likely Important 7.8 6.8
%%cve:2022-37994%% No No Less Likely Less Likely Important 7.8 6.8
Windows Hyper-V Elevation of Privilege Vulnerability
%%cve:2022-37979%% No No Less Likely Less Likely Critical 7.8 6.8
Windows Kernel Elevation of Privilege Vulnerability
%%cve:2022-38022%% No No Less Likely Less Likely Important 2.5 2.2
%%cve:2022-37988%% No No Less Likely Less Likely Important 7.8 6.8
%%cve:2022-38037%% No No Less Likely Less Likely Important 7.8 6.8
%%cve:2022-38038%% No No Less Likely Less Likely Important 7.8 6.8
%%cve:2022-37990%% No No Less Likely Less Likely Important 7.8 6.8
%%cve:2022-38039%% No No Less Likely Less Likely Important 7.8 6.8
%%cve:2022-37991%% No No Less Likely Less Likely Important 7.8 6.8
%%cve:2022-37995%% No No Less Likely Less Likely Important 7.8 6.8
Windows Kernel Memory Information Disclosure Vulnerability
%%cve:2022-37996%% No No Less Likely Less Likely Important 5.5 4.8
Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability
%%cve:2022-38016%% No No Less Likely Less Likely Important 8.8 7.7
Windows Local Session Manager (LSM) Denial of Service Vulnerability
%%cve:2022-37998%% No No Less Likely Less Likely Important 7.7 6.7
%%cve:2022-37973%% No No Less Likely Less Likely Important 7.7 6.7
Windows Mixed Reality Developer Tools Information Disclosure Vulnerability
%%cve:2022-37974%% No No More Likely More Likely Important 6.5 5.7
Windows NTLM Spoofing Vulnerability
%%cve:2022-35770%% No No Less Likely Less Likely Important 6.5 5.7
Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability
%%cve:2022-37965%% No No Less Likely Less Likely Important 5.9 5.2
Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
%%cve:2022-30198%% No No Less Likely Less Likely Critical 8.1 7.1
%%cve:2022-22035%% No No Less Likely Less Likely Critical 8.1 7.1
%%cve:2022-24504%% No No Less Likely Less Likely Critical 8.1 7.1
%%cve:2022-33634%% No No Less Likely Less Likely Critical 8.1 7.1
%%cve:2022-38047%% No No Less Likely Less Likely Critical 8.1 7.1
%%cve:2022-38000%% No No Less Likely Less Likely Critical 8.1 7.3
%%cve:2022-41081%% No No Less Likely Less Likely Critical 8.1 7.1
Windows Portable Device Enumerator Service Security Feature Bypass Vulnerability
%%cve:2022-38032%% No No Unlikely Less Likely Important 5.9 5.2
Windows Print Spooler Elevation of Privilege Vulnerability
%%cve:2022-38028%% No No Less Likely More Likely Important 7.8 6.8
Windows Resilient File System Elevation of Privilege
%%cve:2022-38003%% No No Less Likely Less Likely Important 7.8 6.8
Windows Secure Channel Denial of Service Vulnerability
%%cve:2022-38041%% No No Less Likely Less Likely Important 7.5 6.5
Windows Security Support Provider Interface Information Disclosure Vulnerability
%%cve:2022-38043%% No No More Likely Less Likely Important 5.5 4.8
Windows Server Remotely Accessible Registry Keys Information Disclosure Vulnerability
%%cve:2022-38033%% No No Less Likely Less Likely Important 6.5 5.9
Windows Storage Elevation of Privilege Vulnerability
%%cve:2022-38027%% No No More Likely Less Likely Important 7.0 6.1
Windows TCP/IP Driver Denial of Service Vulnerability
%%cve:2022-33645%% No No Less Likely Less Likely Important 7.5 6.5
Windows USB Serial Driver Information Disclosure Vulnerability
%%cve:2022-38030%% No No Less Likely Less Likely Important 4.3 3.8
Windows WLAN Service Elevation of Privilege Vulnerability
%%cve:2022-37984%% No No Less Likely Less Likely Important 7.8 6.8
Windows Win32k Elevation of Privilege Vulnerability
%%cve:2022-37986%% No No Less Likely Less Likely Important 7.8 6.8
Windows Workstation Service Elevation of Privilege Vulnerability
%%cve:2022-38034%% No No Less Likely Less Likely Important 4.3 3.8


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Alex Post