August 9, 2022

Microsoft today released updates to fix a record 141 security vulnerabilities in its Windows operating systems and related software. Once again, Microsoft is patching a zero-day vulnerability in the Microsoft Support Diagnostics Tool (MSDT), a service built into Windows. Redmond also addressed multiple flaws in Exchange Server — including one that was disclosed publicly prior to today — and it is urging organizations that use Exchange for email to update as soon as possible and to enable additional protections.

In June, Microsoft patched a vulnerability in MSDT dubbed “Follina” that had been used in active attacks for at least three months prior. This latest MSDT bug — CVE-2022-34713 — is a remote code execution flaw that requires convincing a target to open a booby-trapped file, such as an Office document. Microsoft this month also issued a different patch for another MSDT flaw, tagged as CVE-2022-35743.

The publicly disclosed Exchange flaw is CVE-2022-30134, which is an information disclosure weakness. Microsoft also released fixes for three other Exchange flaws that rated a “critical” label, meaning they could be exploited remotely to compromise the system and with no help from users. Microsoft says addressing some of the Exchange vulnerabilities fixed this month requires administrators to enable Windows Extended protection on Exchange Servers. See Microsoft’s blog post on the Exchange Server updates for more details.

“If your organization runs local exchange servers, this trio of CVEs warrant an urgent patch,” said Kevin Breen, director of cyber threat research for Immerse Labs. “Exchanges can be treasure troves of information, making them valuable targets for attackers. With CVE-2022-24477, for example, an attacker can gain initial access to a user’s host and could take over the mailboxes for all exchange users, sending and reading emails and documents. For attackers focused on Business Email Compromise this kind of vulnerability can be extremely damaging.”

The other two critical Exchange bugs are tracked as CVE-2022-24516 and CVE-2022-21980. It’s difficult to believe it’s only been a little more than a year since malicious hackers worldwide pounced in a bevy of zero-day Exchange vulnerabilities to remotely compromise the email systems for hundreds of thousands of organizations running Exchange Server locally for email. That lingering catastrophe is reminder enough that critical Exchange bugs deserve immediate attention.

The SANS Internet Storm Center‘s rundown on Patch Tuesday warns that a critical remote code execution bug in the Windows Point-to-Point Protocol (CVE-2022-30133) could become “wormable” — a threat capable of spreading across a network without any user interaction.

“Another critical vulnerability worth mentioning is an elevation of privilege affecting Active Directory Domain Services (CVE-2022-34691),” SANS wrote. “According to the advisory, ‘An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege to System.’ A system is vulnerable only if Active Directory Certificate Services is running on the domain. The CVSS for this vulnerability is 8.8.”

Breen highlighted a set of four vulnerabilities in Visual Studio that earned Microsoft’s less-dire “important” rating but that nevertheless could be vitally important for the security of developer systems.

“Developers are empowered with access to API keys and deployment pipelines that, if compromised, could be significantly damaging to organizations,” he said. “So it’s no surprise they are often targeted by more advanced attackers. Patches for their tools should not be overlooked. We’re seeing a continued trend of supply-chain compromise too, making it vital that we ensure developers, and their tools, are kept up-to-date with the same rigor we apply to standard updates.”

Greg Wiseman, product manager at Rapid7, pointed to an interesting bug Microsoft patched in Windows Hello, the biometric authentication mechanism for Windows 10.  Microsoft notes that the successful exploitation of the weakness requires physical access to the target device, but would allow an attacker to bypass a facial recognition check.

Wiseman said despite the record number of vulnerability fixes from Redmond this month, the numbers are slightly less dire.

“20 CVEs affect their Chromium-based Edge browser and 34 affect Azure Site Recovery (up from 32 CVEs affecting that product last month),” Wiseman wrote. “As usual, OS-level updates will address a lot of these, but note that some extra configuration is required to fully protect Exchange Server this month.”

As it often does on Patch Tuesday, Adobe has also released security updates for many of its products, including Acrobat and Reader, Adobe Commerce and Magento Open Source. More details here.

Please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.


11 thoughts on “Microsoft Patch Tuesday, August 2022 Edition

  1. Bruce

    Month after month Microsoft produce around 100 of these security fixes. One would like to think that Windows 10 is somewhat more secure now than it was when released (?) Surely the attraction of the newer Windows 11, with its no doubt, thousands of yet to be discovered security vulnerabilities, is somewhat less than appealing.

    1. Wayne

      I’m not a Microsoft fanboy nor hater, but I do know that cyber threats are getting more and more sophisticated as time goes one. Ironically, Microsoft has more software vulnerabilities than Linux does, but that’s mainly because many of the threats that effect Windows and Apple computers are made to effect those computers specifically. And since Windows is more common and widely used you have people causing all sorts of problems for its users… which is why Microsoft is forced to produce exponentially greater fixes of security problems as time goes on.

      Linux isn’t bullet proof, but it’s one of the better operating systems in my opinion. You don’t have to be a computer hacker/programmer to use it.

  2. Ghdor

    Microsoft forgot again the official uninstall for internet Explorer 11

  3. Thomas Burchill

    With 100s of fixes needed each month, will the geniuss at Redmond ever realize that most people just need something basic like the old Win7 or XP, instead of the ugly monster Win10 that is more vulnerable to hacking & frequently failed “fixes” ?

    1. Teodor

      Yeyks, some of you people have no clue on what world you are living on. Do you think you, the personal computer user are the main customer of Microsoft? Think again! The main business is corporate and data-center! Millions of servers in tens of thousands of networks worldwide that don’t just do something “basic” but actually take advantage of all the features of the behemoth that the Windows operating system has become. If you need something “basic” as an end user, go buy an Apple – that’s the easiest and most basic experience that you can have. Not to digress, out of the 120 vulnerabilities disclosed this month, over 80% are not addressing issues that a home user might never be concerned about on their home use Windows 10 machine, but rather fixes to features that are being actively used and indispensable to large enterprises, which also pose a threat to the security of those enterprises as hacking groups try to abuse every little corner of those features.

  4. Wayne

    Let me just say that the last update gave me a so called “Black Screen of Death.” I work and take classes in IT though, so I was able to get through it. But what about all the others that went through the same issue?

    1. Catherine

      This patch cause my computer to have a blue screen asking for the 48 digit BitLocker code. I have a Dell. We just spent 6+ hours on the phone with Dell and Microsoft with each side saying that it’s the other side fault. At this point I may just have to start from scratch. I thought that computers were supposed to make life easier. The company that I go to for data recovery won’t even touch my computer…

      1. mealy

        Always. Always. Always. Back up all your DATA before Windows update for any reason.

        Always.

        Always-always.

  5. RK

    Updated my desktop and notebook yesterday, both on 21H2. Restarted fine. No issues so far….

  6. Daniel Meyers

    There are opinions that the Linux operating system is actually less secure than Windows? Is it really so? The reasoning behind the conclusion that Linux is less safe contains glaring logical inconsistencies. We only need to look a little more closely to debunk the myths and find the logical fallacies underlying the following oft-repeated assertions:

    1. Windows is only attacked so much because it has more installations than Linux. Consequently, Linux would be just as vulnerable if it had as many installations.

    2) Open source code is inherently more dangerous, as it is easier for attackers to find security holes.

    3. There are more vulnerability warnings for Linux than for Windows, hence Linux is less secure than Windows.

    4. In the case of the Linux operating system, more time elapses between the discovery of a vulnerability and the release of an appropriate software fix than in the case of Windows.

    The fallacy of statements 3 and 4 is that they ignore the most important indicators to evaluate the security of one operating system compared to another. I am a former cybersecurity professional and now work for a company https://writemypapers4me.net/ helping do my paper for me for cybersecurity students. Trying to characterize security based on a single metric (e.g., how much time passes between breach detection and software correction output) does not yield meaningful results.

Comments are closed.