It’s the second Tuesday of the month, and the last second Tuesday before Black Hat and DEFCON, which means Microsoft and Adobe have released their latest security fixes. Take a break from packing (if you’re headed to hacker summer camp) or your normal activities and join us as we review the details of their latest patches and updates.
Adobe Patches for August 2022
For August, Adobe addressed 25 CVEs in five patches for Adobe Acrobat and Reader, Commerce, Illustrator, FrameMaker, and Adobe Premiere Elements. A total of 13 of these bugs were reported through the ZDI program. The update for Acrobat and Reader addresses three Critical-rated and four Important-rated bugs. The critical vulnerabilities could allow code execution if an attacker could convince a user to open a specially crafted file. There are also seven total fixes for Commerce, including four Critical-rated bugs. Two of these could allow code execution and two could lead to a privilege escalation. The XML injection bug fixed in the Commerce update has the highest CVSS score of Adobe’s release at 9.1. The patch for Illustrator contains two Critical and two Important fixes for bugs submitted by ZDI Security Researcher Mat Powell. The most severe could lead to code execution when opening a specially crafted file. Mat also reported the six FrameMaker bugs, five of which could lead to code execution. Finally, there’s a single Critical-rated CVE in the Premiere Elements patch resulting from an uncontrolled search path element.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes the majority of these updates as a deployment priority rating of 3, with the Acrobat patch being the lone exception at 2.
Microsoft Patches for August 2022
This month, Microsoft released 121 new patches addressing CVEs in Microsoft Windows and Windows Components; Azure Batch Node Agent, Real Time Operating System, Site Recovery, and Sphere; Microsoft Dynamics; Microsoft Edge (Chromium-based); Exchange Server; Office and Office Components; PPTP, SSTP, and Remote Access Service PPTP; Hyper-V; System Center Operations Manager; Windows Internet Information Services; Print Spooler Components; and Windows Defender Credential Guard. This is in addition to the 17 CVEs patched in Microsoft Edge (Chromium-based) and three patches related to secure boot from CERT/CC. That brings the total number of CVEs to 141. A total of eight of these bugs were reported through the ZDI, including some (but not all) of the bugs reported during the last Pwn2Own.
The volume of fixes released this month is markedly higher than what is normally expected in an August release. It’s almost triple the size of last year’s August release, and it’s the second largest release this year.
Of the 121 new CVEs released today, 17 are rated Critical, 102 are rated Important, one is rated Moderate, and one is rated Low in severity. Two of these bugs are listed as publicly known, and one is listed as under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the MSDT bug under active attack:
- CVE-2022-34713 – Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability
This is not the first time an MSDT bug has been exploited in the wild this year. This bug also allows code execution when MSDT is called using the URL protocol from a calling application, typically Microsoft Word. There is an element of social engineering to this as a threat actor would need to convince a user to click a link or open a document. It’s not clear if this vulnerability is the result of a failed patch or something new. Either way, test and deploy this fix quickly.
- CVE-2022-35804 – SMB Client and Server Remote Code Execution Vulnerability
The server side of this bug would allow a remote, unauthenticated attacker to execute code with elevated privileges on affected SMB servers. Interestingly, this bug only affects Windows 11, which implies some new functionality introduced this vulnerability. Either way, this could potentially be wormable between affected Windows 11 systems with SMB server enabled. Disabling SMBv3 compression is a workaround for this bug, but applying the update is the best method to remediate the vulnerability.
- CVE-2022-21980/24516/24477 – Microsoft Exchange Server Elevation of Privilege Vulnerability
I couldn’t pick between these three Critical-rated Exchange bugs, so I’m listing them all. Rarely are elevation of privilege (EoP) bugs rated Critical, but these certainly qualify. These bugs could allow an authenticated attacker to take over the mailboxes of all Exchange users. They could then read and send emails or download attachments from any mailbox on the Exchange server. Administrators will also need to enable Extended Protection to fully address these vulnerabilities.
- CVE-2022-34715 – Windows Network File System Remote Code Execution Vulnerability
This is now the fourth month in a row with an NFS code execution patch, and this CVSS 9.8 bug could be the most severe of the lot. To exploit this, a remote, unauthenticated attacker would need to make a specially crafted call to an affected NFS server. This would provide the threat actor with code execution at elevated privileges. Microsoft lists this as Important severity, but if you’re using NFS, I would treat it as Critical. Definitely test and deploy this fix quickly.
- CVE-2022-35742 - Microsoft Outlook Denial of Service Vulnerability
This was reported through the ZDI program and is a mighty interesting bug. Sending a crafted email to a victim causes their Outlook application to terminate immediately, and Outlook cannot be kept running: on each restart it terminates again once it retrieves and processes the invalid message. It is not necessary for the victim to open the message or to use the Reading pane. The only way to restore functionality is to access the mail account using a different client (i.e., webmail or administrative tools) and remove the offending email(s) from the mailbox before restarting Outlook.
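The SMBv3 compression workaround mentioned under CVE-2022-35804 above is a single registry value, but it is easy to set on hosts that do not need it. The following is an added example (not code from the original post or from Microsoft) that audits a host before applying the change: the registry path and value name are Microsoft's documented workaround, while the Windows 11 build threshold, the function names, and the decision logic are illustrative assumptions.

```powershell
# Added example (not from the original post or Microsoft): audit and apply the SMBv3
# compression workaround for CVE-2022-35804 on a Windows 11 SMB server.
# The registry path and DisableCompression value are Microsoft's documented workaround;
# the build check, function names, and decision logic are illustrative assumptions.

$LanmanServer = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbCompressionState {
    # Returns a summary object: OS caption and build, whether the SMB server service
    # (LanmanServer) is running, and whether DisableCompression is already set to 1.
    # A missing or zero value means SMBv3 compression is still enabled.
    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $svc     = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    $current = (Get-ItemProperty -Path $LanmanServer -Name DisableCompression `
                    -ErrorAction SilentlyContinue).DisableCompression
    [pscustomobject]@{
        Caption             = $os.Caption
        Build               = [int]$os.BuildNumber
        SmbServerRunning    = [bool]($svc -and $svc.Status -eq 'Running')
        CompressionDisabled = ($current -eq 1)
    }
}

function Disable-SmbCompression {
    # Writes the workaround value. Supports -WhatIf so it can be dry-run in change review.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($LanmanServer, 'Set DisableCompression = 1')) {
        Set-ItemProperty -Path $LanmanServer -Name DisableCompression -Type DWord -Value 1 -Force
    }
}

$state = Get-SmbCompressionState
$state | Format-List

# Assumption: Windows 11 is build 22000 or later, and only Windows 11 hosts are in scope.
# Only act where the SMB server is actually running and compression is still enabled.
if ($state.Build -ge 22000 -and $state.SmbServerRunning -and -not $state.CompressionDisabled) {
    Write-Warning 'Windows 11 SMB server with compression enabled: applying workaround'
    Disable-SmbCompression -Verbose
} else {
    Write-Output 'No action taken (not Windows 11, SMB server not running, or compression already disabled).'
}
```

Run it elevated; use `Disable-SmbCompression -WhatIf` to see what would change without writing. Treat the workaround as a stopgap, as the post says: the update is the remediation, and the registry value can be reverted to 0 once the patch is deployed.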
Here’s the full list of CVEs released by Microsoft for August 2022:
* Indicates this CVE had previously been assigned by a 3rd-party and is now being incorporated into Microsoft products.
Looking at the remaining Critical-rated fixes, many impact older tunneling protocols. There are fixes for Point-to-Point Protocol (PPP), Secure Socket Tunneling Protocol (SSTP), and RAS Point-to-Point Tunneling Protocol – all of which are correcting remote code execution (RCE) bugs. These are older protocols that should be blocked at your perimeter. However, if you’re still using one of these, it’s probably because you need it, so don’t miss these patches. There’s also a Critical-rated Hyper-V guest-to-host bug being patched this month. The update for Azure Batch won’t be automatic. According to Microsoft, “If you are not running Batch Agent version 1.9.27 or later, you need to resize your pools to zero or recreate your pool.” The final Critical-rated patch this month fixes an EoP in Active Directory. An authenticated attacker could manipulate attributes on computer accounts they own or manage and acquire a certificate from AD CS that would allow elevation to SYSTEM. This bug appears similar to other certificate-based vulnerabilities as Microsoft recommends reviewing KB5014754 for additional steps admins can take to protect their systems.
Moving on to other components, August brings 34 updates just for the Azure Site Recovery component. That makes 66 updates for this component in July and August. This month, there are two RCE bugs, one DoS, and 31 EoP vulnerabilities being fixed. All these bugs involve the VMware-to-Azure scenario. If you use Azure Site Recovery, you will need to update to 9.50 to be protected. Speaking of Azure, there are eight fixes for RTOS GUIX Studio – six RCEs and two info disclosure bugs. It’s not clear whether applications built with RTOS GUIX Studio will need to be recompiled after the patches are applied, but it wouldn’t be a bad idea. Rounding out the Azure-related bugs is an info disclosure vulnerability in Azure Sphere that could disclose contents of memory, but root privileges are required to exploit this bug, so it won’t be on anyone’s top 10 list.
There are nine other code execution bugs fixed this month, including another bug in MSDT that is not under active attack (yet). There’s also an intriguing RCE bug in the Bluetooth Service, but Microsoft provides little information on how it would be exploited – just that it is limited to network-adjacent attackers. There are two Office RCEs and four more in Visual Studio. In these cases, the attacker would need to convince a user to open a specially crafted file. The final RCE bugs are both browser-related. The first is in the WebBrowser Control and the other is in Edge (Chromium-based). While the Edge bug is rated Moderate, the CVSS is listed as 8.3. The lowered severity rating is due to required user interaction, but studies have shown that users click on just about any pop-ups they see.
Six security feature bypass (SFB) bugs are patched this month, highlighted by a CVSS 9.6 bug in Edge that bypasses the dialog that asks users to allow the launching of the Microsoft Store application. There’s a vulnerability in Windows Defender Credential Guard that could bypass Kerberos protection. The SFB bug in Excel bypasses the Packager Object Filters feature. The patch for Windows Hello fixes a vulnerability that bypasses the facial recognition security feature. Finally, the bug in the Windows kernel bypasses ASLR – a vital defense-in-depth measure. It would not surprise me to find this bug incorporated into future exploits, as bypassing ASLR would likely make the exploit more reliable.
Moving on to the remaining EoP bugs fixed in August, the first that jump out are the patches for the Print Spooler. Microsoft lists these with an Exploitability Index (XI) of 1, which means it considers exploitation more likely within 30 days. There’s another EoP in Exchange that’s listed as publicly known. An attacker could use it to read targeted emails. One of the patches fixes a privilege escalation in System Center Operations Manager: Open Management Infrastructure (OMI). An attacker could abuse it to manipulate the OMI keytab and gain elevated privileges on the machine. For the most part, the remaining privilege escalation bugs require an attacker to already have the ability to execute code on the target. They can then use one of these bugs to escalate to SYSTEM or some other elevated level.
Most months, the information disclosure patches consist primarily of bugs that only result in leaks of unspecified memory contents. There are a couple of those this month, but the others are much more interesting. There are two bugs in Windows Defender Credential Guard. Both could allow an attacker to access Kerberos-protected data. The remaining info disclosure fixes are for Exchange and could allow an attacker to read targeted emails. Again, based on changes made to Exchange this month, admins need to enable Extended Protection to fully remediate these vulnerabilities.
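Both the Critical Exchange EoP bugs and the Exchange info disclosure fixes above are only fully remediated once Extended Protection is enabled, and it is worth verifying that on each server rather than assuming it. The following is an added example (not code from the original post or from Microsoft) that does a read-only audit of the IIS setting Extended Protection relies on, `tokenChecking` under `windowsAuthentication/extendedProtection`, for a set of front-end virtual directories. The virtual directory list, the site name, and the expectation that the value is `Require` are assumptions for illustration; use Microsoft's `ExchangeExtendedProtectionManagement.ps1` script to actually configure Extended Protection, since it knows the per-directory settings Exchange expects.

```powershell
# Added example (not from the original post or Microsoft): read-only audit of IIS
# Extended Protection (tokenChecking) on an Exchange server's front-end virtual directories.
# Assumptions: site name, the virtual directory list, and 'Require' as the expected value.
# Configure Extended Protection with Microsoft's ExchangeExtendedProtectionManagement.ps1,
# not with this script.
Import-Module WebAdministration

# Front-end virtual directories under the Default Web Site to inspect (assumed set).
$FrontEndVdirs = @('API', 'Autodiscover', 'ecp', 'EWS', 'mapi',
                   'Microsoft-Server-ActiveSync', 'OAB', 'owa', 'PowerShell', 'Rpc')

function Get-ExtendedProtectionState {
    param(
        [string]$Site = 'Default Web Site',
        [string[]]$Vdirs = $FrontEndVdirs,
        [string]$Expected = 'Require'   # assumed target value for this audit
    )
    foreach ($vdir in $Vdirs) {
        $location = "$Site/$vdir"
        # Read the effective tokenChecking attribute for this location from applicationHost.config.
        $raw = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
            -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
            -Name tokenChecking -ErrorAction SilentlyContinue

        # The cmdlet may return a bare string or a configuration attribute object with .Value.
        $value = 'Unknown'
        if ($null -ne $raw) {
            if ($raw.PSObject.Properties['Value']) { $value = [string]$raw.Value }
            else { $value = [string]$raw }
        }

        [pscustomobject]@{
            VirtualDirectory = $location
            TokenChecking    = $value            # None / Allow / Require / Unknown
            Enforced         = ($value -eq $Expected)
        }
    }
}

$report = Get-ExtendedProtectionState
$report | Format-Table -AutoSize

$notEnforced = $report | Where-Object { -not $_.Enforced }
if ($notEnforced) {
    Write-Warning ('Extended Protection not set to Require on: ' +
                   ($notEnforced.VirtualDirectory -join ', '))
} else {
    Write-Output 'All audited virtual directories have Extended Protection set to Require.'
}
```

Run it in an elevated Exchange Management Shell or PowerShell session on each server. A `None` or `Unknown` result on a directory that should carry Extended Protection means the August patch alone has not closed these bugs on that server.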
Seven different Denial-of-Service (DoS) vulnerabilities receive fixes this month, including the aforementioned Outlook and Azure Site Recovery bugs. Three others impact the older tunneling protocols mentioned above. The LSA component gets a fix for a DoS bug. This is interesting, as LSA is responsible for writing to security logs. It is feasible that attackers could use this bug to try to cover their tracks after an intrusion. There’s also a fix for the HTTP Protocol Stack (http.sys). In this case, an unauthenticated attacker could send specially crafted packets to shut down the service.
The August release is rounded out by a fix for .NET to prevent a blind XXE attack.
No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV990001. The latest updates will be required to install the fixes for the secure boot bugs submitted by CERT/CC.
Looking Ahead
The next Patch Tuesday falls on September 13, and we’ll return with details and patch analysis then. I’ll also be starting a webcast on patch Wednesday to quickly recap the month’s release. You can find it on our YouTube channel. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!