Another Patch Tuesday is here, and Adobe and Microsoft have released their latest crop of new security updates and fixes. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.
Adobe Patches for October 2022
For October, Adobe released four patches addressing 29 vulnerabilities in Adobe Acrobat and Reader, ColdFusion, Commerce and Magento, and Adobe Dimension. A total of 22 of these bugs were reported through the ZDI program. The fix for ColdFusion seems to be the most critical, with multiple CVSS 9.8 code execution bugs being addressed. There’s also a fix for a bug in the Admin Component service. The service uses a hard-coded password for the administrator user. An attacker can leverage this vulnerability to bypass authentication on the system. Hard to imagine hard-coded credentials have existed in the product for so long without being discovered.
The Commerce and Magento update addresses only one bug, but it’s a CVSS 10. If you’re using either of these products, ensure you test and deploy this quickly to fix the stored cross-site scripting (XSS) bug. The patch for Acrobat and Reader fixes six bugs, with the most severe being stack-based buffer overflows that could lead to code execution. A threat actor would need to trick someone into opening a specially crafted PDF to get arbitrary code exec. The fix for Dimension corrects nine bugs, eight of which are rated critical. Most of these are file parsing bugs and would require user interaction to exploit.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.
Microsoft Patches for October 2022
This month, Microsoft released 85 new patches addressing CVEs in Microsoft Windows and Windows Components; Azure, Azure Arc, and Azure DevOps; Microsoft Edge (Chromium-based); Office and Office Components; Visual Studio Code; Active Directory Domain Services and Active Directory Certificate Services; Nu Get Client; Hyper-V; and the Windows Resilient File System (ReFS). This is in addition to the 11 CVEs patched in Microsoft Edge (Chromium-based) and one patch for side-channel speculation in Arm processors. That brings the total number of CVEs to 96. Six of these CVEs were submitted through the ZDI program.
What may be more interesting is what isn’t included in this month’s release. There are no updates for Exchange Server, despite two Exchange bugs being actively exploited for at least two weeks. These bugs were purchased by the ZDI at the beginning of September and reported to Microsoft at the time. With no updates available to fully address these bugs, the best administrators can do is ensure the September 2021 Cumulative Update (CU) is installed. This adds the Exchange Emergency Mitigation service. This automatically installs available mitigations and sends diagnostic data to Microsoft. Otherwise, follow this post from Microsoft with the latest information. Their mitigation advice has changed multiple times, so you’ll need to make sure you check it often for updates.
Of the 85 new patches released today, 15 are rated Critical, 69 are rated Important, and one is rated Moderate in severity. This volume is somewhat in line with what we’ve seen in previous October releases, but it does put Microsoft on track to exceed its 2021 total. If that happens, 2022 would the second busiest year for Microsoft CVEs. One of the new CVEs released this month is listed as publicly known and one other is listed as being in the wild at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the bug under active attack:
- CVE-2022-41033 – Windows COM+ Event System Service Elevation of Privilege Vulnerability
This patch fixes a bug that Microsoft lists as being used in active attacks, although they specify how broad these attacks may be. Since this is a privilege escalation bug, it is likely paired with other code execution exploits designed to take over a system. These types of attacks often involve some form of social engineering, such as enticing a user to open an attachment or browse to a malicious website. Despite near-constant anti-phishing training, especially during “Cyber Security Awareness Month”, people tend to click everything, so test and deploy this fix quickly.
- CVE-2022-37987/CVE-2022-37989 – Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability
These bugs were reported by ZDI Sr. Vulnerability Researcher Simon Zuckerbraun and pertain to the behavior of the CSRSS process when it searches for dependencies. CVS-2022-37989 is a failed patch for CVE-2022-22047, an earlier bug that saw some in-the-wild exploitation. This vulnerability results from CSRSS being too lenient in accepting input from untrusted processes. By contrast, CVE-2022-37987 is a new attack that works by deceiving CSRSS into loading dependency information from an unsecured location. We’ll publish additional details about these bugs on our blog in the future.
- CVE-2022-37968 – Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability
This vulnerability could allow an attacker to gain administrative control over Azure Arc-enabled Kubernetes clusters. Azure Stack Edge devices may also be impacted by this bug. To exploit this remotely, the attacker would need to know the randomly generated DNS endpoint for an Azure Arc-enabled Kubernetes cluster. Still, this bug receives the rare CVSS 10 rating – the highest severity rating the system allows. If you’re running these types of containers, make sure you either have auto-upgrade enabled or manually update to the latest version by running the appropriate commands in the Azure CLI.
- CVE-2022-38048 – Microsoft Office Remote Code Execution Vulnerability
This bug was reported to the ZDI by the researcher known as “hades_kito” and represents a rare Critical-rated Office bug. Most Office vulnerabilities are rated Important since they involve user interaction – typically opening a file. An exception to that is when the Preview Pane is an attack vector, however, Microsoft states that isn’t the case here. Likely the rating results from the lack of warning dialogs when opening a specially crafted file. Either way, this is a UAF that could lead to passing an arbitrary pointer to a free call which makes further memory corruption possible.
Here’s the full list of CVEs released by Microsoft for October 2022:
* Indicates this CVE had previously been assigned by a 3rd-party and is now being incorporated into Microsoft products.
Looking at the rest of the Critical-rated patches, the update for Active Directory Certificate Services (ADCS) stands out the most as successful exploitations would provide the attacker domain administrative privileges. However, exploiting this would be tricky. A malicious DCOM client would need to trick a DCOM server to authenticate to it through ADCS and then use the credential to launch a cross-protocol attack. There are seven Critical-rated fixes for the Point-to-Point Tunneling Protocol (PPTP). If you’re still using this, consider migrating to a more modern (and secure) solution. There’s a fix for a guest-to-host escape in Hyper-V that could result in the attacker executing code on the root OS. In addition to the one mentioned above, there are two other Critical-rated bugs impacting Office components. Neither have a Preview Pane attacker vector, so it’s not clear why the Critical rating applies. Speaking of confusing, there’s a Critical fix for SharePoint that reads identical to the Important-rated SharePoint fixes. Microsoft offers no clarity on why this bug is different.
There are only nine other fixes for remote code execution vulnerabilities, including three for SharePoint that have the same description as the Critical-rated SharePoint bugs already mentioned. There are two patches for the WDAC OLE DB provider for SQL Server and one for the ODBC Driver itself. There’s a fix for an RCE in Visual Studio Code, but no details are provided on what the attack scenario would be. That’s not the case for the GDI+ bug. An attacker would need to convince a user to browse to a malicious website or open a specially crafted file to get code execution. Finally, former Pwn2Own winner Bien Pham from Team Orca of Sea Security reported a code execution bug in the CD-ROM driver through the ZDI program. It’s an integer overflow that could lead to an out-of-bound write on kernel heap memory. In this case, an attacker would need to convince someone to open a malicious .iso file, which does seem a bit unlikely.
A total of 39 bugs in this release are Elevation of Privilege (EoP) bugs, including those mentioned above. The majority of these require an authenticated user to run specially crafted code on an affected system, but there are a few that stand out. The first is the patch for the print spooler. While we’re certainly used to spooler updates by now, this one was reported by the National Security Agency (NSA). The EoP in the Workstation service requires privileges, but it can be reached remotely. An attacker could execute RPC functions that are normally restricted to the local client. You would also need to be authenticated to send malicious RPC calls to the DHCP service to escalate to SYSTEM. The bug in Active Directory Domain Services could allow an attacker to get domain administrator privileges, but Microsoft offers no details on how that would occur. The NuGet package manager for .NET receives a fix impacting multiple NuGet versions. The fix for Visual Studio Code contains an …uh… interesting workaround:
“Create a folder C:\ProgramData\jupyter\kernels\ and configure it to be writable only by the current user.”
It’s not clear why this prevents the attack, but Microsoft claims it will. Lastly, the EoP in the Local Security Authority (LSA) could lead to a sandbox escape.
The October release includes fixes for 11 information disclosure bugs, including one in Office that’s listed as publicly known. Most of the other info disclosure vulnerabilities only result in leaks consisting of unspecified memory contents. There are a couple of notable exceptions. The bug in the Web Account Manager could allow an attacker to view unbound refresh tokens issued by one cloud on a different cloud. The patches for Visual Studio Code and the Mixed Reality Developer Tools fix disclosure bugs that could allow reading from the file system. The final info disclosure bug fixed this month could allow reading from the HKLM hive of the registry which you normally would not have access to.
There are two patches for Security Features Bypass (SFB) vulnerabilities this month, and the first requires physical access. On systems with outdated USB controller hardware, a Group Policy might have silently failed, which would leave the Windows Portable Device Enumerator Service open to attacks that rely on inserting a USB storage device. The SFB bug in Active Directory Certificate Services requires a Man-in-the-Middle (MiTM) and applies to Windows Challenge/Response (NTLM) authentication.
Eight different DoS vulnerabilities are patched this month. Probably the most interesting is the DoS in TCP/IP, which could be exploited by remote, unauthenticated attackers and does not require user interaction. Microsoft states systems with IPv6 disabled aren’t affected, but IPv6 comes enabled by default on most systems these days. Microsoft provides no further details about the seven other DoS patches.
The October release is rounded out by five spoofing bugs, including the lone Moderate-rated fix, which addresses a spoofing vulnerability in Microsoft Edge (Chromium-based). The most interesting is the Critical-rated fix for the Windows CryptoAPI. This bug could allow an attacker to spoof an existing public x.509 certificate to authenticate or sign code as the targeted certificate. I’m sure malware authors will definitely try to use this one in the near future. There’s also a store cross-site scripting (XSS) bug in the Service Fabric Explorer. If you’re using this, you need to ensure you are on the latest version by following these instructions. No additional details are provided about the spoofing bugs in Office or NTLM.
No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV990001.
Looking Ahead
The next Patch Tuesday falls on November 8, and we’ll return with details and patch analysis then. Be sure to catch the Patch Report webcast on our YouTube channel. It should be posted in just a few hours. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!