Microsoft Issues Patches for 121 Flaws, Including Zero-Day Under Active Attack

  • As many as 121 new security flaws were patched by Microsoft as part of its Patch Tuesday updates for the month of August, which also includes a fix for a Support Diagnostic Tool vulnerability that the company said is being actively exploited in the wild.

    Of the 121 bugs, 17 are rated Critical, 102 are rated Important, one is rated Moderate, and one is rated Low in severity. Two of the issues have been listed as publicly known at the time of the release.

    It’s worth noting that the 121 security flaws are in addition to 25 shortcomings the tech giant addressed in its Chromium-based Edge browser late last month and the previous week.

    Topping the list of patches is CVE-2022-34713 (CVSS score: 7.8), a case of remote code execution affecting the Microsoft Windows Support Diagnostic Tool (MSDT), making it the second flaw in the same component after Follina (CVE-2022-30190) to be weaponized in real-world attacks within three months.

    The vulnerability is also said to be a variant of the flaw publicly known as DogWalk, which was originally disclosed by security researcher Imre Rad in January 2020.

    “Exploitation of the vulnerability requires that a user open a specially crafted file,” Microsoft said in an advisory. “In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.”

    Alternatively, an attacker could host a website or leverage an already compromised site that contains a malware-laced file designed to exploit the vulnerability, and then trick potential targets into clicking on a link in an email or an instant message to open the document.

    “This is not an uncommon vector and malicious documents and links are still used by attackers to great effect,” Kev Breen, director of cyber threat research at Immersive Labs, said. “It underscores the need for upskilling employees to be wary of such attacks.”

    CVE-2022-34713 is one of the two remote code execution flaws in MSDT closed by Redmond this month, the other being CVE-2022-35743 (CVSS score: 7.8). Security researchers Bill Demirkapi and Matt Graeber have been credited with reporting the vulnerability.

    Microsoft also resolved three privilege escalation flaws in Exchange Server that could be abused to read targeted email messages and download attachments (CVE-2022-21980, CVE-2022-24477, and CVE-2022-24516) and one publicly-known information disclosure vulnerability (CVE-2022-30134) in Exchange which could as well lead to the same impact.

    “Administrators should enable Extended Protection in order to fully remediate this vulnerability,” Greg Wiseman, product manager at Rapid7, commented about CVE-2022-30134.

    The security update further remediates multiple remote code execution flaws in Windows Point-to-Point Protocol (PPP), Windows Secure Socket Tunneling Protocol (SSTP), Azure RTOS GUIX Studio, Microsoft Office, and Windows Hyper-V.

    The Patch Tuesday fix is also notable for addressing dozens of privilege escalation flaws: 31 in Azure Site Recovery, a month after Microsoft squashed 30 similar bugs in the business continuity service, five in Storage Spaces Direct, three in Windows Kernel, and two in the Print Spooler module.

    Software Patches from Other Vendors

    Aside from Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

    • Adobe
    • AMD
    • Android
    • Apache Projects
    • Cisco
    • Citrix
    • Dell
    • F5
    • Fortinet
    • GitLab
    • Google Chrome
    • HP
    • IBM
    • Intel
    • Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
    • MediaTek
    • NVIDIA
    • Qualcomm
    • Samba
    • SAP
    • Schneider Electric
    • Siemens, and
    • VMware

    Found this article interesting? Follow THN on Facebook, Twitter  and LinkedIn to read more exclusive content we post.