Microsoft Fixes Two Zero-Days This Patch Tuesday

  • Microsoft released fixes for over 60 CVEs this month including two zero-day vulnerabilities, one of which is being actively exploited in the wild.

    The latter is an elevation of privilege vulnerability in Windows Common Log File System Driver (CVE-2022-37969), which affects all Windows versions and could enable attackers to gain system privileges.

    “The attack does require the attacker to have access and ability to run code on the target system, but chaining multiple vulnerabilities in an attack is common enough practice that this should be considered a minor barrier for threat actors,” explained Ivanti VP of security products, Chris Goettl.

    “The vulnerability is rated as ‘important,’ but with multiple vendors acknowledged for the coordinated disclosure and confirmed exploits in the wild it should be treated as a ‘critical’ severity due to the risk. Exploitation has already been detected and additional information could have been disclosed making it easier for additional attackers to take advantage of the vulnerability.”

    The second publicly disclosed bug is found in ARM-based Windows 11 systems and is a cache speculation restriction vulnerability (CVE-2022-23960). Known as Spectre-BHB, it can be described as a side-channel speculation vulnerability in ARM processors.

    This month’s Patch Tuesday update round has seen Microsoft pass 1000 CVEs for the year, putting the company on track to exceed the 1200 it fixed in 2021, according to Qualys.

    There are a total of five critical patches for sysadmins to consider this month, including remote code execution bugs CVE-2022-34722 and CVE-2022-34721, which impact Windows Internet Key Exchange (IKE) Protocol Extensions. Both have a CVSS score of 9.8.

    “They both have low complexity for exploitation and allow threat actors to perform the attack with no user interaction. An unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could enable remote code execution,” warned Action1 co-founder, Mike Walters.

    “This vulnerability impacts only IKEv1 and not IKEv2. However, all Windows Servers are affected because they accept both V1 and V2 packets. There is no exploit or proof-of-concept detected in the wild yet, but installing the fix is highly advisable.”
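    A defender-side triage for the IKE exposure Walters describes, added here as an illustrative example rather than code from the article or any vendor. It assumes the Windows-native IKEEXT service name, the standard IKE/NAT-T ports UDP/500 and UDP/4500 and the built-in NetSecurity cmdlets; the KB number is a placeholder because the article does not name the update.

```powershell
# Added example (not from the article or any vendor): quick exposure triage for a
# Windows host against the IKE remote code execution bugs discussed above.
# Assumptions: IKEEXT is the IKE/AuthIP keying service, IKE listens on UDP/500 and
# NAT-T on UDP/4500, and the fixing update is identified by a KB number the operator
# must supply (the article does not give it, so a placeholder is used).
function Get-IkeExposure {
    param(
        # Placeholder: replace with the KB of the September 2022 cumulative update
        # for this host's OS build that addresses CVE-2022-34721/CVE-2022-34722.
        [string]$FixKb = 'KB<PLACEHOLDER>'
    )

    # The host only processes IKE traffic when the keying service is running.
    $svc = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
    $ikeRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    # Which IKE-related UDP ports are currently bound on this host?
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 500, 4500 }
    $listening = @($udp | Select-Object -ExpandProperty LocalPort -Unique)

    # Count enabled IPsec rules: the article notes exposure requires IPsec to be enabled.
    $ipsecRules = @(Get-NetIPsecRule -ErrorAction SilentlyContinue |
        Where-Object { "$($_.Enabled)" -eq 'True' })

    # Has the named fix been installed?
    $patched = $null -ne (Get-HotFix -Id $FixKb -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        IkeServiceUp   = $ikeRunning
        IkeUdpPorts    = ($listening -join ',')
        IpsecRuleCount = $ipsecRules.Count
        FixInstalled   = $patched
        # Heuristic: service up, IKE port bound and fix absent -> prioritise patching.
        LikelyExposed  = $ikeRunning -and ($listening.Count -gt 0) -and (-not $patched)
    }
}

Get-IkeExposure -FixKb 'KB<PLACEHOLDER>' | Format-List
```

Run it in an elevated PowerShell session, since Get-NetIPsecRule and Get-NetUDPEndpoint may return incomplete results without administrative rights.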