It’s the second Tuesday of the month, which means that Windows users are looking towards Microsoft in hopes that some of the flaws they’ve been struggling with will finally get fixed. We’ve already provided the direct download links for the cumulative updates released today for Windows 7, 8.1, 10, and 11, but now it’s time to talk about Common Vulnerabilities and Exposures (CVEs) again. For September, Microsoft released 64 new patches, which is a lot more than some people were expecting right as the summer ended. These software updates address CVEs in:
- Microsoft Windows and Windows Components
- Azure and Azure Arc
- .NET and Visual Studio and .NET Framework
- Microsoft Edge (Chromium-based)
- Office and Office Components
- Windows Defender
- Linux Kernel
September comes with 64 new security updates
It’s safe to say that this was neither the busiest nor the lightest month for Redmond-based security experts. Out of the 64 new CVEs released, five are rated Critical, 57 are rated Important, one is rated Moderate, and one is rated Low in severity. Of all these vulnerabilities, one CVE is listed as publicly known and under active attack at the time of this Patch Tuesday release.

The one under active attack, a bug in the Common Log File System (CLFS), allows an authenticated attacker to execute code with elevated privileges. Keep in mind that this type of bug is often wrapped into some form of social engineering attack, such as convincing someone to open a file or click a link. Once the target takes the bait, additional code executes with elevated privileges to take over the system, and it’s basically checkmate.

Microsoft mentioned that among the Critical-rated updates there are two for Windows Internet Key Exchange (IKE) Protocol Extensions that could also be classified as wormable. In both cases, only systems running IPsec are affected, so make sure you remember that.

Furthermore, we are also looking at two Critical-rated vulnerabilities in Dynamics 365 that could allow an authenticated user to perform SQL injection attacks and execute commands as db_owner within their Dynamics 365 database.

Let’s move on and look at the seven different DoS vulnerabilities patched this month, including a DNS bug. The tech giant said that two bugs in Secure Channel would allow an attacker to crash TLS by sending specially crafted packets. Let’s not forget about the DoS in IKE: unlike the code execution bugs listed above, no IPsec requirement is listed for it.
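Because the article conditions the two Critical IKE bugs on a system actually running IPsec, the first question an administrator will ask is whether a given host falls into that group. The read-only PowerShell check below is an added example, not code from the original article or from Microsoft; it relies only on the built-in NetSecurity cmdlets and the IKEEXT service and assumes it is run in an elevated session on the host being assessed.

```powershell
# Added example (not from the article): report whether this Windows host is
# actually configured for, or currently using, IPsec/IKE. Run elevated.
function Get-IpsecExposure {
    # IKEEXT is the Windows service that implements IKE. If it is stopped or
    # disabled, the IKE listener that the Critical bugs live in is not exposed.
    $ike = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue

    # Connection security (IPsec) rules currently in force from any policy
    # source (local, GPO, etc.). Only enabled rules count.
    $rules = @(Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
               Where-Object { $_.Enabled -eq 'True' })

    # Live security associations are the strongest signal: IPsec is not just
    # configured but negotiating with peers right now.
    $mainSAs  = @(Get-NetIPsecMainModeSA  -ErrorAction SilentlyContinue)
    $quickSAs = @(Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        IkeServiceStatus = if ($ike) { $ike.Status.ToString() }    else { 'NotInstalled' }
        IkeStartType     = if ($ike) { $ike.StartType.ToString() } else { 'n/a' }
        ActiveIpsecRules = $rules.Count
        MainModeSAs      = $mainSAs.Count
        QuickModeSAs     = $quickSAs.Count
        # True when any IPsec policy is in effect or any SA exists
        UsesIpsec        = ($rules.Count -gt 0 -or $mainSAs.Count -gt 0 -or $quickSAs.Count -gt 0)
    }
}

Get-IpsecExposure | Format-List
```

Read the result as a prioritisation aid rather than a reason to skip the update: IKEEXT is set to start automatically on many Windows builds, so a Running service by itself does not mean IPsec is in use, whereas a non-zero rule or SA count means the host is squarely in the affected group and should be patched first.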
The September 2022 rollout includes a fix for a lone security feature bypass in the Network Device Enrollment Service (NDES), where an attacker could bypass the service’s cryptographic service provider. Looking forward, the next Patch Tuesday security update rollout will be on the 11th of October, which is a bit sooner than some expected. Have you found any other issues after installing this month’s security updates? Share your opinion in the comments section below.