Microsoft Fixes Actively Exploited Windows Privilege-Escalation Bug

Meanwhile, two exploited Exchange flaws that publicly emerged two weeks ago were not addressed in Microsoft’s update.

Microsoft has issued a patch for an actively exploited privilege-escalation Windows vulnerability, along with 84 other bugs, in its October regularly scheduled security update.

The important-severity flaw (CVE-2022-41033) exists in the Windows COM+ Event System service - which is an automated system that stores event information from various publishers in the Component Object Model (COM+) catalog, according to Microsoft - and could allow an attacker to gain SYSTEM privileges. While Microsoft confirmed that exploitation for the flaw has been detected, it did not disclose further details about the breadth and scope of exploitation.

The flaw’s attack vector is listed as local, meaning that a threat actor would need to rely on user interaction, or access the target system locally, in order to exploit it. However, the flaw’s attack complexity, and privileges required, are classified as low. Dustin Childs, with Trend Micro’s Zero Day Initiative, said that the privilege-escalation flaw would likely be paired “with other code execution exploits designed to take over a system.”

“These types of attacks often involve some form of social engineering, such as enticing a user to open an attachment or browse to a malicious website,” said Childs in a Tuesday analysis.

Beyond CVE-2022-41033, out of the 85 flaws patched in Microsoft’s update, 15 were rated critical, while 69 were rated important. One vulnerability publicly disclosed in the October release was a critical-severity Windows CryptoAPI spoofing flaw (CVE-2022-34689) that was reported by the National Security Agency (NSA) and the UK National Cyber Security Centre (NCSC), which could allow an attacker to manipulate an existing public X.509 certificate to spoof their identity and perform actions - like authentication or code signing - as the targeted certificate. The flaw was fixed quietly in August, and its advisory was listed as an "informational change only" as part of Microsoft's October security updates.

Other notable bugs in the update include a critical-severity, privilege-elevation flaw (CVE-2022-37968) in Azure Arc Connect. Despite the flaw’s high CVSS score of 10 out of 10, exploitation is classified as “less likely;” Microsoft said that an attacker would need to know the randomly generated external DNS endpoint for an Azure Arc-enabled Kubernetes cluster in order to exploit this vulnerability from the internet.

“Microsoft has identified a vulnerability affecting the cluster connect feature of Azure Arc-enabled Kubernetes clusters,” according to Microsoft’s advisory. “This vulnerability could allow an unauthenticated user to elevate their privileges and potentially gain administrative control over the Kubernetes cluster. Additionally, because Azure Stack Edge allows customers to deploy Kubernetes workloads on their devices via Azure Arc, Azure Stack Edge devices are also vulnerable to this vulnerability.”

Another notable critical-severity vulnerability is a Microsoft SharePoint flaw (CVE-2022-41038), which could allow an attacker with Manage List permissions to launch a network-based attack in order to execute code remotely on the SharePoint server. Microsoft said that exploitation for the flaw is “more likely,” but an attacker must first be authenticated to the target site in order to exploit the bug, with the permission to use Manage Lists within SharePoint.

Two known, exploited Exchange flaws uncovered two weeks ago were missing from Microsoft’s update. The two flaws (CVE-2022-41040 and CVE-2022-41082), which emerged publicly Sept. 29, have been exploited by attackers in “limited, targeted attacks,” Microsoft has confirmed. On Tuesday, Microsoft's Exchange team urged users to apply the available mitigations for the flaws and said that it plans to release updates for them “when they are ready.”