Microsoft fixed a total of 121 vulnerabilities on Update Tuesday in August. These include 17 vulnerabilities that Microsoft classifies as critical and two 0-day vulnerabilities.
On Patch Day on August 9, Microsoft provided a number of updates that fix 121 vulnerabilities. Microsoft classifies 17 vulnerabilities as critical and the rest, with the exception of two vulnerabilities, as high risk. The gaps affect Windows, Office and last but not least Azure. A Windows vulnerability (CVE-2022-34713) is already being used for attacks. Microsoft offers sparse details on the vulnerabilities to look for yourself in the security update guide. Dustin Childs prepares the topic of Update Tuesday in a much clearer way in the Trend Micro ZDI blog – always with an eye on admins who look after company networks.
In short
software | eliminated gaps | classified as critical |
|---|---|---|
Windows | 61 | 13 + a 0-day gap |
Office | 4 | no |
Exchange | 6 | 3 + a 0-day gap |
Azure | 45 | 1 |
browser update
The most recent security update for Edge is version 104.0.1293.47 from August 5th. It is based on Chromium 104.0.5112.81 and fixes several Chromium vulnerabilities. Google released a corresponding security update for Chrome on August 2nd. With its update, Microsoft also closes three edge-specific vulnerabilities, one of which is considered high risk.
Office gaps
Microsoft fixed four vulnerabilities in its Office products in August. Microsoft identifies two as high risk. They are suitable for injecting and executing code (RCE: Remote Code Execution). One of them (CVE-2022-33648) specifically affects Excel. The DoS (Denial of Service) vulnerability CVE-2022-35742 in Outlook is a tough one. If an Outlook user receives an appropriately prepared email, Outlook crashes. This mail does not have to be opened or displayed in the preview. If you restart Outlook, it crashes again. Outlook can only be used again if this e-mail is deleted from the server with another e-mail program or the current update has been installed.
Vulnerabilities in Windows
The majority of vulnerabilities, 61 this month, are spread across the various versions of Windows (8.1 and newer), for which Microsoft still offers security updates for all. Windows 7 and Server 2008 R2 are still mentioned in the security reports, but only organizations participating in the paid ESU program will receive updates.
Diagnostic tool MSDT under attack again
According to Microsoft, the vulnerability CVE-2022-34713 in the Microsoft Windows Support Diagnostic Tool (MSDT) of all versions of Windows, including Server, is already being used for attacks. An attacker who exploits this vulnerability can gain system privileges. It is reminiscent of the so-called “Follina” vulnerability (CVE-2022-30190) in MSDT, which Microsoft fixed in June. According to Microsoft, however, it is a variant of an MSDT vulnerability discovered two years ago but previously ignored by Microsoft and publicly known as “DogWalk”. A user would need to obtain and open a CAB archive containing a diagnostic configuration file for an attack to succeed.
Critical Windows vulnerabilities
Microsoft has fixed 13 critical vulnerabilities in Windows. Ten of these relate to outdated tunnel protocols: six times the Secure Socket Tunneling Protocol (SSTP) and twice each the Point-to-Point Protocol (PPP) and the RAS Point-to-Point Tunneling Protocol (PPTP). All could be exploited to inject and execute code.
Only Windows 11 affects the RCE vulnerability CVE-2022-35804 in SMB client and server (SMB: Server Message Block – file shares). An attacker could inject code on an SMB server and run it with elevated privileges. In the Hyper-V virtualization solution, an attack could break out of the guest system and execute code on the host (CVE-2022-34696).
Six vulnerabilities in Exchange
Microsoft’s Exchange mail server will receive updates this month against six vulnerabilities, three of which Microsoft has classified as critical. These three vulnerabilities (CVE-2022-21980/-24477/-24516) could allow a registered attacker to gain elevated privileges and take over all mail accounts on the server. In order for the provided updates to take full effect, administrators must activate “Extended Protection”. CVE-2022-30134 is also an EoP (Elevation of Privilege) vulnerability, but only allows existing emails to be read. However, the gap was already publicly known in advance and is therefore considered a 0-day gap.
Another flood of patches for Azure
Microsoft fixed 45 vulnerabilities in its Azure cloud platform this month, after 33 vulnerabilities had to be patched in July. Microsoft only classifies the RCE vulnerability CVE-2022-33646 in the Azure Batch Node Agent as critical.
Extended Security Updates (ESU)
Companies and organizations that participate in Microsoft’s paid ESU program to secure systems running Windows 7 or Server 2008 R2 will receive updates this month that close 29 vulnerabilities. These include nine of the vulnerabilities identified as critical above, as well as the 0-day vulnerability CVE-2022-34713.
Also in August there is a new Windows tool for removing malicious software. The next scheduled update Tuesday is September 13, 2022.