Patch Tuesday: more than 120 vulnerabilities fixed, including one actively exploited

Microsoft released its traditional Patch Tuesday this week. This month, the security update corrects 141 vulnerabilities, including two zero-days, one of which is actively exploited.

The August 2022 Patch Tuesday actually includes 20 fixes for Edge browser vulnerabilities that Microsoft had already patched. That leaves 121 security vulnerabilities affecting Windows, Office, Azure, .NET Core, Visual Studio and Exchange Server.

A busy summer Patch Tuesday

Zero Day Initiative notes that the volume of patches released this month is “significantly higher” than what is normally expected in August. “It’s almost triple [the Patch Tuesday] from August of last year, and this is the second biggest patch of this year,” the organization says.

The August 2022 Patch Tuesday fixes 17 critical and 102 important vulnerabilities. The patches address 64 elevation of privilege flaws and 32 remote code execution flaws, as well as security feature bypasses and information disclosure flaws. Additionally, 34 of this month’s patches are for bugs in Azure Site Recovery, Microsoft’s set of disaster recovery tools for the cloud.

The actively exploited security flaw is a remote code execution flaw affecting the Microsoft Windows Support Diagnostic Tool (MSDT), listed as CVE-2022-34713. According to Microsoft, it is related to a vulnerability that some security researchers call “Dog walk”.

Dog walk

Researchers Imre Rad (@ImreRad) and @j00sean reported the Dogwalk bug to Microsoft in early 2020, but the company didn’t address it until May this year when attackers began to exploit MSDT via malicious Word documents. At that time, Microsoft released CVE-2022-30190 with mitigations, followed by a patch in mid-June and new defense-in-depth measures in July.

“We have finally patched the #DogWalk vulnerability. Thanks to everyone who yelled at us to fix it @j00sean @ImreRad,” tweeted Jonathan Norman, security researcher at Microsoft.

Microsoft says the CVE-2022-34713 flaw was discovered after public discussions sparked further scrutiny inside and outside of Microsoft. “In May, Microsoft published a blog post advising on a vulnerability in MSDT, and updates to address it shortly thereafter. Public discussion of a vulnerability may encourage further examination of the component, both by Microsoft security personnel and our research partners. This CVE is a variant of the vulnerability publicly known as Dogwalk,” Microsoft argues. The flaw has a CVSSv3 base score of 7.8 because victims must be tricked into opening a malicious file.

Google also fixed a medium-severity issue related to the Dogwalk bug (CVE-2022-2622) in Chrome last month. This issue affected Google’s Safe Browsing security service in Chrome.

New vulnerabilities on Exchange servers

An information disclosure flaw in Exchange Server was publicly disclosed before Tuesday, but has yet to be exploited. Vulnerable on-premises Exchange servers were among the most targeted systems in 2021, through the ProxyShell and ProxyLogon flaws.

Rapid7 emphasizes that fixing the Exchange Server flaw (CVE-2022-30134) alone will not prevent attackers from reading targeted email messages. Administrators should also enable Windows Extended Protection on Exchange servers. Microsoft’s Exchange team explained how to do this manually in a separate blog post. There are fixes for five other Exchange bugs that must be applied to completely remedy this problem.
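As a starting point for the Extended Protection recommendation above, here is an added PowerShell audit script; it is not from the article, Rapid7 or Microsoft, and it does not replace Microsoft’s own configuration script. It assumes it runs on the Exchange server with the IIS WebAdministration module available, reads the IIS windowsAuthentication/extendedProtection setting (tokenChecking) for each front-end virtual directory, and reports whether Extended Protection is off. The list of virtual directories is an assumption for illustration and should be compared with Microsoft’s published table, which also specifies whether each directory should be set to Allow or Require.

```powershell
# Added audit example (not the article's, Rapid7's or Microsoft's code).
# Assumption: run on the Exchange server, IIS WebAdministration module present.
Import-Module WebAdministration

# Assumed list of Exchange front-end virtual directories to inspect;
# check it against Microsoft's Extended Protection guidance.
$vdirs = @(
    'Default Web Site\Autodiscover',
    'Default Web Site\ecp',
    'Default Web Site\EWS',
    'Default Web Site\mapi',
    'Default Web Site\Microsoft-Server-ActiveSync',
    'Default Web Site\OAB',
    'Default Web Site\owa',
    'Default Web Site\PowerShell',
    'Default Web Site\Rpc'
)

$winAuthFilter = 'system.webServer/security/authentication/windowsAuthentication'

# Get-WebConfigurationProperty returns a wrapper object for some attribute
# types and a plain value for others; normalise to the plain value.
function Get-IisConfigValue {
    param([string]$PSPath, [string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { return $v.Value }
    return $v
}

foreach ($vdir in $vdirs) {
    $path = "IIS:\Sites\$vdir"
    if (-not (Test-Path $path)) {
        Write-Warning "$vdir not found on this server, skipping"
        continue
    }

    # Is Windows authentication enabled at all for this directory?
    $winAuth = Get-IisConfigValue -PSPath $path -Filter $winAuthFilter -Name 'enabled'

    # tokenChecking is the Extended Protection switch: None / Allow / Require
    $token = [string](Get-IisConfigValue -PSPath $path `
        -Filter "$winAuthFilter/extendedProtection" -Name 'tokenChecking')

    [pscustomobject]@{
        VirtualDirectory   = $vdir
        WindowsAuth        = [bool]$winAuth
        TokenChecking      = $token
        # Anything other than Allow/Require means Extended Protection is off
        ExtendedProtection = if ($token -in @('Allow', 'Require')) { 'on' } else { 'OFF' }
    }
}
```

Run it in an elevated Exchange Management Shell or PowerShell session on each server; a row showing OFF for a directory that Microsoft’s table lists as Allow or Require is the gap to close. Extended Protection also depends on TLS being required and on consistent TLS settings across the environment, which this script does not check.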

Rapid7 also recommends prioritizing the fix for CVE-2022-34715, a remote code execution flaw affecting Windows Network File System (NFS) version 4.1 on Windows Server 2022. It has a CVSSv3 score of 9.8. One notable flaw, CVE-2022-35797, is a bypass of Microsoft’s Windows Hello biometric authentication mechanism. An attacker would need physical access to exploit the vulnerability, but could bypass Windows Hello if successful.

Windows 7 is really over

Security company Ivanti points out that, as of the August Patch Tuesday update, only six months of Extended Security Updates (ESU) remain for Windows 7 and Windows Server 2008/2008 R2. In July, Microsoft signaled the end of the Windows 7 ESU program, which had added three years of support after the operating system’s end of life in 2020.

Also, starting this month, Microsoft will no longer provide updates for Windows Server Semi-Annual Channel (SAC). Windows Server 20H2 reached end of support on August 9 and is the last of the SAC releases.
