Microsoft patches Windows flaw exploited in the wild (CVE-2022-41033)
October 2022 Patch Tuesday is here, with fixes for 85 CVE-numbered vulnerabilities, including CVE-2022-41033, a vulnerability in Windows COM+ Event System Service that has been found being exploited in the wild.
But, first and foremost, it should be noted that the two MS Exchange zero-days under active exploitation (CVE-2022-41040 and CVE-2022-41082, aka ProxyNotShell) have still not been patched, and administrators must make do with Microsoft’s guidance on how to mitigate them until the fixes are ready.
CVE-2022-41033 is an elevation of privilege (EoP) vulnerability in the Windows COM+ Event System Service, which automatically distributes events to Component Object Model (COM) components.
Microsoft’s advisory does not provide information on how the vulnerability is being exploited or whether it is being exploited in targeted or more widespread attacks. It only says that the attack complexity is low and that no user interaction is required for the attacker to achieve SYSTEM privileges.
“All versions of Windows starting with Windows 7 and Windows Server 2008 are vulnerable. The Windows COM+ Event System Service is launched by default with the operating system and is responsible for providing notifications about logons and logoffs,” says Mike Walters, VP of Vulnerability and Threat Research at Action1.
“Installing the newly released patch is mandatory; otherwise, an attacker who is logged on to a guest or ordinary user computer can quickly gain SYSTEM privileges on that system and be able to do almost anything with it. This vulnerability is especially significant for organizations whose infrastructure relies on Windows Server.”
Other vulnerabilities to prioritize
CVE-2022-37968 has received the highest CVSS rating (10.0), meaning that it’s as critical as it can be. It’s another EoP flaw, but this one could allow an attacker to gain control over Azure Arc-enabled Kubernetes clusters.
“Azure Stack Edge devices may also be impacted by this bug. To exploit this remotely, the attacker would need to know the randomly generated DNS endpoint for an Azure Arc-enabled Kubernetes cluster,” noted Dustin Childs, with Trend Micro’s Zero Day Initiative.
“If you’re running these types of containers, make sure you either have auto-upgrade enabled or manually update to the latest version by running the appropriate commands in the Azure CLI.”
Childs also considers CVE-2022-38048, a Microsoft Office RCE flaw, a contender for quick patching. Microsoft rarely considers Office flaws critical, but in this case it does – even if user interaction is required for it to be triggered.
“Likely the rating results from the lack of warning dialogs when opening a specially crafted file. Either way, this is a UAF that could lead to passing an arbitrary pointer to a free call which makes further memory corruption possible,” he said.
Microsoft has also fixed seven critical vulnerabilities in the Point-to-Point Tunneling Protocol (PPTP), which is an outdated (and generally insecure) method for implementing VPNs. If you use it, you should implement the patches, but this might be a good time to consider a replacement.
Finally, Microsoft SharePoint users should check if they need to implement fixes for any of the four remote code execution flaws (CVE-2022-41036, CVE-2022-41037, CVE-2022-38053 and CVE-2022-41038) fixed by Microsoft on this Patch Tuesday. While none of them are publicly disclosed, SharePoint is among attackers’ favorite targets, so quick patching is advised.