Microsoft Fixes 1 Zero-Day, Leaves 2 Exchange Bugs Unpatched

There are no fixes for a pair of recently uncovered Microsoft Exchange zero-day vulnerabilities possibly being exploited by Chinese hackers in this month’s Microsoft patch dump, but the company has rolled out a fix for another zero-day that could give attackers system-level privileges.

See Also: Building a Secure IoT Deployment Using 5G Wireless WAN

October’s Patch Tuesday includes fixes for 85 other flaws.

The fixed zero-day, tracked as CVE-2022-41033, is a Windows COM+ event system flaw that when exploited results in loss of confidentiality, integrity and availability. This flaw was reported by an anonymous individual and has a CVSS score of 7.8. Microsoft says it has been exploited in the wild. The acronym COM+ stands for component object model. COM+ handles resource management tasks including thread allocation and security.

This privilege escalation bug would likely be paired with other exploits designed to take over a system, writes Dustin Childs, a security analyst at Zero Day Initiative, a software vulnerability initiative run by Trend Micro.

“These types of attacks often involve some form of social engineering, such as enticing a user to open an attachment or browse to a malicious website. Despite near-constant anti-phishing training, especially during Cyber Security Awareness Month, people tend to click everything, so test and deploy this fix quickly,” he advises.

The zero-day is among 39 elevation of privilege vulnerabilities the technology giant fixed this month. This Patch Tuesday also includes fixes for two security feature bypass vulnerabilities, 20 remote code execution vulnerabilities, 11 information disclosure vulnerabilities, eight denial-of-service vulnerabilities and four spoofing vulnerabilities.

Noticeably, Microsoft did not release patches for the two Exchange zero-day vulnerabilities it acknowledged last month (see: Possible Chinese Hackers Exploit Microsoft Exchange 0-Days). The vulnerability is possibly being exploited by Chinese hackers

Vietnamese cybersecurity firm GTSC first reported the exploit, which consist of two chained zero-days assigned as CVE-2022-41040 and CVE-2022-41082. They affect Microsoft Exchange Server 2013, 2016 and 2019.

Microsoft late last month pledged an “accelerated timeline” for developing a patch and in the meantime has released workarounds for businesses that have on-premises Exchange servers. Exchange Online customers don’t need to take any action.

Vulnerabilities Addressed

Included in this month’s crop of fixed CVEs is CVE-2022-37968, which has a rare CVSS score of 10. It could allow an attacker to gain administrative control over an organization running Kubernetes clusters on Azure.

Microsoft says the attacker would first need to know the randomly generated external DNS endpoint for an Azure Arc-enabled Kubernetes cluster, which isn’t impossible to obtain “with services like Shodan, Censys.io, and Microsoft’s own RiskIQ,” says Kev Breen, director of cyberthreat research at Immersive Labs.

Vulnerabilities tracked as CVE-2022-37987 and CVE-2022-37989 each pertain to the Client Server Runtime Subsystem elevation of privilege vulnerability. Childs writes that CVE-2022-37989 is a failed fix for an earlier bug, CVE-2022-22047, which has been seen in the wild. These bugs were reported by Simon Zuckerbraun, ZDI’s senior vulnerability researcher.