Microsoft today released updates to fix at least 85 security holes in its Windows operating systems and related software, including a new zero-day vulnerability in all supported versions of Windows that is being actively exploited. However, noticeably absent from this month's Patch Tuesday are any updates to address a pair of zero-day flaws being exploited this past month in Microsoft Exchange Server.

**Microsoft** today released updates to fix at least 85 security holes in its **Windows** operating systems and related software, including a new zero-day vulnerability in all supported versions of Windows that is being actively exploited. However, noticeably absent from this month’s Patch Tuesday are any updates to address a pair of zero-day flaws being exploited this past month in **Microsoft Exchange Server**.

The new zero-day flaw– CVE-2022-41033 — is an “elevation of privilege” bug in the Windows COM+ event service, which provides system notifications when users logon or logoff. Microsoft says the flaw is being actively exploited, and that it was reported by an anonymous individual.

“Despite its relatively low score in comparison to other vulnerabilities patched today, this one should be at the top of everyone’s list to quickly patch,” said **Kevin Breen**, director of cyber threat research at **Immersive Labs**. “This specific vulnerability is a local privilege escalation, which means that an attacker would already need to have code execution on a host to use this exploit. Privilege escalation vulnerabilities are a common occurrence in almost every security compromise. Attackers will seek to gain SYSTEM or domain-level access in order to disable security tools, grab credentials with tools like Mimkatz and move laterally across the network.

Indeed, **Satnam Narang**, senior staff research engineer at **Tenable**, notes that almost half of the security flaws Microsoft patched this week are elevation of privilege bugs.

Some privilege escalation bugs can be particularly scary. One example is CVE-2022-37968, which affects organizations running **Kubernetes** clusters on **Azure** and earned a CVSS score of 10.0 — the most severe score possible.

Microsoft says that to exploit this vulnerability an attacker would need to know the randomly generated DNS endpoint for an Azure Arc-enabled Kubernetes cluster. But that may not be such a tall order, says Breen, who notes that a number of free and commercial DNS discovery services now make it easy to find this information on potential targets.

Late last month, Microsoft acknowledged that attackers were exploiting two previously unknown vulnerabilities in Exchange Server. Paired together, the two flaws are known as “ProxyNotShell” and they can be chained to allow remote code execution on Exchange Server systems.

Microsoft said it was expediting work on official patches for the Exchange bugs, and it urged affected customers to enable certain settings to mitigate the threat from the attacks. However, those mitigation steps were soon shown to be ineffective, and Microsoft has been adjusting them on a daily basis nearly each day since then.

The lack of Exchange patches leaves a lot of Microsoft customers exposed. Security firm **Rapid7** said that as of early September 2022 the company observed more than 190,000 potentially vulnerable instances of Exchange Server exposed to the Internet.

“While Microsoft confirmed the zero-days and issued guidance faster than they have in the past, there are still no patches nearly two weeks out from initial disclosure,” said **Caitlin Condon**, senior manager of vulnerability research at Rapid7. “Despite high hopes that today’s Patch Tuesday release would contain fixes for the vulnerabilities, Exchange Server is conspicuously missing from the initial list of October 2022 security updates. Microsoft’s recommended rule for blocking known attack patterns has been bypassed multiple times, emphasizing the necessity of a true fix.”

Adobe also released security updates to fix 29 vulnerabilities across a variety of products, including **Acrobat** and **Reader**, **ColdFusion**, **Commerce** and **Magento**. Adobe said it is not aware of active attacks against any of these flaws.

For a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the **SANS Internet Storm Center**. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.

Microsoft Patch Tuesday, October 2022 Edition

## Description

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0.0-rc, .NET 6.0, .NET Core 3.1, and NuGet (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol). This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in .NET 7.0.0-rc.1, .NET 6.0, .NET Core 3.1, and NuGet clients (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol) where a malicious actor could cause a user to execute arbitrary code.

## Affected software

### NuGet & NuGet Packages

- Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 6.3.0 version or earlier.
- Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 6.2.1 version or earlier.
- Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 6.0.2 version or earlier.
- Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 5.11.2 version or earlier.
- Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 5.9.2 version or earlier.
- Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 5.7.2 version or earlier.
- Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 4.9.5 version or earlier.

### .NET SDK(s)

- Any .NET 6.0 application running on .NET 6.0.9 or earlier.
- Any .NET 3.1 application running on .NET Core 3.1.29 or earlier.

## Patches

To fix the issue, please install the latest version of .NET 6.0 or .NET Core 3.1 and NuGet (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol versions). If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.

- If you're using NuGet.exe 6.3.0 or lower, you should download and install 6.3.1 from https://dist.nuget.org/win-x86-commandline/v6.3.1/nuget.exe .

- If you're using NuGet.exe 6.2.1 or lower, you should download and install 6.2.2 from https://dist.nuget.org/win-x86-commandline/v6.2.2/nuget.exe .

- If you're using NuGet.exe 6.0.2 or lower, you should download and install 6.0.3 from https://dist.nuget.org/win-x86-commandline/v6.0.3/nuget.exe .

- If you're using NuGet.exe 5.11.2 or lower, you should download and install 5.11.3 from https://dist.nuget.org/win-x86-commandline/v5.11.3/nuget.exe .

- If you're using NuGet.exe 5.9.2 or lower, you should download and install 5.9.3 from https://dist.nuget.org/win-x86-commandline/v5.9.3/nuget.exe .

- If you're using NuGet.exe 5.7.2 or lower, you should download and install 5.7.3 from https://dist.nuget.org/win-x86-commandline/v5.7.3/nuget.exe .

- If you're using NuGet.exe 4.9.5 or lower, you should download and install 4.9.6 from https://dist.nuget.org/win-x86-commandline/v4.9.6/nuget.exe .

- If you're using .NET Core 6.0, you should download and install Runtime 6.0.10 or SDK 6.0.110 (for Visual Studio 2022 v17.0) or SDK 6.0.402 (for Visual Studio 2022 v17.3) from https://dotnet.microsoft.com/download/dotnet-core/6.0.

- If you're using .NET Core 3.1, you should download and install Runtime 3.1.30 or SDK 3.1.424 (for Visual Studio 2019 v16.9 or Visual Studio 2011 16.11 or Visual Studio 2022 17.0 or Visual Studio 2022 17.1) from https://dotnet.microsoft.com/download/dotnet-core/3.1.

.NET 6.0 and .NET Core 3.1 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

## Other details

Announcement for this issue can be found at https://github.com/NuGet/Announcements/issues/65

MSRC details for this can be found at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41032


**Description**

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0.0-rc, .NET 6.0, .NET Core 3.1, and NuGet (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol). This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in .NET 7.0.0-rc.1, .NET 6.0, .NET Core 3.1, and NuGet clients (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol) where a malicious actor could cause a user to execute arbitrary code.

**Affected software****NuGet & NuGet Packages**

*   Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 6.3.0 version or earlier.
*   Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 6.2.1 version or earlier.
*   Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 6.0.2 version or earlier.
*   Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 5.11.2 version or earlier.
*   Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 5.9.2 version or earlier.
*   Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 5.7.2 version or earlier.
*   Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 4.9.5 version or earlier.

**.NET SDK(s)**

*   Any .NET 6.0 application running on .NET 6.0.9 or earlier.
*   Any .NET 3.1 application running on .NET Core 3.1.29 or earlier.

**Patches**

To fix the issue, please install the latest version of .NET 6.0 or .NET Core 3.1 and NuGet (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol versions). If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.

*   If you're using NuGet.exe 6.3.0 or lower, you should download and install 6.3.1 from https://dist.nuget.org/win-x86-commandline/v6.3.1/nuget.exe .
    
*   If you're using NuGet.exe 6.2.1 or lower, you should download and install 6.2.2 from https://dist.nuget.org/win-x86-commandline/v6.2.2/nuget.exe .
    
*   If you're using NuGet.exe 6.0.2 or lower, you should download and install 6.0.3 from https://dist.nuget.org/win-x86-commandline/v6.0.3/nuget.exe .
    
*   If you're using NuGet.exe 5.11.2 or lower, you should download and install 5.11.3 from https://dist.nuget.org/win-x86-commandline/v5.11.3/nuget.exe .
    
*   If you're using NuGet.exe 5.9.2 or lower, you should download and install 5.9.3 from https://dist.nuget.org/win-x86-commandline/v5.9.3/nuget.exe .
    
*   If you're using NuGet.exe 5.7.2 or lower, you should download and install 5.7.3 from https://dist.nuget.org/win-x86-commandline/v5.7.3/nuget.exe .
    
*   If you're using NuGet.exe 4.9.5 or lower, you should download and install 4.9.6 from https://dist.nuget.org/win-x86-commandline/v4.9.6/nuget.exe .
    
*   If you're using .NET Core 6.0, you should download and install Runtime 6.0.10 or SDK 6.0.110 (for Visual Studio 2022 v17.0) or SDK 6.0.402 (for Visual Studio 2022 v17.3) from https://dotnet.microsoft.com/download/dotnet-core/6.0.
    
*   If you're using .NET Core 3.1, you should download and install Runtime 3.1.30 or SDK 3.1.424 (for Visual Studio 2019 v16.9 or Visual Studio 2011 16.11 or Visual Studio 2022 17.0 or Visual Studio 2022 17.1) from https://dotnet.microsoft.com/download/dotnet-core/3.1.
    

.NET 6.0 and .NET Core 3.1 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

**Other details**

Announcement for this issue can be found at NuGet/Announcements#65

MSRC details for this can be found at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41032

**References**

*   GHSA-g3q9-xf95-8hp5
*   NuGet/Announcements#65

GHSA-g3q9-xf95-8hp5: NuGet Elevation of Privilege Vulnerability

The computing giant didn't fix ProxyNotLogon in October's Patch Tuesday, but it disclosed a rare 10-out-of-10 bug and patched two other zero-days, including one being exploited.

For its October Patch Tuesday update, Microsoft addressed a critical security vulnerability in its Azure cloud service, carrying a rare 10-out-of-10 rating on the CVSS vulnerability-severity scale.

The tech giant also patched two "important"-rated zero-day bugs, one of which is being actively exploited in the wild; and further, there may be a third issue, in SharePoint, that's also being actively exploited.

Notably, however, the Microsoft didn't issue fixes for the two unpatched Exchange Server zero-day bugs that came to light in late September.

In all for October, Microsoft released patches for 85 CVEs, including 15 critical bugs. Affected products run the gamut of the product portfolio as usual: Microsoft Windows and Windows Components; Azure, Azure Arc, and Azure DevOps; Microsoft Edge (Chromium-based); Office and Office Components; Visual Studio Code; Active Directory Domain Services and Active Directory Certificate Services; Nu Get Client; Hyper-V; and the Windows Resilient File System (ReFS).

These are in addition to 11 patches for Microsoft Edge (Chromium-based) and a patch for side-channel speculation in ARM processors released earlier in the month.

**A Perfect 10: Rare Ultra-Critical Vuln**

The 10-out-of-10 bug (CVE-2022-37968) is an elevation of privilege (EoP) and remote code-execution (RCE) issue that could allow an unauthenticated attacker to gain administrative control over Azure Arc-enabled Kubernetes clusters; it could also affect Azure Stack Edge devices.

While cyberattackers would need to know the randomly generated DNS endpoint for an Azure Arc-enabled Kubernetes cluster to be successful, exploitation has a big payoff: They can elevate their privileges to cluster admin and potentially gain control over the Kubernetes cluster.

"If you are using these types of containers with a version lower than 1.5.8, 1.6.19, 1.7.18, and 1.8.11 and they are available from the Internet, upgrade immediately," Mike Walters, vice president of vulnerability and threat research at Action1, warned via email.

**A Pair (Maybe a Triad) of Zero-Day Patches – but Not THOSE Patches**

The new zero-day confirmed as being under active exploit (CVE-2022-41033) is an EoP vulnerability in the Windows COM+ Event System Service. It carries a 7.8 CVSS score.

The Windows COM+ Event System Service is launched by default with the operating system and is responsible for providing notifications about logons and logoffs. All versions of Windows starting with Windows 7 and Windows Server 2008 are vulnerable, and a simple attack can lead to gaining SYSTEM privileges, researchers warned.

"Since this is a privilege escalation bug, it is likely paired with other code-execution exploits designed to take over a system," Dustin Childs, from the Zero Day Initiative (ZDI), noted in an analysis today. "These types of attacks often involve some form of social engineering, such as enticing a user to open an attachment or browse to a malicious website. Despite near-constant anti-phishing training, especially during 'Cyber Security Awareness Month,' people tend to click everything, so test and deploy this fix quickly."

Satnam Narang, senior staff research engineer at Tenable, noted in an emailed recap that an authenticated attacker could execute a specially crafted application in order to exploit the bug and elevate privileges to SYSTEM.

"While elevation of privilege vulnerabilities requires an attacker to gain access to a system through other means, they are still a valuable tool in an attacker’s toolbox, and this month’s Patch Tuesday has no shortage of elevation-of-privilege flaws, as Microsoft patched 39, accounting for nearly half of the bugs patched (46.4%)," he said.

This particular EoP problem should go to the head of the line for patching, according to Action1's Walters.

"Installing the newly released patch is mandatory; otherwise, an attacker who is logged on to a guest or ordinary user computer can quickly gain SYSTEM privileges on that system and be able to do almost anything with it," he wrote, in an emailed analysis. "This vulnerability is especially significant for organizations whose infrastructure relies on Windows Server."

The other confirmed publicly known bug (CVE-2022-41043) is an information-disclosure issue in Microsoft Office for Mac that has a low CVSS risk rating of just 4 out of 10.

Waters pointed to another potentially exploited zero-day: a remote code execution (RCE) problem in SharePoint Server (CVE-2022-41036, CVSS 8.8) that affects all versions starting with SharePoint 2013 Service Pack 1.

"In a network-based attack, an authenticated adversary with Manage List permissions could execute code remotely on the SharePoint Server and escalate to administrative permissions," he said.

Most importantly, "Microsoft reports that an exploit has likely already been created and is being used by hacker groups, but there is no proof of this yet," he said. "Nevertheless, this vulnerability is worth taking seriously if you have a SharePoint Server open to the internet."  

**No ProxyNotShell Patches**

It should be noted that these are not the two zero-day patches that researchers were expecting; those bugs, CVE-2022-41040 and CVE-2022-41082, also known as ProxyNotShell, remain unaddressed. When chained together, they can allow RCE on Exchange Servers.

"What may be more interesting is what isn’t included in this month's release. There are no updates for Exchange Server, despite two Exchange bugs being actively exploited for at least two weeks,” Childs wrote. “These bugs were purchased by the ZDI at the beginning of September and reported to Microsoft at the time. With no updates available to fully address these bugs, the best administrators can do is ensure the September … Cumulative Update (CU) is installed.”

"Despite high hopes that today's Patch Tuesday release would contain fixes for the vulnerabilities, Exchange Server is conspicuously missing from the initial list of October 2022 security updates," says Caitlin Condon, senior manager for vulnerability research at Rapid7. "Microsoft's recommended rule for blocking known attack patterns has been bypassed multiple times, emphasizing the necessity of a true fix."

As of early September, Rapid7 Labs observed up to 191,000 potentially vulnerable instances of Exchange Server exposed to the Internet via port 443, she adds. However, unlike the ProxyShell and ProxyLogon exploit chains, this group of bugs requires an attacker to have authenticated network access for successful exploitation.

"So far, attacks have remained limited and targeted," she says, adding, "That's unlikely to continue as time goes on and threat actors have more opportunity to gain access and hone exploit chains. We'll almost certainly see additional post-authentication vulnerabilities released in the coming months, but the real concern would be an unauthenticated attack vector popping up as IT and security teams implement end-of-year code freezes."

**Admins Take Note: Other Bugs to Prioritize**

As far as other issues to prioritize, ZDI's Childs flagged two Windows Client Server Run-time Subsystem (CSRSS) EoP bugs tracked as CVE-2022-37987 and CVE-2022-37989 (both 7.8 CVSS).

"CVS-2022-37989 is a failed patch for CVE-2022-22047, an earlier bug that saw some in-the-wild exploitation," he explained. "This vulnerability results from CSRSS being too lenient in accepting input from untrusted processes. By contrast, CVE-2022-37987 is a new attack that works by deceiving CSRSS into loading dependency information from an unsecured location."

Also notable: Nine CVEs categorized as RCE bugs with critical severity were also patched today, and seven of them affect the Point-to-Point Tunneling Protocol, according to Greg Wiseman, product manager at Rapid7. "\[These\] require an attacker to win a race condition to exploit them," he noted via email.

Automox researcher Jay Goodman adds that CVE-2022-38048 (CVSS 7.8) affects all supported versions of Office, and they could allow an attacker to take control of a system "where they would be free to install programs, view or change data, or create new accounts on the target system with full user rights." While the vulnerability is less likely to be exploited, according to Microsoft, the attack complexity is listed as low.

And finally, Gina Geisel, also an Automox researcher, warns that CVE-2022-38028 (CVSS 7.8), a Windows Print Spooler EoP bug, as a low-privilege and low-complexity vulnerability that requires no user interaction.

"An attacker would have to log on to an affected system and run a specially crafted script or application to gain system privileges," she notes. "Examples of these attacker privileges include installing programs; modifying, changing, and deleting data; creating new accounts with full user rights; and moving laterally around networks."

Microsoft Addresses Zero-Days, but Exchange Server Exploit Chain Remains Unpatched

Microsoft SharePoint Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-38053, CVE-2022-41037, CVE-2022-41038.

CVE-2022-41036

Microsoft Office Information Disclosure Vulnerability.

CVE-2022-41043

Microsoft Office Graphics Remote Code Execution Vulnerability.

CVE-2022-38049

Microsoft Word Remote Code Execution Vulnerability.

CVE-2022-41031

Microsoft SharePoint Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-38053, CVE-2022-41036, CVE-2022-41037.

CVE-2022-41038

Microsoft Edge (Chromium-based) Spoofing Vulnerability.

CVE-2022-41035

Microsoft Office Remote Code Execution Vulnerability.

Tag

#microsoft