Today is Microsoft’s September 2022 Patch Tuesday, and with it comes fixes for an actively exploited Windows vulnerability and a total of 63 flaws.
Five of the 63 vulnerabilities fixed in today’s update are classified as ‘Critical’ as they allow remote code execution, one of the most severe types of vulnerabilities.
The number of bugs in each vulnerability category is listed below:
- 18 Elevation of Privilege Vulnerabilities
- 1 Security Feature Bypass Vulnerability
- 30 Remote Code Execution Vulnerabilities
- 7 Information Disclosure Vulnerabilities
- 7 Denial of Service Vulnerabilities
- 16 Edge – Chromium Vulnerabilities
The total of 63 does not include the sixteen Microsoft Edge (Chromium) vulnerabilities fixed before Patch Tuesday, which are listed separately above.
For information about the non-security Windows updates, you can read today’s Windows 10 KB5017308 and KB5017315 updates and the Windows 11 KB5017328 update.
Two zero-days fixed, one actively exploited
This month’s Patch Tuesday fixes two publicly disclosed zero-day vulnerabilities, with one actively exploited in attacks.
Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.
The actively exploited zero-day vulnerability fixed today is tracked as ‘CVE-2022-37969 – Windows Common Log File System Driver Elevation of Privilege Vulnerability.’
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” reads Microsoft’s advisory.
The exploited vulnerability was discovered by researchers at DBAPPSecurity, Mandiant, CrowdStrike, and Zscaler.
Mandiant told BleepingComputer that they discovered the zero-day during a proactive Offensive Task Force exploit hunting mission.
“We found this 0Day bug during a proactive Offensive Task Force exploit hunting mission. An escalation of privilege (EOP) exploit was found in the wild, exploiting this Common Log File System (CLFS) vulnerability,” explained Dhanesh Kizhakkinan, Senior Principal Vulnerability Engineer at Mandiant.
“The exploit seems to stand alone and not be part of a chain (like browser + EOP).”
The other publicly disclosed vulnerability is tracked as ‘CVE-2022-23960 – Arm: CVE-2022-23960 Cache Speculation Restriction Vulnerability.’
The fix is for the Branch History Injection (BHI) speculative execution vulnerability that was disclosed by researchers at VUSec in March.