This week, Microsoft rolled out its monthly Patch Tuesday update bundle for July 2022. The bundle addresses 84 security vulnerabilities, only four of them rated critical, but it also closes a privilege escalation bug that was already being exploited in the wild. Windows users should install the updates as soon as possible.
Four Critical Vulnerability Fixes
With the July Patch Tuesday, Microsoft fixes two critical remote code execution vulnerabilities in the Windows Network File System (NFS) server. A remote, unauthenticated attacker could exploit either flaw, CVE-2022-22029 or CVE-2022-22039, by sending a specially crafted call to a vulnerable NFS service.
Microsoft rates both as critical, with CVSS scores of 8.1 and 7.5, respectively. For CVE-2022-22029, the company has also published mitigations for environments where the update cannot be applied immediately; these only reduce exposure and are not a substitute for patching.
Microsoft has also patched two other critical bugs that could allow RCE attacks. These are:
- CVE-2022-22038 (CVSS 8.1): RCE vulnerability in the Remote Procedure Call (RPC) Runtime. Microsoft notes that successful exploitation requires the attacker to invest time in repeated attempts, sending constant or intermittent data to the target, which is why the score is below the maximum despite no authentication being required.
- CVE-2022-30221 (CVSS 8.8): RCE flaw in the Windows Graphics Component. The attack works in the opposite direction from a typical RDP bug: the attacker must trick the target user into connecting to a malicious RDP server, which then exploits the client.
Other Fixes in the July Patch Tuesday
Alongside the four critical vulnerabilities, Microsoft has fixed 80 other important-severity vulnerabilities across various products.
These include an actively exploited vulnerability, CVE-2022-22047, in the Windows Client Server Runtime Subsystem (CSRSS). Microsoft describes it as a privilege escalation flaw (CVSS 7.8) that allows an attacker who already has local code execution to gain SYSTEM privileges.
Microsoft has confirmed that it detected exploitation in the wild before the fix was released, although the flaw had not been publicly disclosed beforehand. The company has not shared details about the nature of the attacks, the targeted systems, or who was behind them. Because an EoP bug of this kind is typically chained with a browser or document exploit to escape a sandbox, this is the fix to prioritize on endpoints.
In addition, Microsoft has addressed two other privilege escalation flaws in Windows CSRSS, CVE-2022-22026 and CVE-2022-22049. Neither of these is known to have been exploited in the wild.
Other components receiving security fixes with the July update include Microsoft Defender for Endpoint, Microsoft Office, Skype for Business, Windows BitLocker, Boot Manager, Hyper-V, Windows DNS Server, Windows IIS Server, and more.
While the updates should reach devices automatically, it is still recommended that users check for updates manually, and that administrators confirm the cumulative update is actually installed rather than merely downloaded, to avoid delayed patches.
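The following PowerShell script is an added illustration of that check; it is not part of the original article and not Microsoft's guidance. It assumes an elevated PowerShell 5.1+ session on a Windows host, looks at whether the NFS server affected by CVE-2022-22029 and CVE-2022-22039 is even present and listening, lists updates installed since the release date, and asks the local Windows Update agent what is still pending. The `-PatchDay` parameter and the port check are the author's own choices, not Microsoft-specified values; no KB numbers are hard-coded because they differ per Windows build.

```powershell
# Added example (not from the article or from Microsoft): triage one host
# after Patch Tuesday. Run elevated. $PatchDay is the release date of the
# update you care about; it is a parameter, not an official identifier.
param([datetime]$PatchDay = '2022-07-12')

# 1. Exposure to the NFS server RCEs: is the Server for NFS service installed?
$nfs = Get-Service -Name NfsService -ErrorAction SilentlyContinue
if ($nfs) {
    "Server for NFS is present, state: $($nfs.Status)"
    # The NFS module exposes which protocol versions are enabled.
    if (Get-Command Get-NfsServerConfiguration -ErrorAction SilentlyContinue) {
        Get-NfsServerConfiguration | Select-Object EnableNFSV2, EnableNFSV3, EnableNFSV4
    }
    # Is the NFS port (TCP 2049) actually listening, and on which address?
    Get-NetTCPConnection -LocalPort 2049 -State Listen -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess
} else {
    "Server for NFS is not installed: the NFS RCEs do not apply to this host"
}

# 2. Has anything been installed on or after the release date?
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchDay } |
    Sort-Object InstalledOn -Descending
if ($recent) {
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    "No update installed on or after $($PatchDay.ToShortDateString()): run Windows Update"
}

# 3. Ask the Windows Update agent (local COM API) what is still outstanding.
# This call contacts the configured update source, so it needs network access.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates
if ($pending.Count -eq 0) {
    "No pending software updates reported by the Windows Update agent"
} else {
    foreach ($u in $pending) { "PENDING: $($u.Title)" }
}
```

Step 2 only proves that some update landed after the release date, so read the `HotFixID` column against the cumulative update for your build on Microsoft's release notes; step 3 is the more reliable signal, because a cumulative update that was downloaded but not installed will still show up as pending.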
Let us know your thoughts in the comments.