Microsoft fixes two zero-day vulnerabilities in the October 2022 Patch Tuesday release


Some dangerous Windows bugs have been fixed; others remain

In short: Microsoft has released a new batch of patches that fix bugs in Windows and other widely used software products. The most important updates close two zero-day flaws, but the two Exchange bugs discovered in recent weeks remain unpatched and still pose a threat to mail servers around the world.

Patch Tuesday is the informal name for Microsoft's monthly security-update release, which the company has shipped on the second Tuesday of each month since October 2003. Because Windows is one of the largest software platforms in use, its fixes dominate each scheduled release.

The security updates Microsoft released in October 2022 include fixes for 84 security flaws found in various Windows components (from the kernel to the CD-ROM driver), Microsoft Edge, Azure, Active Directory Domain Services, Visual Studio Code, the NTFS file system, TCP/IP, the Win32k subsystem and many other products or features. Thirteen of the vulnerabilities are rated "critical" because they pose the greatest threat to both servers and consumer systems.

The 84 bugs break down into 39 elevation-of-privilege vulnerabilities, two security-feature bypasses, 20 remote code execution vulnerabilities, 11 information disclosure vulnerabilities, eight denial-of-service vulnerabilities and four spoofing vulnerabilities. A dozen additional bugs in the Chromium-based Edge browser are not counted, as they were already fixed on October 3.

The October 2022 Patch Tuesday release includes fixes for two zero-day bugs. Microsoft classifies a vulnerability as a zero-day when it has been publicly disclosed, or actively exploited in attacks, before a patch is available. The actively exploited one is an elevation-of-privilege vulnerability in the Windows COM+ Event System Service (CVE-2022-41033). According to Microsoft, an attacker who "successfully exploited this vulnerability could gain SYSTEM privileges", provided the attacker already has local access to the target system; in practice such a bug is chained after an initial foothold, for example a malicious document or a browser exploit, to take full control of the machine.

The publicly disclosed one is a Microsoft Office information disclosure vulnerability (CVE-2022-41043), which attackers can use to expose user tokens or "other potentially sensitive information". According to Microsoft's advisories, CVE-2022-41033 was reported by an "anonymous" researcher, and CVE-2022-41043 was found by SpecterOps security researcher Cody Thomas.
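An administrator cannot treat the two zero-days above as closed until the October cumulative update is actually present on each host. The following PowerShell script is an added example and is not part of the original article or of any Microsoft tooling. It reads the installed build and update build revision (UBR) from the registry, looks up the KB that the October 2022 cumulative update shipped under for that build, and reports whether the host is patched either because the KB is listed by Get-HotFix or because a later cumulative update has superseded it. The KB numbers and minimum UBR values in the table are the author's assumptions and must be checked against the Microsoft Update Catalog before the script is used for anything that matters.

```powershell
# Added example (not from the original article): report whether this Windows
# host has the October 2022 Patch Tuesday cumulative update installed.
#
# ASSUMPTION: the KB -> (build, UBR) table below is the author's recollection of
# the October 11, 2022 cumulative updates. Verify each entry against the
# Microsoft Update Catalog / release notes before relying on it.

$OctoberUpdates = @{
    'KB5018410' = @{ Builds = @(19044, 19045); MinUbr = 2130 }  # Windows 10 21H2 / 22H2
    'KB5018418' = @{ Builds = @(22000);        MinUbr = 1098 }  # Windows 11 21H2
    'KB5018427' = @{ Builds = @(22621);        MinUbr = 674  }  # Windows 11 22H2
    'KB5018421' = @{ Builds = @(20348);        MinUbr = 1129 }  # Windows Server 2022
}

function Get-OctoberPatchStatus {
    [CmdletBinding()]
    param()

    # CurrentBuildNumber is the OS build (e.g. 19045); UBR is the revision that
    # every cumulative update increments (e.g. 19045.2130 after KB5018410).
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    # Find the October KB that applies to this build (at most one entry matches).
    $entry = $OctoberUpdates.GetEnumerator() |
             Where-Object { $_.Value.Builds -contains $build } |
             Select-Object -First 1

    if (-not $entry) {
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Build        = "$build.$ubr"
            ExpectedKB   = $null
            KBInstalled  = $null
            Status       = 'Build not in table; check the Update Catalog manually'
        }
    }

    $kb = $entry.Key
    # Get-HotFix only lists the KB if that exact package is installed; a later
    # cumulative update supersedes it, so also accept a UBR at or above the
    # October revision.
    $hotfix  = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    $patched = ($null -ne $hotfix) -or ($ubr -ge $entry.Value.MinUbr)

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Build        = "$build.$ubr"
        ExpectedKB   = $kb
        KBInstalled  = [bool]$hotfix
        Status       = if ($patched) { 'Patched (October 2022 CU or later)' }
                       else          { 'MISSING October 2022 cumulative update' }
    }
}

Get-OctoberPatchStatus | Format-List
```

The UBR comparison is the part that matters in a fleet: hosts that jumped straight to a November or later cumulative update will never show KB5018410 in Get-HotFix, yet they do carry the CVE-2022-41033 fix, so a check based on the KB name alone produces false "missing" results.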

Unfortunately for companies and professional users, this month's Patch Tuesday does not include a proper fix for the Microsoft Exchange zero-day bugs disclosed at the end of September. Microsoft is asking system administrators to keep applying the mitigations it recommended at that time, since the company evidently needs more time to produce patches.

