Microsoft Confirms Windows 0Day Under Attack, Most Versions Vulnerable

It’s the second week of the month, which means it’s time for Microsoft’s scheduled monthly security update. As has become all too familiar to Microsoft users, this month’s Patch Tuesday update confirms yet more Zero-Day (0Day) security vulnerabilities, including one that Microsoft says is being actively exploited.

October Patch Tuesday: 84 vulnerabilities, 13 critical, 2 zero-days

With some 84 vulnerabilities, it’s far from being the biggest Patch Tuesday event of the year. However, 13 carry a critical severity rating and two are 0Days.

Microsoft defines a 0Day as a security vulnerability that has been publicly disclosed, or is under active attack, before an official patch is available.

In the case of CVE-2022-41033, which Microsoft confirms is being actively exploited in the wild but about which it provides no further detail, most versions of Windows are affected. “All versions of Windows, starting with Windows 7 and Windows Server 2008, are vulnerable,” said Mike Walters, vice president of vulnerability and threat research at Action1.


Why is fixing CVE-2022-41033 so important?

It doesn’t get the highest severity classification, with a CVSS rating of 7.8. Still, says Walters, “there has been an exploit for this vulnerability for a long time, and it can be easily combined with an RCE exploit.” That raises the stakes, because this elevation of privilege vulnerability can give an attacker full SYSTEM privileges. The mitigating factor is that an attacker needs local access to exploit CVE-2022-41033 on its own, but chaining it with a remote code execution bug that provides that initial foothold quickly dilutes that protection. Because the affected component, the Windows COM+ Event System service, launches with the operating system by default, this vulnerability should be patched as soon as possible.
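As an added example (not part of the article, and not an Action1 or Microsoft tool), the following PowerShell check lets an administrator confirm two things on a host: whether any update has been installed since the 11 October 2022 Patch Tuesday, and whether the COM+ Event System service (service name `EventSystem`) is present and running. It assumes the install-date heuristic is acceptable in place of per-build KB numbers, which the article does not list and which differ between Windows versions.

```powershell
# Added example, not from the article. Checks patch state relative to the
# October 2022 Patch Tuesday (11 October 2022) and the state of the COM+ Event
# System service affected by CVE-2022-41033. Requires PowerShell 3.0 or later.
#
# Assumption: KB numbers for the October 2022 cumulative update differ per
# Windows build, so this keys on the install date of the newest hotfix rather
# than a hard-coded KB. An update after that date is strong but not absolute
# evidence that the cumulative update is present; confirm against the KB for
# your build before closing the finding.

$patchTuesday = Get-Date '2022-10-11'

# Get-HotFix reads the Windows QFE store; InstalledOn can be empty on some
# entries, so filter those out before comparing dates.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn -Descending

if ($recent) {
    Write-Output "Updates installed on or after $($patchTuesday.ToShortDateString()):"
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Warning "No updates installed since $($patchTuesday.ToShortDateString()); the October 2022 cumulative update is probably missing."
}

# The COM+ Event System service starts with the OS by default. Win32_Service
# exposes both the current state and the configured start mode.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='EventSystem'"

if ($svc) {
    Write-Output ("COM+ Event System service: {0} (StartMode {1})" -f $svc.State, $svc.StartMode)
} else {
    Write-Warning "COM+ Event System service (EventSystem) not found on this host."
}

# Emit one object per host so the check can be collected across a fleet,
# for example via Invoke-Command -ComputerName ... -FilePath .\this-script.ps1
[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    OSVersion           = [Environment]::OSVersion.VersionString
    PatchedSinceOct2022 = [bool]$recent
    LatestHotFixID      = if ($recent) { $recent[0].HotFixID } else { $null }
    LatestHotFixDate    = if ($recent) { $recent[0].InstalledOn } else { $null }
    EventSystemState    = if ($svc) { $svc.State } else { 'NotFound' }
    EventSystemStart    = if ($svc) { $svc.StartMode } else { 'NotFound' }
}
```

Run it locally in an elevated PowerShell session, or push it to many hosts with `Invoke-Command` and export the returned objects to CSV to find machines that have not received the October update.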

Some 39 of the vulnerabilities addressed are elevation of privilege flaws, which is unsurprising, as such bugs are among the most valuable to an attacker: they turn a low-privileged foothold into full control of the machine.

You can find more details about all the vulnerabilities fixed by the October Patch Tuesday update in the SANS Internet Storm Center’s Patch Tuesday summary, which includes CVE links to the National Institute of Standards and Technology (NIST) National Vulnerability Database.


Microsoft fails to fix two still-exploited Exchange Server 0Days

Unfortunately, two zero-day vulnerabilities that are still being actively exploited remain unpatched: CVE-2022-41040 and CVE-2022-41082, which I reported on last month. Microsoft has confirmed that the fixes for these Exchange Server 0Day vulnerabilities are not included in this update and will be released “when ready”.
