Microsoft published its October 2022 Patch Tuesday bulletin yesterday, which includes a fix for an actively exploited Windows vulnerability alongside 83 other flaws.
Of the 84 vulnerabilities fixed in yesterday's update, 13 are classified as 'Critical' because they allow privilege elevation, spoofing or remote code execution, either individually or in combination. Of the remainder, 69 are rated Important and one is rated Moderate.
Further, this month's Patch Tuesday fixed two zero-day vulnerabilities. The first is a Windows COM+ Event System Service elevation of privilege vulnerability (CVSS score: 7.8), which affects an unspecified function of the COM+ Event System Service component.
"This patch fixes a security vulnerability that Microsoft stated is under active attack. However, it is not clear how severe these attacks are," commented Saeed Abbasi, manager of vulnerability signatures at Qualys.
"Due to the nature of this vulnerability, a privilege escalation that often engages some social engineering (e.g., requiring the user to open a malicious attachment), history shows that it potentially needs to be chained with a code execution bug to exploit."
The second zero-day, on the other hand, is a Microsoft Office Information Disclosure Vulnerability with a CVSS score of 3.3/10.
Notably, Microsoft has not included a patch for the ProxyNotShell vulnerability in Exchange Server (tracked as CVE-2022-41040), despite having confirmed its existence almost two weeks ago.
"It's worth noting that Microsoft has had to revise the mitigation for CVE-2022-41040 more than once, as the suggested URL rewrite mitigation was bypassed multiple times," explained Ankit Malhotra, manager of signature engineering at Qualys.
"Organizations that reacted to the ProxyShell vulnerability should also pay close attention to this, taking their lessons learned on rapid remediation, as this vulnerability can potentially see increased exploitation."
Microsoft's October 2022 Patch Tuesday report comes roughly a month after Apple released an iOS 12 update for older iPhone and iPad devices to patch a vulnerability that threat actors reportedly exploited.