High Threat Security Alert (A22-10-09): Multiple Vulnerabilities in Microsoft Products (October 2022)

Description:

Microsoft has released security updates addressing multiple vulnerabilities which affect several Microsoft products or components. The list of security updates can be found at:
https://msrc.microsoft.com/update-guide/releaseNote/2022-Oct

Reports indicated that an elevation of privilege vulnerability (CVE-2022-41033) in Microsoft Windows and Server is being actively exploited and the technical details of an information disclosure vulnerability (CVE-2022-41043) in Microsoft Office was publicly disclosed. System administrators are advised to take immediate action to patch your affected systems to mitigate the elevated risk of cyber attacks.

Affected Systems:

• Microsoft Windows 7, 8.1, RT 8.1, 10, 11
• Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 2022
• Microsoft Office 2013, 2013 RT, 2016, 2019, 2019 for Mac, LTSC 2021, LTSC for Mac 2021
• Microsoft 365 Apps for Enterprise
• Microsoft SharePoint Foundation 2013
• Microsoft SharePoint Enterprise Server 2013, 2016
• Microsoft SharePoint Server 2019, Subscription Edition
• Microsoft Visual Studio 2019, 2022
• Visual Studio 2022 for Mac version 17.3
• Visual Studio Code
• .NET 6.0
• .NET Core 3.1
• Azure Arc-enabled Kubernetes cluster 1.5.8, 1.6.19, 1.7.18, 1.8.11
• Azure Service Fabric Explorer
• Azure Stack Edge
• Azure StorSimple 8000 Series
• Microsoft Malware Protection Engine
• Jupyter Extension for Visual Studio Code

Impact:

Depending on the vulnerability exploited, a successful attack could lead to remote code execution, elevation of privilege, information disclosure, denial of service, security feature bypass and spoofing.

Recommendation:

Patches for affected products are available from the Windows Update / Microsoft Update Catalog. Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

More Information:

• https://msrc.microsoft.com/update-guide/releaseNote/2022-Oct
• https://www.hkcert.org/security-bulletin/microsoft-monthly-security-update-october-2022
• https://www.cisa.gov/uscert/ncas/current-activity/2022/10/11/microsoft-releases-october-2022-security-updates
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22035
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24504
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30198
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33634 (to CVE-2022-33635)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33645
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34689
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35770
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35829
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37965
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37968
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37970 (to CVE-2022-37971)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37973 (to CVE-2022-37991)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37993 (to CVE-2022-38001)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38003
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38016 (to CVE-2022-38017)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38021 (to CVE-2022-38022)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38025 (to CVE-2022-38034)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38036 (to CVE-2022-38051)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38053
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41031 (to CVE-2022-41034)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41036 (to CVE-2022-41038)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41042 (to CVE-2022-41043)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41081
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41083