For the past few weeks, Microsoft has fixed several vulnerabilities, and in its October 2022 Patch Tuesday update, the American multinational corporation fixed a total of 84 vulnerabilities, including some major ones.
Among the vulnerabilities, 13 were classified as ‘Critical,’ severely impacting the associated devices and services. However, despite the efforts, a few zero-day vulnerabilities remain open and can be exploited. Moreover, the “ProxyNotShell” Exchange vulnerabilities were not included in the October 2022 Patch Tuesday updates.
October 2022 Patch Tuesday updates: An Overview
A zero-day vulnerability is a vulnerability in a system, software, or platform that has been disclosed but has not been patched yet. Since the vulnerability is known to all, hackers can exploit it, thus the term zero-day exploit. Though Microsoft has not fixed all the vulnerabilities, the company addressed many of them and released security patches to be updated by the end-users and firms.
One of the most exploited vulnerabilities in this month’s batch is CVE-2022-41033, carrying a CVSS score of 7.8 out of 10. The vulnerability was described as ‘Windows COM+ Event System Service Elevation of Privileges (EoP)’ and is known for allowing hackers to gain admin-level privileges after successful exploitation.
Microsoft Office Information Disclosure vulnerability CVE-2022-41043, which was made public, also received a fix. According to Microsoft, attackers may use this vulnerability to access users’ authentication tokens. Microsoft Office LTSC for Mac 2021 and Microsoft Office 2019 for Mac are the products mainly affected by the vulnerability.
The 52 vulnerabilities include known and unknown Microsoft products and apps fixed in the October update. However, despite the long list of CVE-2022-41043s, users and security specialists pointed out that the update didn’t include any legitimate fixes for Exchange.
The company is yet to fix the E00F bugs, even though it should have been part of the October update. Microsoft Exchange users, who use the Exchange Server for their daily mail work, are still open for attacks as the October updates didn’t bring anything for them, while all the other products and services received security patches.
Since the update didn’t brought a security patch, the best method to protect confidential data on Exchange Server is to keep up with Microsoft’s latest product mitigations and update the security patch once it releases.