Microsoft has fixed 84 vulnerabilities (aka flaws) in the October 2022 update, including 13 vulnerabilities classified as Critical as they allow Elevation of Privilege (EoP), Remote Code Execution (RCE), and Spoofing. This month’s Patch Tuesday fixes two (2) zero-day vulnerabilities, with one (1) actively exploited* in attacks (CVE-2022-41033*, CVE-2022-41043). Earlier this month, on October 3 and 6, 2022, Microsoft also released a total of 12 Microsoft Edge (Chromium-Based) updates, one (1) addressing Spoofing (CVE-2022-41035) ranked Moderate.

Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, Spoofing, Microsoft Edge (Chromium-based), and Microsoft Edge (Chromium-based) / Spoofing.

Microsoft Exchange Zero-Days Not Fixed

Unfortunately, Microsoft has not released security updates to address ProxyNotShell which includes two actively exploited zero-day vulnerabilities tracked as CVE-2022-41040 and CVE-2022-41082.

Released: October 2022 Exchange Server Security Updates provides the following update:

NOTE The October 2022 SUs do not contain fixes for the zero-day vulnerabilities reported publicly on September 29, 2022 (CVE-2022-41040 and CVE-2022-41082). Please see this blog post to apply mitigations for those vulnerabilities. We will release updates for CVE-2022-41040 and CVE-2022-41082 when they are ready.

The October 2022 Microsoft Vulnerabilities are classified as follows:

---

A vulnerability is classified as a zero-day if it is publicly disclosed or actively exploited with no official fix available.

CVE-2022-41033 | Windows COM+ Event System Service Elevation of Privilege (EoP) Vulnerability

This vulnerability has a CVSSv3.1 score of 7.8/10.

Classified as Critical, this issue affects an unknown function of the component COM+ Event System Service. The impact of exploitation is loss of confidentiality, integrity, and availability.

Microsoft has not disclosed how the vulnerability is being exploited or if it is being exploited in targeted or more widespread attacks. They only say that the attack complexity is low and that it requires no user interaction for the attacker to be able to achieve SYSTEM privileges.

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

Patch Installation should be considered both Critical and Mandatory.

Exploitability Assessment: Exploitation Detected

---

CVE-2022-41043| Microsoft Office Information Disclosure Vulnerability

This vulnerability has a CVSSv3.1 score of 3.3/10.

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is user tokens and other potentially sensitive information. The impact of exploitation is loss of confidentiality

This vulnerability demands that the victim is doing some kind of user interaction. As of the time of publishing, neither technical details nor an exploit is publicly available.

Exploitability Assessment: Exploitation Less Likely

---

This month’s advisory covers multiple Microsoft product families, including Azure, Browser, Developer Tools, Extended Security Updates (ESU), Microsoft Dynamics, Microsoft Office, System Center, and Windows.

A total of 78 unique Microsoft products/versions are affected, including but not limited to .NET and .NET Core, Azure Arc-enabled Kubernetes cluster, Azure Service Fabric Explorer, Azure Stack Edge, Azure StorSimple 8000 Series, Jupyter Extension for Visual Studio Code, Microsoft 365 Apps for Enterprise, Microsoft Edge (Chromium-based), Microsoft Malware Protection Engine, Microsoft Office, Microsoft SharePoint Enterprise Server, Microsoft SharePoint Foundation, Microsoft SharePoint Server, Microsoft Visual Studio, Visual Studio and Visual Studio Code, Windows Desktop, and Windows Server.

Downloads include Cumulative Update, Monthly Rollup, Security Only, and Security Update.

---

Qualys Patch Tuesday QIDs are published as Security Alerts typically late in the evening on the day of Patch Tuesday, followed later by the publication of the monthly queries for the Unified Dashboard: 2022 Patch Tuesday (QID Based) Dashboard by Noon on Wednesday.

---

Patch Tuesday is a process. Please check back periodically throughout Patch Tuesday week as this blog is continually updated through Friday. New information, insights, and resources are added and updated as they become available.

---

The Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys Vulnerability Management Detection Response (VMDR) and Qualys Patch Management. Combining these two solutions can reduce the median time to remediate critical vulnerabilities. 

During the webcast, we will discuss this month’s high-impact vulnerabilities, including those that are part of this month’s Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management. 

---

Join the webinar

This Month in Vulnerabilities & Patches

---

The content within this section will spotlight Vulnerability Management, Patch Management, Threat Protections, and Policy Compliance adjacent events available to our new and existing customers.

---

WEBINARS

Introducing Qualys Workshop Wednesday

At Qualys Inc, providing cybersecurity through technology is what we do. Join us each month as we tap into the minds of Qualys experts to share how you can get the most out of your investment and understand ways in which you can quickly reduce your cyber risk exposure using the Qualys Cloud Platform. Each 45-minute monthly session, hosted on the first Wednesday of the month, will showcase practical hands-on tips and tricks, news on new capabilities and services, as well as useful customer success stories that can help you get the most out of the Qualys Cloud Platform.  

Never miss an update. Subscribe to the Qualys Workshop Wednesday! 

---

CONFERENCES

Qualys Annual Security Conference #QSC22

Qualys Security Conference (QSC) is a unique opportunity for the Qualys community to get together to hear the latest developments in cybersecurity, view the latest innovations from Qualys, trade best practices, share feedback, and learn tips & tricks on how security professionals work to keep their organizations secure.

We are pleased to announce the keynote speaker for the upcoming Qualys Security Conference

Explore and secure the digital journey. Dive into the profound impact of the digital journey and explore how to build security automation from the data center to the cloud. Industry experts and Qualys leaders discuss automation strategies, preview product roadmaps, listen to your challenges, and answer your questions.

Get inspired. Engage with Qualys’ customer-facing teams and your peers around best practices and user case studies for applying security automation to real-world challenges.

Sharpen your expertise. Two days of free training cover forward-looking strategies, best practices to improve effectiveness and productivity, and core/expanded product features to up-level your security program.

Who Should Attend? CIOs, CSOs, and CTOs; directors and managers of network, security, and cloud; developers and DevSecOps practitioners; Qualys partners and consultants; or any forward-thinking security professional.

Training Sessions

November 7 and November 8

---

Conference Sessions

November 9 and November 10

Attendance at QSC is complimentary. This includes access to all general sessions, breakout sessions, breakfast, lunch, breaks, and receptions.

---

#QSC22 Location and Reservation Information

November 7-10, 2022

The Venetian Resort Las Vegas, 3355 Las Vegas Blvd. South, Las Vegas, NV 89109, US

Book your hotel here & take advantage of the discounted QSC rate of $229+ per night

Or find a conference near you.