October Patch Wednesday handles 13 critical vulnerabilities

One PrivEsc bug exploited in the wild.

Microsoft's regular set of security updates for October addresses 96 vulnerabilities, 13 of them rated as critical.

Critical remote code execution vulnerabilities are found in its Office productivity suite and in the Windows point-to-point tunnelling protocol (PPTP), which contains seven serious bugs that an attacker can only exploit by winning a race condition.

Several other remote code execution and privilege elevation vulnerabilities are fixed in the Patch Wednesday updates, including one affecting Active Directory Certificate Services, which is rated as critical.

Eleven vulnerabilities affect Microsoft's Chromium-based Edge web browser, but these are not rated, the SANS Internet Storm Centre noted.

An Exchange Server vulnerability that can be exploited by authenticated users is not patched this month; instead, Microsoft recommends rule-based attack blocking as a mitigation.

Of the 13 critical-rated vulnerabilities, the CVE-2022-41033 bug affecting the Windows COM+ component services management system is currently being exploited in the wild.

Microsoft rates the system service elevation of privilege vulnerability as a 7.8 out of 10 on the Common Vulnerability Scoring System (CVSS) version 3.1.

Another privilege escalation vulnerability, affecting Azure Arc-enabled Kubernetes cluster Connect, has the maximum CVSS 3.1 rating of 10.0; it could allow an attacker to become an admin and gain full control over the Kubernetes cluster.

But Rapid7 product manager Greg Wiseman questioned why the CVE-2022-37968 vulnerability was scored as a full 10.0, given that it is difficult to exploit.

"It's unclear why Microsoft assigned such a high score, given that an attacker would need to know the randomly generated external DNS [domain name system] endpoint for an Azure Arc-enabled Kubernetes cluster, arguably making the attack complexity high," Wiseman said.

Nevertheless, Wiseman suggested that Azure Arc and Stack Edge users should check that auto-updates are turned on and, if not, upgrade manually as soon as possible.

Copyright © iTnews.com.au. All rights reserved.