Three critical vulnerabilities and one zero-day feature in Microsoft's September Patch Tuesday

Microsoft Windows 11 logo on a smartphone set against a background of neon blue code on a screen to denote a cyber security theme
(Image credit: Getty Images)

Microsoft has released 79 total patches as part of its monthly Patch Tuesday update, addressing three critical-rated vulnerabilities and one actively exploited zero-day.

The update delivers markedly fewer updates compared to last month’s which saw 141 flaws fixed, including 17 critical-rated vulnerabilities - the second round of updates of the year.

The updates consisted of 64 CVEs affecting Microsoft products and an additional 15 tracked issues impacting the Chromium-based Microsoft Edge browser.

Of the three critical-rated vulnerabilities - those with a severity score of 9.0 or higher on the CVSS v3 scale - the standout flaw impacted systems running the IPsec protocol which encrypts all internet protocol packets in a communication session.

The remote code execution (RCE) vulnerability was marked by Microsoft as “more likely” to be exploited and could allow an unauthenticated attacker to send a specially crafted IPv6 packet to an IPsec-enabled Windows node to achieve code execution.

There is no indication that it has been exploited in the wild but with the attack complexity being thought of as ‘low’ and there being no need for any authentication at all, it is considered one of the most serious issues for IT admins to address urgently.

Tracked as CVE-2022-34718, the Zero Day Initiative (ZDI) said: “This critical-rated bug could allow a remote, unauthenticated attacker to execute code with elevated privileges on affected systems without user interaction.

“That officially puts it into the ‘wormable’ category and earns it a CVSS rating of 9.8. However, only systems with IPv6 enabled and IPsec configured are vulnerable. While good news for some, if you’re using IPv6 (as many are), you’re probably running IPSec as well. Definitely test and deploy this update quickly.”

Both of the remaining two critical-rated vulnerabilities, both rated 9.8/10 and tracked as CVE-2022-34721 and CVE-2022-34722 respectively, impact the Windows Internet Key exchange (IKE) and can facilitate RCE.

Similar to the “exploitation more likely” CVE-2022-34718, the two other serious flaws can be carried out remotely and require no privileges in order to exploit.

“The IKE protocol is a component of IPsec used to set up security associations - relationships among devices based on shared security attributes,” said Tenable’s Security Response Team in a blog.

“These vulnerabilities would allow an unauthenticated, remote attacker to send a specially crafted IP packet to a target with IPsec enabled and achieve remote code execution. IPsec is used to protect sensitive data and is commonly used in virtual private networks.”

RELATED RESOURCE

Storage's role in addressing the challenges of ensuring cyber resilience

Understanding the role of data storage in cyber resiliency

FREE DOWNLOAD

The single actively-exploited zero-day (CVE-2022-37969) impacted a Windows Common Log File System driver and could be used by an attacker to elevate their privileges to SYSTEM level.

It received a lower-severity score of 7.8/10 on the CVSS v3 scale due to the attacker already needing to have local access to the target’s machine.

This level of code-execution access could be gained either by having their hands on the device’s keyboard (physical access) or remotely through techniques such as exploitation of another vulnerability or having remote access via remote desktop protocol (RDP), for example.

“Bugs of this nature are often wrapped into some form of social engineering attack, such as convincing someone to open a file or click a link,” said the ZDI. “Once they do, additional code executes with elevated privileges to take over a system.

“Usually, we get little information on how widespread an exploit may be used. However, Microsoft credits four different agencies reporting this bug, so it’s likely beyond just targeted attacks.”

The full list of vulnerabilities patched by Microsoft in September’s Patch Tuesday can be found on its dashboard.

Connor Jones
Contributor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.