This month Microsoft released patches for 85 vulnerabilities with 15 rated “Critical” in severity.

All patches will be approved in our patch policy.

 

A sizable number (15) of critical patches this month but the big news is what Microsoft did not patch.

Two new zero-day vulnerabilities (CVE-2022-41040 and CVE-2022-41082) in Microsoft Exchange Server were reported at the end of September. Known as “ProxyNotShell” Microsoft has added protections to Exchange Online but on-prem Exchange Server administrators should review their Customer Guidance (See “Heads Up” below).

CVE-2022-41033 patches a publicly exploited zero-day “elevation of privilege” bug in the Windows COM+ event service. CVE-2022-41043 is a publicly disclosed flaw in Office for Mac which could lead to data leakage.

Organizations running Kubernetes clusters on Azure should patch for an Elevation of Privilege vulnerability (CVE-2022-37968). There is a known issue with Windows Group Policy preferences. This was actually introduced last month but was late to be acknowledged by Microsoft.

SharePoint Server also has some new known issues with this month’s patches. See “Know Issues” below. One new standalone SSUs for Windows 8.1/Server 2012 R2.

 

FYI Windows 11 version 22H2 available through Windows Update.

Windows 11, version 22H2 known issues and notifications

https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-22h2

 

Heads Up! Unpatched zero-day flaws affecting Microsoft Exchange Server 2013, 2016, and 2019 (CVE-2022-41040, CVE-2022-41082)

Exchange Online has detections and mitigation in place to protect customers. Administrators with on-prem Exchange servers should review the mitigations suggested in the security advisory

Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server

https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

Note: An attacker needs authenticated network access for successful exploitation.

 

Disclosed: CVE-2022-41043

Exploited: CVE-2022-41033

 

Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance

 

Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com

 

Microsoft Security Advisories

 

ADV990001 | Latest Servicing Stack Updates (Published:11/13/2018 | Last Updated:10/11/2022)

https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001

Reason for Revision: A Servicing Stack Update has been released for Windows 8.1/Server 2012 R2.

 

Known Issues

A couple known issues are listed below affecting all Windows systems and SharePoint Server.

 

Windows Group Policy Preferences

Affects all Windows versions

Copying files/shortcuts using Group Policy Preferences might not work as expected

https://support.microsoft.com/en-us/topic/october-11-2022-kb5018410-os-builds-19042-2130-19043-2130-and-19044-2130-6390f057-28ca-43d3-92ce-f4b79a8378fd

Symptom: After installing this update, file copies using Group Policy Preferences might fail or might create empty shortcuts or files using 0 (zero) bytes. Known affected Group Policy Objects are related to files and shortcuts in User Configuration > Preferences > Windows Settings in Group Policy Editor.

Workaround: To mitigate this issue, you can do ONE of the following:

• Uncheck the “Run in logged-on user’s security context (user policy option)”. Note: This might not mitigate the issue for items using a wildcard (*).
• Within the affected Group Policy, change “Action” from “Replace” to “Update”.
• If a wildcard (*) is used in the location or destination, deleting the trailing “\” (backslash, without quotes) from the destination might allow the copy to be successful.

Status: We are working on a resolution and will provide an update in an upcoming release.

 

SharePoint 2010 workflows

Affects SharePoint Server (Foundation 2013/Enterprise Server 2016/Server 2019/SharePoint Server Subscription Edition)

SharePoint 2010 workflows might be blocked by enhanced security policy (KB5020238)

https://support.microsoft.com/en-us/topic/sharepoint-2010-workflows-might-be-blocked-by-enhanced-security-policy-kb5020238-eb91e24d-eea4-4490-a281-86503adc8b27

Symptoms: After you install the following October security updates for Microsoft SharePoint Server, some Microsoft SharePoint 2010 workflow scenarios might be blocked. Additionally, “6ksbk” event tags are logged in SharePoint Unified Logging System (ULS) logs.

Cause: To strengthen its security, SharePoint supports only UTF-8 encoding for the workflow .xoml file.

Workaround: To work around this issue, modify your workflow .xoml file to use UTF-8 encoding, and then redeploy it.

 

Good resource for known issues with Windows 10 patches. Find the version and click on “Known issues”.

Windows release health

https://docs.microsoft.com/en-us/windows/release-health/

 

Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022 KBs

Links are https://support.microsoft.com/en-us/help/####### with the KB number only.

 

Security and Quality Rollup

• KB5018454 – Windows 7, Windows Server 2008 R2 (ESU)
• KB5018474 – Windows 8.1, Windows Server 2012 R2
• KB5018457 – Windows Server 2012
• KB5018450 – Windows Server 2008 (ESU)

 

Security Only Update

• KB5018479 – Windows 7, Windows Server 2008 R2 (ESU)
• KB5018476 – Windows 8.1, Windows Server 2012 R2
• KB5018478 – Windows Server 2012
• KB5018446 – Windows Server 2008 (ESU)

 

Cumulative Updates

Windows 10

• KB5018425 – Original release version 1507 (OS Build 10240)
• KB5018411 – Version 1607 “Anniversary Update” (OS Build 14393)
• KB5018419 – Version 1809 “October 2018 Update” (OS Build 17763)
• KB5018410 – Version 20H2 “October 2020 Update” (OS Build 19042)
• KB5018410 – Version 21H1 “May 2021 Update” (OS Build 19043)
• KB5018410 – Version 21H2 “November 2021 Update” (OS Build 19044)

(Versions 1511,1703,1709,1803,1903,2004 are no longer under support)

 

Windows 11

• KB5018418 – 21H2 (OS Build 22000) Original release
• KB5018418 – 22H2 (OS Build 22621)

 

Windows Server

• KB5018411 – Server 2016 (same KB as Windows 10 Version 1607)
• KB5018419 – Server 2019 (same KB as Windows 10 Version 1809)
• KB5018421 – Server 2022 (OS Build 20348)

 

October 2022 updates for Microsoft Office

https://support.microsoft.com/en-us/topic/october-2022-updates-for-microsoft-office-4ebed600-ca67-4182-9377-59bf9b8650f0

 

Notable CVEs

 

CVE-2022-37968 | Azure Arc-enabled kubernetes cluster connect elevation of privilege vulnerability

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37968

– Microsoft has identified a vulnerability affecting the cluster connect feature of Azure Arc-enabled Kubernetes clusters. This vulnerability could allow an unauthenticated user to elevate their privileges and potentially gain administrative control over the Kubernetes cluster. Additionally, because Azure Stack Edge allows customers to deploy Kubernetes workloads on their devices via Azure Arc, Azure Stack Edge devices are also vulnerable to this vulnerability.

 

CVE-2022-37976 | Active Directory Certificate Services elevation of privilege vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37976

– EoP vulnerability affecting Active Directory Certificate Services.  An attacker who successfully exploited this vulnerability could gain domain administrator privileges.

 

CVE-2022-37979 | Windows Hyper-V Elevation of Privilege Vulnerability (Cumulative Update)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37979

– An attacker on a Nested Hyper-V environment would gain Level 1 Hyper-V Windows Root OS privileges.

 

CVE-2022-38028 | Windows Print Spooler elevation of privilege vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-38028

– EoP vulnerability in Windows Print Spooler components. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges

 

CVE-2022-38053, CVE-2022-41036, CVE-2022-41037 and CVE-2022-41038 | Microsoft SharePoint Server remote code execution vulnerability (KB5002278,KB5002283,KB5002284,KB5002287,KB5002290)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-38053

– RCE vulnerabilities in Microsoft SharePoint Server. To exploit these vulnerabilities, a network-based attacker would need to be authenticated to the target SharePoint site with permission to use Manage Lists.

 

CVE-2022-41033 | Windows COM+ Event System Service elevation of privilege vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41033

– EoP vulnerability in the Windows COM+ Event System Service. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges

 

CVE-2022-41043| Microsoft Office Information Disclosure Vulnerability (Office for Mac)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41043

– The type of information that could be disclosed if an attacker successfully exploited this vulnerability is user tokens and other potentially sensitive information.