October’s round of monthly Microsoft security patches addressed 84 vulnerabilities, 13 of them rated critical. Most notable is the zero-day flaw CVE-2022-41033, which Microsoft says has been actively exploited, although it has provided no detail on the targets or prevalence of the attacks. This is a privilege-escalation vulnerability in the Windows COM+ Event System Service that could allow an attacker who already has a foothold on a host to elevate their privileges to SYSTEM, effectively giving them complete control of the machine. The vulnerability affects all supported versions of Windows, beginning with Windows 7 and Server 2008.
Another vulnerability patched in this release was CVE-2022-37968, a second privilege-escalation flaw, this time in Azure Kubernetes clusters, carrying the maximum CVSS score of 10. It could allow a remote, unauthenticated attacker to take administrative control of an Arc-enabled Kubernetes cluster, although Microsoft states that successful exploitation requires the attacker to know the randomly generated name of the cluster’s DNS endpoint.
Notably absent from this round of patches was a fix for ProxyNotShell, a pair of actively exploited zero-day vulnerabilities in on-premises Exchange that allow an authenticated attacker to achieve remote code execution. After the flaws were first disclosed by a third-party security researcher in September, Microsoft released mitigation guidance but has yet to publish a fix.