microsoft has published his Tuesday Patch corresponding to August 2022 to correct 121 security flaws that have been found in its products, which include things like Exchange Server in addition to the classic Windows and Office.
Of the 121 security flaws patched, 17 marked critical, 102 important, 1 as moderate and 1 as low risk. Of all of them, only two were publicly known at the time of the patch release. It is important to note that Microsoft Edge, the Chromium-based web browser, play in another league having corrected apart 25 deficiencies between finals from the end of July until the end of last week.
The Redmond giant, of everything patched, has stood out a vulnerability that opened the door to remote code execution via Microsoft Resource and Performance Monitor (MSDT), a Windows tool that generates a report of the status of local hardware resources, system response times, and local computer processes along with system information and configuration data. Exploitation of the vulnerability required the user to open a file specifically created for that purpose, which is why techniques such as phishing and deception are introduced by downloading a file hosted on a malicious website or via email.
The remote code execution found in MSDT, identified as CVE-2022-34713is not the only vulnerability found in the tool, since Microsoft has patched another of the same type identified as CVE-2022-35743.
Continuing with the remote executions, we find fixes for this type of vulnerability applied to the Windows Point-to-Point Protocol (PPP), the Windows Secure Sockets Tunneling Protocol (SSTP), Azure RTOS GUIX StudioMicrosoft Office, and the Hyper-V hypervisor included in the Windows operating system.
Another type of vulnerability with protagonism are the privilege escalations. Three such vulnerabilities have been found in the Exchange Server (CVE-2022-21980, CVE-2022-24477 Y CVE-2022-24516) that, when exploited, could be used to read specific email messages and download the attached files they contained. On the other hand, a publicly known security flaw has been patched in the same component (CVE-2022-30134) which opened the door to do the same.
The Tuesday Patch is responsible for correcting dozens of security flaws consisting of privilege escalations, 31 of which were found in Azure Site Recovery. This is in addition to what the company did a month ago, when it corrected thirty similar failures in the business continuity service, five in the direct storage spacesthree in the Windows kernel itself and two in the Print Spooler module.
The publication of these types of patches to fix a large number of vulnerabilities in batches are common among software solutions that reach a certain size. They also exist, although possibly published under other formats and with other cadences, for Linux distributions, Android, Adobe solutions, Intel products, etc.