Microsoft has released patches for 141 flaws in its August 2022 Patch Tuesday update including two previously undisclosed (zero-day) flaws, of which one is actively being exploited.
The total patch count for the August 2022 Patch Tuesday Update actually includes 20 flaws in Edge that Microsoft had previously released fixes for, leaving 121 flaws affecting Windows, Office, Azure, .NET Core, Visual Studio and Exchange Server.
The Zero Day Initiative noted that the volume of fixes released this month is “markedly higher” than what is normally expected in an August release. “It’s almost triple the size of last year’s August release, and it’s the second largest release this year,” the bug hunting group said.
Microsoft addressed 17 critical flaws and 102 important flaws this month across. The fixes address 64 elevation of privilege flaws and 32 remote code execution flaws, as well as security feature bypasses and information disclosure flaws. Also, 34 of this month’s fixes address bugs in Azure Site Recovery, Microsoft’s disaster recovery toolset for the cloud.
The actively exploited bug is a remote code execution flaw affecting the Microsoft Windows Support Diagnostic Tool (MSDT), tracked as CVE-2022-34713. According to Microsoft, it is related to a bug that some in security researchers refer to as “Dogwalk“.
Researchers Imre Rad (@ImreRad) and @j00sean reported the Dogwalk bug to Microsoft in early-2020 but Microsoft didn’t address it until May this year when attackers began exploiting MSDT via malicious Word documents. Microsoft that month issued the identifier CVE-2022-30190 with mitigation steps, followed by a patch in mid-June and further defense-in-depth measures in July.
“We finally fixed the #DogWalk vulnerably. Sadly this remained an issue for far too long. thanks to everyone who yelled at us to fix it @j00sean @ImreRad,” tweeted Microsoft security researcher Jonathan Norman.
Microsoft says CVE-2022-34713 was discovered after public discussion prompted further scrutiny within and outside of Microsoft.
“In May, Microsoft released a blog giving guidance for a vulnerability in MSDT and released updates to address it shortly thereafter. Public discussion of a vulnerability can encourage further scrutiny on the component, both by Microsoft security personnel as well as our research partners. This CVE is a variant of the vulnerability publicly known as Dogwalk,” Microsoft notes in its advisory.
It has a CVSSv3 base score of 7.8 because victims need to be tricked into opening a malicious file.
An information disclosure flaw in Exchange Server was publicly disclosed prior to Tuesday but hasn’t been exploited yet. Vulnerable on-premise Exchange Servers were one of the most targeted systems in 2021 thanks to the ProxyShell and ProxyLogon bugs.
Rapid 7 emphasizes that patching the Exchange Server flaw (CVE-2022-30134) will not prevent attackers from being able to read targeted email messages. Admins also need to enable Windows Extended protection to Exchange servers. Microsoft’s Exchange Team has detailed how to manually do this in a separate blogpost. There are patches for five more Exchange bugs that need to be applied to fully remediate this issue.
The firm also recommends patching patching CVE-2022-34715, a remote code execution flaw affecting Windows Network File System (NFS) version 4.1 on Windows Server 2022. It has a CVSSv3 score of 9.8. One notable flaw, CVE-2022-35797, is a bypass for Microsoft’s Windows Hello biometric authentication mechanism. An attacker would need physical access to exploit the bug, but could bypass Windows Hello if they did.
Security firm Ivanti notes that as of the August Patch Tuesday update, there are only six months of Extended Security Updates (ESU) remaining for Windows 7 and Windows Server 2008/2008R2. Microsoft in July flagged the end of support for the three additional years of Windows 7 ESUs after its end-of-life in 2020.
Also, after this month Microsoft no longer provides updates to the Windows Server Semi-Annual Channel (SAC). Windows Server 20H2 reached end-of-support on August 9 and is the last of the SAC versions.