Microsoft released fixes for a Windows zero-day and a publicly disclosed vulnerability on October Patch Tuesday but security updates for two Exchange Server zero-days discovered last month are still in limbo.
In total, Microsoft addressed 89 unique CVEs this month with five of the security updates rereleased from August to address issues affecting Exchange Server functionality. Thirteen of the October Patch Tuesday security updates were rated critical.
Windows zero-day tops the patching priority list
The Windows zero-day is a Windows COM+ Event System Service elevation-of-privilege vulnerability (CVE-2022-41033) rated important. This bug does not require user interaction and a successful exploit of the vulnerability could give the attacker system privileges.
Chris Goettl
This zero-day affects every supported Windows OS, including Windows 7 and Windows Server 2008/R2 in the Extended Security Updates program, which should provide extra incentive for administrators to deploy the October Patch Tuesday fixes promptly.
“It’s only rated important, but because it’s been exploited in the wild, there’s a higher risk associated with it. People should be prioritizing this more urgently,” said Chris Goettl, vice president of product management for security products at Ivanti, an IT asset and endpoint management company.
Outlook for Mac public disclosure resolved
The public disclosure is a Microsoft Office information disclosure vulnerability (CVE-2022-41043) rated important for two products running on macOS: Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021. This bug specifically targets Outlook for Mac, and Microsoft stipulated the preview pane was not an attack vector for the vulnerability. Upon a successful exploit of this flaw, an attacker could retrieve user tokens or other sensitive information. The Common Vulnerability Scoring System (CVSS) rating is relatively low at 3.3, which indicates ..
Support the originator by clicking the read the rest link below.
