September, 2022: Patch Tuesday - Two Zero Days; Five Critical

Welcome to my September Patch Tuesday newsletter. It's an average month, with Microsoft releasing patches for 90 different CVEs, of which 5 are rated as critical. There are two zero days (highlighted in bold) in the chart below. One of them (highlighted with ***) has been detected as already being actively exploited in the wild, so you will want to apply these updates as soon as possible and make sure the pending reboots happen ASAP. You will notice that I have also highlighted some CVEs with orange in italics. These have been given an exploitability assessment of "Exploitation More Likely" by Microsoft, so please make sure these get applied as soon as possible. If you have Dynamics 9.0 or 9.1 installed on-prem, then you'll want to make sure both critical updates get applied very soon. Microsoft reports that an attacker could run specially crafted trusted solution packages to gain db_owner rights in your Dynamics database. Keep in mind that the OS updates in the chart below also apply to Server Core installations. Make sure those don't get overlooked.

Patch data provided by:

LOGbinder.com

| Technology | Products Affected | Severity | Reference | Workaround / Exploited / Publicly Disclosed | Vulnerability Info |
|---|---|---|---|---|---|
| Windows | Windows 7, 8.1, RT 8.1, 10, 11; Server 2008 SP2, 2008R2 SP1, 2012, 2012 R2, 2016, 2019, 2022 including Server Core Installations; 2022 Azure Edition Hotpatch; AV1 Video Extension; Raw Image Extension | Critical | CVE-2022-23960, CVE-2022-26928, CVE-2022-30170, CVE-2022-30196, CVE-2022-30200, CVE-2022-33647, CVE-2022-33679, CVE-2022-34711, CVE-2022-34718, CVE-2022-34719, CVE-2022-34720, CVE-2022-34721, CVE-2022-34722, CVE-2022-34723, CVE-2022-34724, CVE-2022-34725, CVE-2022-34726, CVE-2022-34727, CVE-2022-34728, CVE-2022-34729, CVE-2022-34730, CVE-2022-34731, CVE-2022-34732, CVE-2022-34733, CVE-2022-34734, CVE-2022-35803, CVE-2022-35822, CVE-2022-35830, CVE-2022-35831, CVE-2022-35832, CVE-2022-35833, CVE-2022-35834, CVE-2022-35835, CVE-2022-35836, CVE-2022-35837, CVE-2022-35838, CVE-2022-35840, CVE-2022-35841, CVE-2022-37954, CVE-2022-37955, CVE-2022-37956, CVE-2022-37957, CVE-2022-37958, CVE-2022-37959, CVE-2022-37964, CVE-2022-37969***, CVE-2022-38004, CVE-2022-38005, CVE-2022-38006, CVE-2022-38011, CVE-2022-38019 | Workaround: No; Exploited: Yes***; Public: Yes | Denial of Service; Elevation of Privilege; Information Disclosure; Remote Code Execution; Security Feature Bypass |
| Edge | Chromium-based | Low | CVE-2022-2852, CVE-2022-2853, CVE-2022-2854, CVE-2022-2855, CVE-2022-2856, CVE-2022-2857, CVE-2022-2858, CVE-2022-2860, CVE-2022-2861, CVE-2022-3038, CVE-2022-3039, CVE-2022-3040, CVE-2022-3041, CVE-2022-3044, CVE-2022-3045, CVE-2022-3046, CVE-2022-3047, CVE-2022-3053, CVE-2022-3054, CVE-2022-3055, CVE-2022-3056, CVE-2022-3057, CVE-2022-3058, CVE-2022-3075, CVE-2022-38012 | Workaround: No; Exploited: No; Public: No | Remote Code Execution |
| Office | 365 Apps for Enterprise; Office 2013 RT SP1, 2013 SP1, 2016, 2019, LTSC 2021; 2019 for Mac, LTSC Mac 2021; Visio 2013 SP1, 2016 | Important | CVE-2022-37962, CVE-2022-37963, CVE-2022-38010 | Workaround: No; Exploited: No; Public: No | Remote Code Execution |
| SharePoint | Enterprise Server 2013 SP1, 2016; Foundation 2013 SP1; Server 2019; Server Subscription Edition including Language Pack | Important | CVE-2022-35823, CVE-2022-37961, CVE-2022-38008, CVE-2022-38009 | Workaround: No; Exploited: No; Public: No | Remote Code Execution |
| Azure | Arc; Guest Configuration | Important | CVE-2022-38007 | Workaround: No; Exploited: No; Public: No | Elevation of Privilege |
| Visual Studio | 2019 16.11 and earlier; 2022 17.3, 17.2, 17.0; 2022 for Mac 17.3; VS Code | Important | CVE-2022-38013, CVE-2022-38020 | Workaround: No; Exploited: No; Public: No | Denial of Service; Elevation of Privilege |
| .NET | Core 3.1; 6.0; Framework 2.0 SP2, 3.0 SP2, 3.5, 3.5.1, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8, 4.8.1 | Important | CVE-2022-26929, CVE-2022-38013 | Workaround: No; Exploited: No; Public: No | Denial of Service; Remote Code Execution |
| Dynamics | CRM 9.0/9.1 on-prem | Critical | CVE-2022-34700, CVE-2022-35805 | Workaround: No; Exploited: No; Public: No | Remote Code Execution |
| System Center | Defender for Endpoint for Mac | Important | CVE-2022-35828 | Workaround: No; Exploited: No; Public: No | Elevation of Privilege |