By Jon Munshaw and Vanja Svajcer.
Microsoft released its monthly security update Tuesday, disclosing more than 120 vulnerabilities across its line of products and software, the most in a single Patch Tuesday in four months.  
This batch of updates also includes a fix for a new vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) that’s actively being exploited in the wild, according to Microsoft. MSDT was already the target of the so-called “Follina” zero-day vulnerability in June.  
In all, August’s Patch Tuesday includes 15 critical vulnerabilities and a single low- and moderate-severity issue. The remainder is classified as “important.” 
Two of the important vulnerabilities CVE-2022-35743 and CVE-2022-34713 are remote code execution vulnerabilities in MSDT. However, only CVE-2022-34713 has been exploited in the wild and Microsoft considers it “more likely” to be exploited. 
Microsoft Exchange Server contains two critical elevation of privilege vulnerabilities, CVE-2022-21980 and CVE-2022-24477. An attacker could exploit this vulnerability by tricking a target into visiting a malicious, attacker-hosted server or website. In addition to applying the patch released today, potentially affected users should enable Extended Protection on vulnerable versions of the server. 

The Windows Point-to-Point Tunneling Protocol is also vulnerable to three critical vulnerabilities. Two of them, CVE-2022-35744 and CVE-2022-30133, could allow an attacker to execute remote code on an RAS server machine. The other, CVE-2022-35747, could lead to a denial-of-service condition. CVE-2022-35744 has a CVSS severity score of 9.8 out of 10, one of the highest-rated vulnerabilities this month. An attacker could exploit these vulnerabilities by communicating via Port 1723. Affected users can render these issues unexploitable by blocking that port, though it runs the risk of disrupting other legitimate communications. 
Another critical code execution vulnerability, CVE-2022-35804, affects the SMB Client and Server and the way the protocol handles specific requests. An attacker could exploit this on the SMB Client by configuring a malicious SMBv3 server and tricking a user into connecting to it through a phishing link. It could also be exploited in the Server by sending specially crafted packets to the server.  
Microsoft recommended that users block access to Port 445 to protect against the exploitation of CVE-2022-35804. However, only certain versions of Windows 11 are vulnerable to this issue. 
Talos would also like to highlight eight important vulnerabilities that Microsoft considers to be “more likely” to be exploited:  


CVE-2022-34699: Win32k elevation of privilege vulnerability 
CVE-2022-35748: HTTP.sys denial-of-service vulnerability 
CVE-2022-35750: Win32k elevation of privilege vulnerability 
CVE-2022-35751: Windows Hyper-V elevation of privilege vulnerability 
CVE-2022-35755: Windows print spooler elevation of privilege vulnerability 
CVE-2022-35756: Windows Kerberos elevation of privilege vulnerability 
CVE-2022-35761: Windows Kernel elevation of privilege vulnerability 
CVE-2022-35793: Windows Print Spooler elevation of privilege vulnerability 


A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page. 
In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 
The rules included in this release that protect against the exploitation of many of these vulnerabilities are 60371 - 60384, 60386 and 60387. There are also Snort 3 rules 300233 - 300239.

_By Jon Munshaw and Vanja Svajcer._

Microsoft released its monthly security update Tuesday, disclosing more than 120 vulnerabilities across its line of products and software, the most in a single Patch Tuesday in four months.  

This batch of updates also includes a fix for a new vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) that’s actively being exploited in the wild, according to Microsoft. MSDT was already the target of the so-called “Follina” zero-day vulnerability in June.  

In all, August’s Patch Tuesday includes 15 critical vulnerabilities and a single low- and moderate-severity issue. The remainder is classified as “important.” 

Two of the important vulnerabilities CVE-2022-35743 and CVE-2022-34713 are remote code execution vulnerabilities in MSDT. However, only CVE-2022-34713 has been exploited in the wild and Microsoft considers it “more likely” to be exploited.

Microsoft Exchange Server contains two critical elevation of privilege vulnerabilities, CVE-2022-21980 and CVE-2022-24477. An attacker could exploit this vulnerability by tricking a target into visiting a malicious, attacker-hosted server or website. In addition to applying the patch released today, potentially affected users should enable Extended Protection on vulnerable versions of the server. 

The Windows Point-to-Point Tunneling Protocol is also vulnerable to three critical vulnerabilities. Two of them, CVE-2022-35744 and CVE-2022-30133, could allow an attacker to execute remote code on an RAS server machine. The other, CVE-2022-35747, could lead to a denial-of-service condition. CVE-2022-35744 has a CVSS severity score of 9.8 out of 10, one of the highest-rated vulnerabilities this month. An attacker could exploit these vulnerabilities by communicating via Port 1723. Affected users can render these issues unexploitable by blocking that port, though it runs the risk of disrupting other legitimate communications. 

Another critical code execution vulnerability, CVE-2022-35804, affects the SMB Client and Server and the way the protocol handles specific requests. An attacker could exploit this on the SMB Client by configuring a malicious SMBv3 server and tricking a user into connecting to it through a phishing link. It could also be exploited in the Server by sending specially crafted packets to the server.  

Microsoft recommended that users block access to Port 445 to protect against the exploitation of CVE-2022-35804. However, only certain versions of Windows 11 are vulnerable to this issue. 

Talos would also like to highlight eight important vulnerabilities that Microsoft considers to be “more likely” to be exploited:  

*   CVE-2022-34699: Win32k elevation of privilege vulnerability 
*   CVE-2022-35748: HTTP.sys denial-of-service vulnerability 
*   CVE-2022-35750: Win32k elevation of privilege vulnerability 
*   CVE-2022-35751: Windows Hyper-V elevation of privilege vulnerability 
*   CVE-2022-35755: Windows print spooler elevation of privilege vulnerability 
*   CVE-2022-35756: Windows Kerberos elevation of privilege vulnerability 
*   CVE-2022-35761: Windows Kernel elevation of privilege vulnerability 
*   CVE-2022-35793: Windows Print Spooler elevation of privilege vulnerability 

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 60371 - 60384, 60386 and 60387. There are also Snort 3 rules 300233 - 300239.

Microsoft Patch Tuesday for August 2022 — Snort rules and prominent vulnerabilities 

The computing giant issued a massive Patch Tuesday update, including a pair of remote execution flaws in the Microsoft Support Diagnostic Tool (MSDT) after attackers used one of the vulnerabilities in a zero-day exploit.

Microsoft patched 118 vulnerabilities in its software products and components on Aug. 9, including a flaw that attackers have exploited in the wild to run malicious code when users click on a link, according to security experts. 

The patches, part of Microsoft's regularly scheduled Patch Tuesday, fixed the zero-day vulnerability (CVE-2022-34713) and a second remote code execution (RCE) vulnerability (CVE-2022-35743) in the Microsoft Support Diagnostic Tool (MSDT) that has not yet been exploited. 

The MSDT vulnerabilities are a variant of an issue that researchers have called "DogWalk," public discussion of which began about 18 months ago, although it has been exploited only recently, Satnam Narang, a staff research engineer at cybersecurity firm Tenable, tells Dark Reading.

The MSDT vulnerabilities give attackers the ability to use the MSDT protocol through a URL contained in a document — such as a Microsoft Office Word file — that, when clicked, will execute code in the security context of the application.

"An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application," Microsoft stated in its advisory for the previous MSDT exploit. "The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights."

Security teams that cannot apply the patch can disable the MSDT URL protocol, update their Microsoft Defender detections, or rely on Protected View and Application Guard for Office to prevent the current attacks.

The zero-day vulnerability, and a previous one exploited in May, are being used by attackers in phishing campaigns, Narang says.

"\[I\]t would appear that attackers are looking to take advantage of flaws within MSDT as these types of flaws are extremely valuable to launch spear-phishing attacks," he says. "We've seen flaws ... continue to be exploited years after patches have been made available. Therefore, it is vital that organizations apply the available patches as soon as possible."

**Security Teams Wrestle with Patching Tsunami**

The tranche of updates fixes 17 vulnerabilities rated critical and 101 rated important. Elevation-of-privilege issues dominated the patches, accounting for 64 of the CVEs, while RCE vulnerabilities make up 31 of the 118 security issues fixed in the software updates, according to Tenable's analysis of the updates. Information-disclosure vulnerabilities account for 12 of the patched vulnerabilities, and denial-of-service issues account for seven vulnerabilities. Another three vulnerabilities allowed security features to be bypassed.

The vulnerabilities — along with another 25 flaws issued by Adobe on the same day and nearly 20 issues released for Microsoft's Edge browser on Friday — highlight the workload faced by security teams on Patch Tuesday. 

"The volume of fixes released this month is markedly higher than what is normally expected in an August release," Dustin Childs, security communications manager for Trend Micro's Zero Day Initiative, wrote in a review of the updates released on Patch Tuesday. "It’s almost triple the size of last year's August release, and it's the second largest release this year."

Some companies have reported that Microsoft fixed 121 flaws, rather than 118, but that tally includes three issues in Windows Secure Boot that previously were reported through the CERT Coordination Center and are updates to third-party drivers, according to Tenable's analysis.

While the MSDT vulnerabilities are the most critical to fix, more than a third of the vulnerabilities fixed by the patches occur in local components of Microsoft Azure, including 34 vulnerabilities in Azure Site Recovery software, eight flaws in the Azure Real Time Operating Systems, and a single vulnerability for Azure Sphere and the Azure Batch Node Agent.

The updates also fix vulnerabilities in the code handling older tunneling protocols, such as Point-to-Point Protocol (PPP) and Secure Socket Tunneling Protocol (SSTP), including four vulnerabilities affecting Windows PPP and nine affecting the SSTP functionality.

"These are older protocols that should be blocked at your perimeter," Trend Micro's Childs wrote in the ZDI analysis of the patches. "However, if you're still using one of these, it’s probably because you need it, so don’t miss these patches."

**Adobe Patch Tuesday**

Microsoft is not the only company to drop significant monthly patches. Adobe also published updates to fix 25 vulnerabilities in five different products, including Adobe Commerce, Adobe Acrobat and Reader, Adobe Illustrator, Adobe FrameMaker, and Adobe Premier Elements.

"None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release," Childs wrote. "Adobe categorizes the majority of these updates as a deployment priority rating of 3, with the Acrobat patch being the lone exception at 2."

Microsoft Patches Zero-Day Actively Exploited in the Wild

Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-35743.

CVE-2022-34713

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability.

CVE-2022-33636

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability.

CVE-2022-35796

Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability.

CVE-2022-33649

Microsoft Office Remote Code Execution Vulnerability.

CVE-2022-34717

Microsoft Excel Remote Code Execution Vulnerability.

CVE-2022-33648

Microsoft Exchange Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-21979, CVE-2022-34692.

CVE-2022-30134

Microsoft Excel Security Feature Bypass Vulnerability.

Tag

#microsoft