IT admins will need to patch 121 critical vulnerabilities this month as part of Microsoft’s monthly security patches, which is notably higher than what is typically expected of an August security release.
According to Zero Day Initiative (ZDI), the security bugs fixed this month affect Azure Batch Node Agent, Real Time Operating System, Site Recovery, and Sphere; Microsoft Dynamics; Microsoft Edge (Chromium-based); Exchange Server; Office and Office Components; PPTP, SSTP, and Remote Access Service PPTP; Hyper-V; System Center Operations Manager; Windows Internet Information Services; Print Spooler Components; and Windows Defender Credential Guard.
Of the 121 new vulnerabilities, two are listed as publicly known, and one is under active attack, according to Microsoft’s release. Seventeen are rated critical, 102 are rated important, one is rated moderate and one is rated low in severity.
Here’s a look at some of the more notable ones admins should prioritize patching, according to ZDI:
CVE-2022-34713 – Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability
This is another MSDT bug under active exploitation. Like a previous one patched this year, this also allows code execution when MSDT is called using the URL protocol from a calling application, typically Microsoft Word, according to ZDI.
Threat actors would need to convince a user to click a link or open a document. It’s unclear if this is a result of a failed patch, but admins should test and deploy this one quickly.
CVE-2022-35804 – SMB Client and Server Remote Code Execution Vulnerability
According to ZDI, the server side of this bug would allow a remote, unauthenticated attacker to execute code with elevated privileges on affected SMB servers. However, this bug only impacts Windows 11, which, ZDI notes, implies that some new functionality introduced this vulnerability.
This vulnerability could potentially be wormable between affected Windows 11 systems with SMB server enabled. Disabling SMBv3 compression is a workaround for this bug, but admins should just apply the patch to remediate the vulnerability.
CVE-2022-21980/24516/24477 – Microsoft Exchange Server Elevation of Privilege Vulnerability
There are three critical-rated Exchange elevation of privilege flaws this month that could allow an authenticated attacker to take over mailboxes of all Exchange users. Attackers could then read and send email and download attachments from any mailbox on the server. Admins will need to enable Extended Protection to fully address these vulnerabilities, ZDI notes.
CVE-2022-34715 – Windows Network File System Remote Code Execution Vulnerability
This is the fourth NFS code execution bug in as many months, and ZDI implies that this may be the most severe of them. A remote unauthenticated attacker would need to make a specially crafted call to an affected NFS server, which would give them code execution at elevated privileges. While Microsoft rates this as important, ZDI suggests treating it as critical.
CVE-2022-35742 – Microsoft Outlook Denial of Service Vulnerability
This bug would allow attackers to send a crafted email to a victim and cause their Outlook application to terminate. Upon restart, Outlook will terminate again once it retrieves and processes the invalid message. Victims don’t even need to open the message or use the Reading pane, according to ZDI. The only way to restore functionality is to access the mail account using a different client (i.e., webmail, or administrative tools) and remove the offending email(s) from the mailbox before restarting Outlook, researchers say.