Microsoft Fixes Five Critical Security Flaws On Patch Tuesday
According to Thomas Fritsch, SAP security researcher at Onapsis, Security Note #3223392 is the most critical of the three new high priority fixes. It plugs an unquoted service path vulnerability in SAP Business One, which received a CVSS score of 7.8. Unquoted service paths are a local privilege-escalation class: a user who can write to a directory along the path can plant a binary that the Windows service control manager then launches with the service account's privileges.
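The following is an added example, not code from SAP, Onapsis or the article. It models how CreateProcess resolves an unquoted ImagePath that contains spaces (the behaviour the Windows documentation illustrates with its own "c:\program files\sub dir\program name" example): each space-delimited prefix is tried in turn, with ".exe" appended when the prefix has no extension, until one exists on disk. Every prefix tried before the real binary is a hijack point if its parent directory is writable. The SAP-like install path and the set of writable directories below are constructed for illustration and are not SAP Business One's actual layout; the "intended binary" heuristic (first prefix ending in .exe) is an assumption made because the example runs offline and cannot stat the filesystem.

```python
"""Model of Windows unquoted-service-path resolution (added example)."""
import ntpath
from typing import Iterable, List


def hijack_candidates(image_path: str) -> List[str]:
    """Return the paths CreateProcess would try *before* the intended binary.

    Assumption: the intended binary is the first space-delimited prefix that
    ends in ".exe".  A quoted ImagePath yields no candidates, which is why
    quoting the path is the fix.
    """
    s = image_path.strip()
    if s.startswith('"'):
        return []                      # quoted: the whole path is one token
    parts = s.split(" ")
    candidates: List[str] = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            break                      # this is the binary actually launched
        # CreateProcess appends .exe only when the token has no extension.
        candidates.append(prefix if ntpath.splitext(prefix)[1] else prefix + ".exe")
    return candidates


def writable_candidates(candidates: Iterable[str], writable_dirs: Iterable[str]) -> List[str]:
    """Keep only the candidates whose parent directory the attacker can write to.

    `writable_dirs` stands in for the ACL check (icacls / Get-Acl) that this
    offline example does not perform.
    """
    writable = {d.lower().rstrip("\\") for d in writable_dirs}
    return [c for c in candidates
            if ntpath.dirname(c).lower().rstrip("\\") in writable]


# Constructed ImagePath values; the SAP-like layout is invented for illustration.
UNQUOTED = r"C:\Program Files\SAP\Business One\Service.exe -run"
QUOTED = r'"C:\Program Files\SAP\Business One\Service.exe" -run'
# Constructed ACL model: directories a standard user can write to on this box.
WRITABLE = [r"C:\Program Files\SAP"]

if __name__ == "__main__":
    for path in (UNQUOTED, QUOTED):
        cands = hijack_candidates(path)
        print(path)
        print("  tried first:", cands)
        print("  exploitable:", writable_candidates(cands, WRITABLE))
```

On a real host the same logic is applied to the ImagePath of every service (for example from `wmic service get name,pathname` or `Get-CimInstance Win32_Service`), and the writable set comes from the ACLs of each candidate's parent directory rather than a hard-coded list.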
Microsoft's latest failing came to light on Tuesday in a post showing that Microsoft took five months and three patches before successfully fixing a critical vulnerability in Azure. Orca Security first informed Microsoft of the flaw in early January; it resided in the Synapse Analytics component of the cloud service and also affected Azure Data Factory. It gave anyone with an Azure account the ability to access other customers' resources.
Google has rolled out fixes for five security vulnerabilities in its Chrome web browser. These include one which Google says is being exploited in the wild (CVE-2021-4102), so we recommend upgrading to Chrome version 96.0.4664.110 immediately.
At the beginning of November, Mozilla released security fixes for 14 CVEs in total across Firefox, Firefox ESR, and Thunderbird. There were many third-party releases at the end of October in addition to the aforementioned Adobe updates. Google released an emergency update for Windows, macOS, and Linux to patch eight vulnerabilities, two of them high-severity zero-days. In late October Apple released macOS Monterey, along with iOS and iPadOS 15.1. Because of the dates of these releases, these figures are not included in the graphic to the left.
Adobe has posted a security update for Adobe Acrobat and Reader addressing 2 critical and 2 moderate vulnerabilities. Earlier in the month, Mozilla released five security advisories, all marked as high impact, for Thunderbird, Firefox ESR, and Firefox 93. Also earlier in the month, Google released a new Chrome version to fix four vulnerabilities, including two zero-days being actively exploited in the wild.
Microsoft's May Patch Tuesday saw 55 security fixes, compared to 108 tallied in April. We are currently tracking 4 critical vulnerabilities, none of which is being exploited in the wild to the best of our knowledge and according to vendor communications.
Adobe had a modest release of five security updates addressing a handful of vulnerabilities, nine of them rated critical, affecting Creative Cloud Desktop Application (APSB21-18), Connect (APSB21-19), Framemaker (APSB21-14), Animate (APSB21-21), and Photoshop (APSB21-17).
Adobe and Microsoft each issued updates to fix critical security vulnerabilities in their software today. Adobe patched its Flash Player software and Adobe AIR. Microsoft issued four updates to address at least 11 unique security flaws, including its final batch of fixes for Office 2003 and for systems powered by Windows XP.
Patch Tuesday is upon us once again. Adobe today pushed out security fixes for its Flash and Shockwave media players. Separately, Microsoft released seven patch bundles addressing at least 34 vulnerabilities in Microsoft Windows and other software.
The first Patch Tuesday of the year from Microsoft addresses 98 security vulnerabilities, with 10 classified as critical for Windows. One vulnerability (CVE-2023-21674) in a core section of Windows code is a zero-day that requires immediate attention. And Adobe has returned with a critical update, paired with a few low-profile patches for the Microsoft Edge browser.
Microsoft patched 62 CVEs in its September 2022 Patch Tuesday release, with five rated as critical and 57 rated as important. This count omits CVE-2022-23960, a cache speculation restriction vulnerability, because it was issued by MITRE and applies to Arm CPUs.
Of the 98 total vulnerabilities, nine were rated 'critical', which the article equates with a CVSS score of nine or greater (note that Microsoft assigns its Critical/Important severity ratings independently of the CVSS score). Among the most severe issues patched were a pair of RCEs, both scored 9.8/10, affecting Windows Server and the Windows Internet Key Exchange (IKE) extensions.
Microsoft Exchange Server also received five separate fixes for one critical-rated RCE vulnerability, tracked as CVE-2022-21846 and scored 9.0/10, with an 'adjacent' attack vector: in CVSS terms the attacker must already be on the same shared physical or logical network as the server (for example the local subnet or a VPN into it) rather than reaching it from the open internet. This particular flaw was first flagged to Microsoft by the National Security Agency (NSA), which raised attention to other Microsoft Exchange security issues throughout 2021.
Numerous flaws affecting the Microsoft Office suite were also patched, but perhaps the most serious, tracked as CVE-2022-21840, is a single CVE that covers 26 separate critical-rated entries in Microsoft's release. It has a CVSS score of 8.8/10, and an attacker could achieve remote code execution on a victim's machine if the victim opened a specially crafted file, so exploitation depends on user interaction.
A full list of the now-patched security issues has been published by Microsoft with RCE flaws affecting products including Windows Server, Microsoft Exchange Server, SharePoint Server, the Microsoft Office suite, DirectX, Windows Remote Desktop Protocol, Windows Resilient File System, and other areas.
Critical Flaws

For the critical patches, client-side fixes with Remote Code Execution (RCE) implications remain prominent across a wide swath of applications such as Office and IE. Several versions of the Windows OS are also at issue this month.
Solaris Third Party Bulletins are used to announce security patches for third party software distributed with Oracle Solaris. Solaris Third Party Bulletins are published on the same day as Oracle Critical Patch Updates are released. These bulletins will be updated on the third Tuesday of the following two months after their release (i.e., the two months between the normal quarterly Critical Patch Update publication dates). In addition, Solaris Third Party Bulletins may also be updated for vulnerability patches deemed too critical to wait for the next scheduled publication date. Solaris Third Party Bulletins released before 2018 are available here.
On January 14, 2020, Microsoft released software fixes to address 49 vulnerabilities as part of their monthly Patch Tuesday announcement. Among the vulnerabilities patched were critical weaknesses in Windows CryptoAPI, Windows Remote Desktop Gateway (RD Gateway), and Windows Remote Desktop Client. An attacker could remotely exploit these vulnerabilities to decrypt, modify, or inject data on user connections:
There will be 10 bulletins this month, covering all versions of Internet Explorer (IE), Microsoft Office and Windows. The fixes for IE include the patch for the current 0-day vulnerability. A total of five bulletins allow for remote code execution (RCE) and should be the focus points for your patching next week.