Patch Tuesday overview.
The CyberWire, Oct 12, 2022

Vendors released patches for a multitude of software products on this month’s Patch Tuesday.

Patch Tuesday overview.

Yesterday on this month’s Patch Tuesday, many vendors announced security patches for vulnerabilities.

Microsoft patches.

Microsoft announced 85 patches this month. Syxsense reports that 15 were marked critical, one was Public Aware, and one was a Weaponized Threat. It is reported that updates have been provided for “Azure, Azure Arc, and Azure DevOps, Microsoft Edge (Chromium-based), Office and Office Components, Visual Studio Code, Active Directory Domain Services and Active Directory Certificate Services & Hyper-V.”

Adobe patches.

SecurityWeek reports that Adobe has released 29 fixes across its product suite. The vulnerabilities affect both Windows and macOS users. Adobe products with updates released include ColdFusion 2021 and 2018, Adobe Commerce, Magento Open Source, Adobe Dimension, and Adobe Acrobat and Reader.

SAP patches.

Onapsis reports that SAP released 23 new patches, including two HotNews Notes and six High Priority Notes. The first HotNews note “patches a very critical Path Traversal vulnerability in SAP Manufacturing Execution,” and affects the Work Instruction Viewer (WI500) and Visual Test and Repair (MODEL_VIEWER) plugins. The second HotNews note targets an Account Hijacking vulnerability in the SAP Commerce login page.

CISA adds to Known Exploited Vulnerabilities Catalog.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog. The vulnerability, CVE-2022-41033, involves the Windows COM+ Event System Service.
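A KEV addition is most useful when it is cross-checked against what is actually deployed. The script below is an added example, not part of the CyberWire article or any CISA tooling: it parses a snapshot in the layout of CISA's public KEV JSON feed (top-level `vulnerabilities` list with `cveID`, `vendorProject`, `product`, `vulnerabilityName`, `dateAdded`, `shortDescription`, `requiredAction`, `dueDate`) and reports which CVEs from a scanner inventory are in the catalog and whether their remediation due date has passed. The feed content is constructed: only CVE-2022-41033 and its affected component come from the article, its `dateAdded` is taken from the article's statement that it was added on Patch Tuesday, and every other value (the due date, the descriptions, the placeholder second entry, the inventory CVEs) is an assumption.

```python
"""Cross-check a scanner's CVE inventory against a KEV catalog snapshot.

Added example, not from the CyberWire article. Field names follow the public
CISA KEV JSON feed; the sample values below are constructed for this example.
"""
import json
from datetime import date

# Constructed KEV snapshot. Only CVE-2022-41033 and its component come from the
# article; dateAdded follows the "added on Patch Tuesday" statement; dueDate,
# descriptions and the second entry are assumed placeholders.
KEV_SNAPSHOT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "constructed-sample",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2022-41033",
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": "Windows COM+ Event System Service privilege escalation (name assumed)",
            "dateAdded": "2022-10-11",
            "shortDescription": "Privilege escalation in the COM+ Event System Service (assumed wording).",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-11-01",
        },
        {
            "cveID": "CVE-0000-0001",
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Placeholder entry (constructed)",
            "dateAdded": "2022-09-01",
            "shortDescription": "Placeholder entry used to show an overdue finding.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-09-22",
        },
    ],
})


def load_kev(feed_json: str) -> dict:
    """Parse a KEV feed document and index its entries by upper-cased CVE id."""
    feed = json.loads(feed_json)
    return {entry["cveID"].upper(): entry for entry in feed["vulnerabilities"]}


def kev_matches(inventory_cves, kev_index: dict, as_of_iso: str) -> list:
    """Return inventory CVEs present in KEV, with due-date status as of `as_of_iso`.

    Findings are sorted so overdue items come first, then the nearest deadline.
    """
    as_of = date.fromisoformat(as_of_iso)
    findings = []
    for cve in sorted({c.upper() for c in inventory_cves}):
        entry = kev_index.get(cve)
        if entry is None:
            continue  # not in KEV: still a vulnerability, just not a KEV deadline
        days_left = (date.fromisoformat(entry["dueDate"]) - as_of).days
        findings.append({
            "cveID": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "dateAdded": entry["dateAdded"],
            "dueDate": entry["dueDate"],
            "days_until_due": days_left,
            "overdue": days_left < 0,
            "requiredAction": entry["requiredAction"],
        })
    findings.sort(key=lambda f: f["days_until_due"])
    return findings


if __name__ == "__main__":
    # Constructed scanner output: the article's CVE, the placeholder KEV entry,
    # and one CVE that is not in the catalog at all.
    inventory = ["CVE-2022-41033", "CVE-0000-0001", "CVE-0000-0002"]
    for f in kev_matches(inventory, load_kev(KEV_SNAPSHOT), "2022-10-12"):
        state = "OVERDUE" if f["overdue"] else f"{f['days_until_due']} days left"
        print(f'{f["cveID"]:16} {f["product"]:26} added {f["dateAdded"]} due {f["dueDate"]} ({state})')
```

To use it against the live catalog, replace `KEV_SNAPSHOT` with the downloaded feed text; the index keeps the whole entry so the `requiredAction` text can be copied into a ticket unchanged.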

Michael Assraf, CEO & Co-founder of Vicarius, said of the addition: “CISA did not waste any time adding an escalation of privilege vulnerability in Windows COM+ Event System Service to the KEV on the same day a patch was released.

“Microsoft has rated the severity as ‘Important’, which is analogous to the High CVSS score it received. So although none of these organizations gave it a Critical rating, Microsoft's update guide paints a different picture. The attack complexity is low and user interaction is not required, making this an easy vulnerability to exploit. The silver lining is that the attack vector is local, so they'll need access to a regular user computer. But not all that glitters is gold, of course. The attacker will most likely reroute and target someone on the inside to exploit the vulnerability, e.g. tricking a legitimate user into opening a malicious document. So again, it will be crucial to remind employees (especially during National Cybersecurity Awareness Month) to stay vigilant and report any signs of phishing. An attacker can gain SYSTEM privileges, so it is important to install the updates as soon as possible.”