Microsoft has released its October 2022 Patch Tuesday security updates, addressing more than 80 security vulnerabilities across its software products. While the update set did not include fixes for the two recently disclosed Microsoft Exchange Server zero-day flaws, it did patch another actively exploited zero-day, CVE-2022-41033, in the Windows COM+ Event System Service.
CVE-2022-41033 is a privilege escalation flaw caused by a boundary error (buffer overflow) in the Windows COM+ Event System Service. A local attacker who already has code execution on the machine can trigger memory corruption and run arbitrary code with SYSTEM privileges. The vulnerability affects all versions of Windows from Windows 7 and Windows Server 2008 onward.
Microsoft did not provide any details on how the bug is being exploited, or whether it has been used in targeted or more widespread attacks. The vendor only noted that the attack complexity is low and that no user interaction is required for an attacker to obtain SYSTEM privileges. Because it is a local privilege escalation, it is the kind of bug typically chained after initial access rather than used as an entry point on its own.
Besides CVE-2022-41033, this month’s Patch Tuesday fixes a previously disclosed Microsoft Office vulnerability (CVE-2022-41043), which puts at risk user tokens and other potentially sensitive information, as well as a number of high-risk security issues in Microsoft Azure, Word, Office, Microsoft Windows CD-ROM File System Driver, and other software products.
The unpatched MS Exchange flaws, collectively known as "ProxyNotShell," are described as a server-side request forgery issue that can be exploited for privilege escalation (CVE-2022-41040) and a remote code execution flaw when PowerShell is accessible to the attacker (CVE-2022-41082).
Microsoft did not provide a timeline for when fixes for the Exchange Server flaws will be available.