Today’s VERT Alert addresses Microsoft’s September 2022 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-1021 on Wednesday, September 14th.
In-The-Wild & Disclosed CVEs
The first disclosed vulnerability this month is Spectre-BHB that is discussed in great detail on arm Developer. The Microsoft update for this vulnerability only applies to Windows 11 for ARM64-based systems. It is likely that impacted systems are not widely deployed across most organizations.
A vulnerability in the Windows Common Log File System (CLFS) Driver allows for SYSTEM level code execution when successfully exploited on a system. This local vulnerability has already seen exploitation in-the-wild and was jointly reported by a number of organizations. The update for this vulnerability should be applied as soon as possible due to the active exploitation that is ongoing.
CVE Breakdown by Tag
While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis. Vulnerabilities are also color coded to aid with identifying key issues.
- Traditional Software
- Mobile Software
- Cloud or Cloud Adjacent
- Vulnerabilities that are being exploited or that have been disclosed are listed in red
|Windows IKE Extension||3||CVE-2022-34720, CVE-2022-34721, CVE-2022-34722|
|Windows Group Policy||1||CVE-2022-37955|
|Windows DPAPI (Data Protection Application Programming Interface)||1||CVE-2022-34723|
|Windows Common Log File System Driver||2||CVE-2022-35803, CVE-2022-37969|
|Microsoft Office SharePoint||4||CVE-2022-35823, CVE-2022-38008, CVE-2022-38009, CVE-2022-37961|
|Visual Studio Code||1||CVE-2022-38020|
|Windows Photo Import API||1||CVE-2022-26928|
|Microsoft Office Visio||2||CVE-2022-38010, CVE-2022-37963|
|Microsoft Graphics Component||5||CVE-2022-35837, CVE-2022-34728, CVE-2022-34729, CVE-2022-37954, CVE-2022-38006|
|SPNEGO Extended Negotiation||1||CVE-2022-37958|
|Windows Event Tracing||1||CVE-2022-35832|
|Windows Kernel||3||CVE-2022-37964, CVE-2022-37956, CVE-2022-37957|
|Network Device Enrollment Service (NDES)||1||CVE-2022-37959|
|Windows Remote Access Connection Manager||1||CVE-2022-35831|
|Microsoft Windows Codecs Library||2||CVE-2022-38011, CVE-2022-38019|
|Windows Remote Procedure Call||1||CVE-2022-35830|
|Windows ODBC Driver||5||CVE-2022-34726, CVE-2022-34727, CVE-2022-34730, CVE-2022-34732, CVE-2022-34734|
|Windows OLE||6||CVE-2022-35834, CVE-2022-35835, CVE-2022-35836, CVE-2022-35840, CVE-2022-34731, CVE-2022-34733|
|Role: DNS Server||1||CVE-2022-34724|
|Windows Transport Security Layer (TLS)||2||CVE-2022-30196, CVE-2022-35833|
|.NET and Visual Studio||1||CVE-2022-38013|
|Windows Kerberos||2||CVE-2022-33679, CVE-2022-33647|
|Windows Credential Roaming Service||1||CVE-2022-30170|
|Windows Print Spooler Components||1||CVE-2022-38005|
|Microsoft Edge (Chromium-based)||16||
|Microsoft Windows ALPC||1||
|Role: Windows Fax Service||1||
|Windows LDAP – Lightweight Directory Access Protocol||1||
At the time of publication, there were no new advisories included with the September Security Guidance.