Rapid7 says that fixing the Exchange Server bug (CVE-2022-30134) won’t stop attackers from reading targeted email messages.
The company also suggests fixing CVE-2022-34715, a flaw in Windows Network File System (NFS) version 4.1 on Windows Server 2022 that lets remote code run.
In its August 2022 Patch Tuesday update, Microsoft fixed 141 bugs, including two previously unknown (zero-day) bugs, of which one is already being exploited by hackers.
The August 2022 Patch Tuesday Update includes fixes for 20 bugs in Edge that Microsoft had already fixed, leaving 121 bugs in Windows, Office, Azure, .NET Core, Visual Studio, and Exchange Server.
The Zero Day Initiative said that the number of fixes released this month is “markedly higher” than expected for an August release. The bug hunting group said, “It’s almost three times as big as August’s release last year, and it’s the second biggest release this year.”
This month, Microsoft fixed 17 critical and 102 crucial bugs. The fixes address 64 elevations of privilege flaws and 32 remote code execution flaws, as well as security feature bypasses and information disclosure flaws. Also, 34 of this month’s fixes address bugs in Microsoft’s disaster recovery tools for the cloud, Azure Site Recovery.
The actively exploited bug is a remote code execution flaw in the Microsoft Windows Support Diagnostic Tool (MSDT), tracked as CVE-2022-34713. Microsoft says it has to do with a bug that some security researchers call “Dogwalk.”
Two researchers reported the Dogwalk bug to Microsoft in early 2020; the company didn’t fix it until May this year when attackers started using malicious Word documents to exploit MSDT. In the same month, Microsoft issued the CVE-2022-30190 identifier with steps to fix the problem. This was followed by a patch in the middle of June and more defense-in-depth steps in July.
Microsoft says that CVE-2022-34713 was found after public discussion made people inside and outside of Microsoft investigate it more.
“In May, Microsoft released a blog giving guidance for a vulnerability in MSDT and released updates to address it shortly thereafter. Public discussion of a vulnerability can encourage further scrutiny on the component, both by Microsoft security personnel as well as our research partners. This CVE is a variant of the vulnerability publicly known as Dogwalk,” Microsoft noted in its advisory.
Last month, Google also fixed a Dogwalk bug (CVE-2022-2622) issue in Chrome. It severely affected Chrome’s Safe Browsing, Google’s security service.
A flaw in Exchange Server that lets information leak out was made public before Tuesday, but it hasn’t been used yet. Due to the ProxyShell and ProxyLogon bugs, vulnerable on-premises Exchange Servers that were easy to hack were one of the most-targeted systems in 2021.
Rapid7 believes that fixing the Exchange Server bug (CVE-2022-30134) won’t stop attackers from reading targeted email messages. Administrators also need to turn on Windows Extended Security for Exchange Servers. The Microsoft Exchange Team explains how to do this manually in a separate blog post. Before this problem is fully fixed, five more Exchange bugs must be fixed with patches.
The company also suggests fixing CVE-2022-34715, a flaw in Windows Network File System (NFS) version 4.1 on Windows Server 2022 that lets remote code run. The CVSSv3 score for it is 9.8. CVE-2022-35797 is a notable flaw that allows people to get around Microsoft’s biometric authentication system, Windows Hello. An attacker would need physical access to use the bug, but they could get around Windows Hello if they did.
Ivanti, a security company, says that as of the August Patch Tuesday update, Windows 7 and Windows Server 2008/2008R2 have only six months left of Extended Security Updates (ESU). Microsoft announced in July that it would stop supporting Windows 7 for three more years after its end in 2020.
Microsoft will also stop giving updates to the Windows Server Semi-Annual Channel (SAC) at the end of this month. Support for Windows Server 20H2 ended on August 9, and it is the last SAC version.