Security Experts:

Already Exploited Zero-Day Headlines Microsoft Patch Tuesday

Microsoft on Tuesday released a critical-severity bulletin to warn of a newly discovered zero-day attack exploiting a remote code execution vulnerability in its flagship Windows operating system.

The vulnerability, tracked as CVE-2022-34713, affects the Microsoft Windows Support Diagnostic Tool (MSDT) and has been exploited by attackers tricking users into opening or interacting with specially crafted files.

Redmond confirmed pre-patch exploitation of the issue and acknowledged it is a variant of Dogwalk, a different security flaw that was publicly discussed in June this year.

Microsoft has struggled over the last year with security problems in the diagnostics tool. In May, the company’s security response team issued public guidance on the ongoing issues and the company believes there is an increase in hacker eyeballs looking for defects in the MSDT utility.

[ READ: Adobe Patch Tuesday: Code Execution Flaws in Acrobat, Reader ]

The CVE-2022-34713 headlines a massive Microsoft Patch Tuesday that provides cover for at least 120 documented flaws in Windows and operating system components.

According to Zero Day Initiative, a company that closely tracks software flaw warnings, this is in addition to the 17 CVEs patched in Microsoft Edge (Chromium-based) and three patches related to secure boot from CERT/CC. That brings the total number of CVEs to 141.

Of the 121 new vulnerabilities patched in this monthly batch, 17 are rated 'critical' and 102 are rated 'important'. In addition to the zero-day under attack, Microsoft listed two of these vulnerabilities as publicly known.

Security experts are urging Windows fleet administrators to pay special attention to three of the bulletins that carry CVSS 9.8/10 severity scores. These include CVE-2022-30133 and CVE-2022-35744 that fix RCE problems in the Windows Point-to-Point Protocol (PPP); and CVE-2022-34691 that addresses a major privilege escalation issue in Active Directory Domain Services.

Related: Adobe Patch Tuesday: Code Execution Flaws in Acrobat, Reader

Related: Microsoft Publishes Office Symbols to Improve Bug Hunting

Related: ICS Patch Tuesday: Siemens, Schneider Electric Fix Only 11 Vulnerabilities

Related: Black Hat 2022: Ten Presentations Worth Your Time and Attention

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.