The latest Patch Tuesday from Microsoft included security updates released to patch a total of 63 vulnerabilities. This includes 5 vulnerabilities that have been given a ‘critical’ severity rating, due to the possibility of an exploit of these flaws resulting in remote code execution (RCE) on the target device. Two of these are zero-day flaws, and the other three are newly discovered RCE vulnerabilities. All are present in devices running either Microsoft Windows 10 or Microsoft Windows 11.  

Two of the critical RCE vulnerabilities patched in this update are found in the Windows Internet Key Exchange (IKE) protocol extensions and can be remotely exploited by an unauthorised attacker with no user interaction necessary. CVE-2022-34722 and CVE-2022-34721 are distinct from one another, but can be exploited in the same way, and have both been given the base CVSS severity score of 9.8/10. Both flaws allow for an attacker to send a crafted IP packet to a target device running Windows with IPSec enabled, resulting in remote code execution. These vulnerabilities affect IKE version IKEv1 only, not IKEv2, however all Windows Servers accept both v1 and v2 packets, meaning all devices can be affected. Potential exploitation of the other critical RCE vulnerability, tracked as CVE-2022-34718, also affects devices with IPSec enabled. This is a Windows TCP/IP vulnerability that can allow unauthenticated attackers to send an IPv6 packet to the Windows node with IPSec enabled, resulting in RCE on affected the device.  

The first zero-day patched in this update is CVE-2022-37969, which is known to be publicly disclosed, and actively exploited. This is a Windows common log file system driver elevation of privilege vulnerability that can allow an attacker to gain SYSTEM privileges on the affected device. However, an exploit of this vulnerability first requires attackers to already have the ability to run code on the target device, and this vulnerability does not allow for RCE, this has been given a ‘high’ severity rating of 7.8/10. The other publicly disclosed zero-day vulnerability that has been patched is CVE-2022-23960. This is a ‘medium’ severity vulnerability, affecting some Arm Cortex and Neoverse processors. Attackers can potentially exploit the not properly restricted cache in Spectre-BHB, and cause mispredicted branches in the Branch History Buffer (BHB). This could allow for attackers to gather sensitive information from the affected device, however this is not believed to be currently exploited. 

All of these vulnerabilities have been addressed in Microsoft’s September 13th Patch Tuesday updates. Microsoft’s Security Update Guide contains a full list of the updates that are available to download, and the security vulnerability they address in each product.