On September 13, 2022, Microsoft released security updates for Windows clients and servers, for Office and for a number of other products. The updates close 63 vulnerabilities, 5 of which are rated critical; one of them is a 0-day that is already being exploited. Below is a compact overview of the updates released on this patchday.
A list of the updates can be found on this Microsoft page. Details about the update packages for Windows, Office, etc. are available in separate blog posts.
Notes on the updates
Windows 10 versions 20H2 to 21H2 share a common core and have an identical set of system files. The same security update is therefore delivered to all of these Windows 10 versions; the additional features of the newer version are switched on through an Enablement Package update, as described in this Techcommunity post.
All Windows 10 updates are cumulative. The monthly patchday update contains all security fixes for Windows 10 as well as all non-security fixes released up to patchday. In addition to fixes for specific vulnerabilities, the updates include general security hardening. For newer versions of Windows 10, Microsoft ships the Servicing Stack Update (SSU) as part of the Latest Cumulative Update (LCU). A list of the latest SSUs can be found at ADV990001 (although that list is not always up to date).
Windows 7 SP1 has been out of support since January 2020. Only customers with a third-year ESU license (or the bypass measures) still receive updates; the current ESU bypass allows this update to be installed. The updates can also be downloaded from the Microsoft Update Catalog. The updates for Windows RT 8.1 and Microsoft Office RT are only available via Windows Update.
Vulnerabilities fixed
The September 2022 security updates fix 63 vulnerabilities, five of them rated critical, including one 0-day vulnerability that is already being exploited in the wild. A list of all covered CVEs can be found on this Microsoft page. Tenable also has a blog post with an overview of the fixed vulnerabilities. Here are the most important and critical vulnerabilities:
- CVE-2022-37969: Windows Common Log File System Driver Elevation of Privilege Vulnerability, Important, an EoP vulnerability in the Windows Common Log File System (CLFS) driver. According to Microsoft, this vulnerability has already been exploited in the wild, and it was publicly disclosed before a patch was available. It is a local privilege escalation: an attacker must already be able to run code on the target system, and successful exploitation yields SYSTEM privileges.
- CVE-2022-24521: Important, a similar vulnerability in CLFS that was patched in April 2022 as part of that month's Patch Tuesday release. CVE-2022-24521 was reported to Microsoft by the National Security Agency (NSA) and CrowdStrike and was also exploited in the wild. CVE-2022-37969 is credited to several researchers, including CrowdStrike; it is currently unclear whether CVE-2022-37969 is a patch bypass for CVE-2022-24521.
- CVE-2022-34718: Windows TCP/IP Remote Code Execution Vulnerability, Critical, an RCE in the Windows TCP/IP stack that received a CVSSv3 score of 9.8 and was rated "Exploitation More Likely" in Microsoft's Exploitability Index. An unauthenticated, remote attacker could gain code execution by sending a specially crafted IPv6 packet to a Windows system. The vulnerability can only be exploited against systems with Internet Protocol Security (IPsec) enabled; systems on which IPv6 is disabled are not affected. Microsoft has released patches for all supported versions of Windows, including Server Core editions.
- CVE-2022-34721 and CVE-2022-34722: Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability, Critical, two RCE vulnerabilities in the Windows IKE protocol extensions, each with a CVSSv3 score of 9.8 and rated "Exploitation Less Likely". IKE is the component of IPsec that negotiates security associations (the shared security attributes, such as keys and algorithms, between two peers). An unauthenticated, remote attacker could send a specially crafted IP packet to a target with IPsec enabled and achieve remote code execution. According to Microsoft, only IKEv1 is vulnerable, IKEv2 is not; Windows servers are nevertheless affected because they accept both IKEv1 and IKEv2 packets. IPsec is used to protect sensitive data in transit and is frequently used in virtual private networks.
- CVE-2022-37956, CVE-2022-37957 and CVE-2022-37964: Windows Kernel Elevation of Privilege Vulnerability, Important, three EoP vulnerabilities in the Windows kernel. All three received a CVSSv3 score of 7.8 and could allow a local attacker to gain SYSTEM privileges. Of the three, only CVE-2022-37957 was rated "Exploitation More Likely". Oddly enough, each affects a different set of Windows versions: CVE-2022-37964 affects only Windows 7, Windows Server 2008 and 2008 R2; CVE-2022-37956 affects all supported versions of Windows and Windows Server; and CVE-2022-37957 affects only Windows 10 and later, including Windows Server 2016, 2019 and 2022.
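As an added example (this script is not part of the original post, nor Microsoft's or Tenable's code), the following PowerShell triage script gathers, on one Windows host, the local facts that decide exposure to the fixes listed above: the OS build and the newest installed security update relative to the September 13, 2022 patchday, the installed version of the CLFS driver (clfs.sys, the component affected by CVE-2022-37969), and whether IPsec is actually in use, which is the precondition for CVE-2022-34718, CVE-2022-34721 and CVE-2022-34722, plus whether IPv6 is bound. It deliberately does not hard-code KB numbers or fixed file versions, since those are in the separate per-product posts; the `PatchedSincePatchDay` field (a name chosen here, like all the output field names) only says whether some security update dated on or after patchday is installed, which is a heuristic and not proof that the September cumulative update is present.

```powershell
# Added example, not from the original post: local triage for the September 2022 fixes.
# Reports facts only; it does not know the fixed KB numbers or file versions.
# Run in an elevated Windows PowerShell 5.1 session on the host to be checked.

$PatchDay = Get-Date '2022-09-13'   # patchday date from the post

# --- 1. Patch state: OS build (UBR rises with every cumulative update) and newest security update ---
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR

$latestSecurityUpdate = Get-HotFix |
    Where-Object { $_.Description -eq 'Security Update' -and $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

# --- 2. CLFS driver: CVE-2022-37969 is in clfs.sys, so record the installed file version ---
$clfsVersion = (Get-Item "$env:SystemRoot\System32\drivers\clfs.sys").VersionInfo.FileVersion

# --- 3. IPsec exposure: CVE-2022-34718 / -34721 / -34722 require IPsec enabled on the target ---
$ikeext    = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue   # IKE and AuthIP IPsec Keying Modules
$ikeStatus = if ($ikeext) { [string]$ikeext.Status } else { 'not present' }

# The NetSecurity cmdlets exist on Windows 8 / Server 2012 and later only; guard them so the
# script still runs on Windows 7 / Server 2008 R2 (there these counts simply stay at 0).
$ipsecRules  = @()
$mainModeSAs = @()
if (Get-Command Get-NetIPsecRule -ErrorAction SilentlyContinue) {
    $ipsecRules  = @(Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
                     Where-Object { "$($_.Enabled)" -eq 'True' })
    $mainModeSAs = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue)
}

# IPv6 binding matters for CVE-2022-34718 (crafted IPv6 packet): count adapters with ms_tcpip6 bound
$ipv6Adapters = @()
if (Get-Command Get-NetAdapterBinding -ErrorAction SilentlyContinue) {
    $ipv6Adapters = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue |
                      Where-Object { $_.Enabled })
}

# IPsec counts as "in use" when the keying service runs and there is an active rule or a negotiated SA
$ipsecInUse = ($ikeStatus -eq 'Running') -and ($ipsecRules.Count -gt 0 -or $mainModeSAs.Count -gt 0)

[PSCustomObject]@{
    ComputerName           = $env:COMPUTERNAME
    DisplayVersion         = $cv.DisplayVersion          # e.g. 21H2; absent on older builds
    OSBuild                = $build
    LatestSecurityUpdate   = $latestSecurityUpdate.HotFixID
    LatestSecurityUpdateOn = $latestSecurityUpdate.InstalledOn
    # heuristic only: a security update dated on/after patchday, not proof the September CU is installed
    PatchedSincePatchDay   = [bool]($latestSecurityUpdate -and $latestSecurityUpdate.InstalledOn -ge $PatchDay)
    ClfsSysVersion         = $clfsVersion
    IKEEXTStatus           = $ikeStatus
    ActiveIPsecRules       = $ipsecRules.Count
    MainModeSAs            = $mainModeSAs.Count
    IPv6EnabledAdapters    = $ipv6Adapters.Count
    IPsecExposure          = $ipsecInUse
} | Format-List
```

A host that shows `IPsecExposure : False` and `IPv6EnabledAdapters : 0` is not reachable through the three IPsec/IKE bugs as described above, which is useful for prioritising the reboot; the CLFS fix, however, matters on every host, since CVE-2022-37969 needs only local code execution, so `ClfsSysVersion` should be compared against the file version shipped in the September cumulative update for that Windows version.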
The colleagues from Bleeping Computer have published a complete list of all patched CVE vulnerabilities here. Below is the list of patched products:
Critical Security Updates
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for x64-based Systems
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 21H2 for 32-bit Systems
Windows 10 Version 21H2 for ARM64-based Systems
Windows 10 Version 21H2 for x64-based Systems
Windows 11 for ARM64-based Systems
Windows 11 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows RT 8.1
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server 2022
Windows Server 2022 (Server Core installation)
Windows Server 2022 Azure Edition Core Hotpatch
Microsoft Dynamics CRM (on-premises) 9.0
Microsoft Dynamics CRM (on-premises) 9.1
Important Security Updates
Microsoft 365 Apps for Enterprise for 32-bit Systems
Microsoft 365 Apps for Enterprise for 64-bit Systems
Microsoft Office 2013 RT Service Pack 1
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Microsoft Office 2019 for 32-bit editions
Microsoft Office 2019 for 64-bit editions
Microsoft Office 2019 for Mac
Microsoft Office LTSC 2021 for 32-bit editions
Microsoft Office LTSC 2021 for 64-bit editions
Microsoft Office LTSC for Mac 2021
Microsoft SharePoint Enterprise Server 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Foundation 2013 Service Pack 1
Microsoft SharePoint Server 2019
Microsoft SharePoint Server Subscription Edition
SharePoint Server Subscription Edition Language Pack
Microsoft Visio 2013 Service Pack 1 (32-bit editions)
Microsoft Visio 2013 Service Pack 1 (64-bit editions)
Microsoft Visio 2016 (32-bit edition)
Microsoft Visio 2016 (64-bit edition)
Visual Studio 2022 for Mac version 17.3
Visual Studio Code
.NET 6.0
.NET Core 3.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2
Microsoft .NET Framework 3.5 AND 4.7.2
Microsoft .NET Framework 3.5 AND 4.8
Microsoft .NET Framework 3.5 AND 4.8.1
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4.6
Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2
Microsoft .NET Framework 4.8
Microsoft .NET Framework 4.8.1
Microsoft Visual Studio 2019 version 16.11 (includes 16.0 – 16.10)
Microsoft Visual Studio 2019 version 16.9 (includes 16.0 – 16.8)
Microsoft Visual Studio 2022 version 17.0
Microsoft Visual Studio 2022 version 17.2
Microsoft Visual Studio 2022 version 17.3
AV1 Video Extension
Raw Image Extension
Azure ARC
Azure Guest Configuration
Microsoft Defender for Endpoint for Mac
Similar articles:
Microsoft Office Updates with fix for Excel bug (September 6, 2022)
Microsoft Security Update Summary (September 13, 2022)
Patchday: Windows 10-Updates (September 13, 2022)
Patchday: Windows 11/Server 2022-Updates (September 13, 2022)
Windows 7/Server 2008R2; Windows 8.1/Server 2012R2: Updates (September 13, 2022)
Patchday: Microsoft Office Updates (September 13, 2022)