Microsoft released fixes for over 60 CVEs this month including two zero-day vulnerabilities, one of which is being actively exploited in the wild.
Microsoft released fixes for over 60 CVEs this month including two zero-day vulnerabilities, one of which is being actively exploited in the wild.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
The September Patch Tuesday release brings fewer total fixes than previous months, only 64 total with 6 marked as critical severity and the rest as important severity. That should put applying all Microsoft patches released this month, including cumulative updates, comfortably within established patching windows. The only vulnerability under active exploitation is an elevation of privilege, CVE-2022-37969, which could allow for an attacker to run as SYSTEM. That should put it toward the top of any prioritization lists. Consider taking this month’s hopefully lower workload around patching to audit your environments and make sure nothing has fallen off the radar and hasn’t been getting appropriate updates.
This is a relatively small update in comparison to last month’s 141 fixes, but it does address two zero-days, one of which is being exploited in the wild, so organisations must prioritise applying these fixes. There are also flaws which involve elevation of privileges and remote code execution, which, when exploited, can open doors into networks for attackers.
This latest update once again highlights the importance of Autopatch, where Microsoft has removed the burden of updates from organisations.
Autopatch should make these updates seamless for most organisations and they won’t need to worry about their systems. For those that have not enabled the feature, and can benefit from it, it is advised to turn it on now.
However, when Autopatch is not practicable, it is critical to have a well-oiled patch management process that identifies patches, even ones that come out before Patch Tuesdays. These patches should be applied to all affected systems all within 14 days, which is the Cyber Essentials requirement, or sooner.
As soon as exploitable patches are released, attackers start scanning for vulnerable systems that very day. So, the clock is already ticking.