The patches released address common vulnerabilities and exposures (CVEs) in: Microsoft Windows and Windows Components; Azure and Azure Arc; .NET and Visual Studio and .NET Framework; Microsoft Edge (Chromium-based); Office and Office Components; Windows Defender; and Linux Kernel.
This release comes on top of 15 patches for CVEs in Microsoft Edge (Chromium-based) and one patch for side-channel speculation in Arm processors, as noted by Zero Day Initiative.
The one CVE disclosed on Patch Tuesday that is known to have been exploited impacts the Windows Common Log File System (CLFS) Driver. It is a local elevation-of-privilege bug: to exploit it, the attacker must already have access to the system and be able to run code on it, and the flaw then lets that code run with higher privileges than the attacker started with.
"Bugs of this nature are often wrapped into some form of social engineering attack, such as convincing someone to open a file or click a link," Zero Day Initiative notes. "Once they do, additional code executes with elevated privileges to take over a system."
Microsoft acknowledged researchers from DBAPPSecurity, Mandiant, CrowdStrike and Zscaler for identifying this vulnerability.
The five critical CVEs disclosed on Tuesday were all Remote Code Execution (RCE) vulnerabilities. Of those, two impact on-premises versions of Microsoft Dynamics 365. These CVEs let an authenticated user run a specially crafted trusted solution package to execute arbitrary SQL commands. From there, the attacker could escalate and execute commands as db_owner within their Dynamics 365 database. Note that both require a valid account, so they are a post-authentication path to database takeover rather than an unauthenticated entry point.
Two more of the critical CVEs impact Windows Internet Key Exchange (IKE) Protocol Extensions, allowing an unauthenticated attacker to send a specially crafted IP packet to a target machine and execute code on it.
The fifth critical CVE impacts Windows TCP/IP, allowing an unauthenticated attacker to send a specially crafted IPv6 packet to a Windows node where IPsec is enabled and execute code on it. Because the bug requires both IPv6 and IPsec, a node with IPsec disabled is not exposed to it.
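Before the patch lands, an administrator will usually want to know which hosts actually expose the IKE and IPv6/IPsec surfaces the last three bugs need. The following PowerShell is an added example written for this page, not code from the article, Zero Day Initiative or Microsoft; it uses only standard NetSecurity, NetTCPIP and NetAdapter cmdlets, and the function name and output shape are this example's own choice. It must be run in an elevated session on the Windows host being checked.

```powershell
# Added exposure check (example code, not from the original article or from Microsoft).
# Run as Administrator on a Windows host. Reports whether the IKE service is reachable
# and whether IPv6 and IPsec (both needed for the TCP/IP bug) are in play on this node.
function Test-PatchTuesdayNetworkExposure {
    [CmdletBinding()]
    param()

    # IKE Protocol Extensions are handled by the IKEEXT service, which listens on UDP 500/4500.
    $ikeService = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
    $ikePorts   = @(Get-NetUDPEndpoint -LocalPort 500,4500 -ErrorAction SilentlyContinue)

    # The TCP/IP bug needs a crafted IPv6 packet: list adapters that still have IPv6 bound.
    $ipv6Adapters = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled } |
        Select-Object -ExpandProperty Name)

    # ...and it needs IPsec enabled: enabled connection-security rules in the active store,
    # plus any live security associations, show whether IPsec is configured and in use.
    $ipsecRules = @(Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
        Where-Object { "$($_.Enabled)" -eq 'True' })
    $mainModeSAs  = @(Get-NetIPsecMainModeSA  -ErrorAction SilentlyContinue)
    $quickModeSAs = @(Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue)

    $ipsecEnabled = ($ipsecRules.Count -gt 0) -or ($mainModeSAs.Count -gt 0) -or ($quickModeSAs.Count -gt 0)

    [PSCustomObject]@{
        ComputerName        = $env:COMPUTERNAME
        IKEEXTStatus        = if ($ikeService) { $ikeService.Status } else { 'NotInstalled' }
        IKEListeningPorts   = ($ikePorts | ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }) -join ', '
        IPv6BoundAdapters   = $ipv6Adapters -join ', '
        EnabledIPsecRules   = $ipsecRules.Count
        ActiveMainModeSAs   = $mainModeSAs.Count
        ActiveQuickModeSAs  = $quickModeSAs.Count
        # Exposed to the IKE bugs if the IKE service is up and bound to its UDP ports.
        IKEExposed          = ($ikeService -and $ikeService.Status -eq 'Running' -and $ikePorts.Count -gt 0)
        # Exposed to the TCP/IP bug only when both IPv6 is bound and IPsec is enabled.
        TcpIpIPv6IPsecExposed = ($ipv6Adapters.Count -gt 0) -and $ipsecEnabled
    }
}

# Usage: run locally, or fan out with Invoke-Command across a set of hosts.
Test-PatchTuesdayNetworkExposure | Format-List
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Test-PatchTuesdayNetworkExposure}
```

The two boolean fields are the ones to triage on: a host with `TcpIpIPv6IPsecExposed` false is outside the stated conditions for the TCP/IP bug, while `IKEExposed` hosts should be patched first since the IKE bugs need nothing more than a packet reaching UDP 500/4500. Treat the check as a prioritisation aid rather than a substitute for installing the update.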