Microsoft has released patches for 141 flaws in its August 2022 Patch Tuesday update including two previously undisclosed (zero-day) flaws, of which one is actively being exploited.
The total patch count for the August 2022 Patch Tuesday Update actually includes 20 flaws in Edge that Microsoft had previously released fixes for, leaving 121 flaws affecting Windows, Office, Azure, .NET Core, Visual Studio and Exchange Server.
The Zero Day Initiative noted that the volume of fixes released this month is "markedly higher" than what is normally expected in an August release. "It's almost triple the size of last year's August release, and it's the second largest release this year," the bug hunting group said.
Microsoft addressed 17 critical flaws and 102 important flaws this month. The fixes cover 64 elevation of privilege flaws and 32 remote code execution flaws, as well as security feature bypasses and information disclosure flaws. In addition, 34 of this month's fixes address bugs in Azure Site Recovery, Microsoft's disaster recovery toolset for the cloud.
The actively exploited bug is a remote code execution flaw affecting the Microsoft Windows Support Diagnostic Tool (MSDT), tracked as CVE-2022-34713. According to Microsoft, it is related to a bug that some security researchers refer to as "Dogwalk".
Microsoft says CVE-2022-34713 was discovered after public discussion prompted further scrutiny within and outside of Microsoft.
"In May, Microsoft released a blog giving guidance for a vulnerability in MSDT and released updates to address it shortly thereafter. Public discussion of a vulnerability can encourage further scrutiny on the component, both by Microsoft security personnel as well as our research partners. This CVE is a variant of the vulnerability publicly known as Dogwalk," Microsoft notes in its advisory.
It carries a CVSSv3 base score of 7.8, reflecting the fact that victims need to be tricked into opening a malicious file.
An information disclosure flaw in Exchange Server was publicly disclosed prior to Tuesday but hasn't been exploited yet. Vulnerable on-premises Exchange servers were among the most targeted systems in 2021 thanks to the ProxyShell and ProxyLogon bugs.
Rapid7 emphasizes that patching the Exchange Server flaw (CVE-2022-30134) alone will not prevent attackers from being able to read targeted email messages. Admins also need to enable Windows Extended Protection on their Exchange servers. Microsoft's Exchange Team has detailed how to do this manually in a separate blog post. There are patches for five more Exchange bugs that need to be applied to fully remediate this issue.
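Because the article stresses that the patch alone is not enough, an administrator will want a quick way to confirm whether Extended Protection is actually switched on. The following PowerShell audit is an added example, not code from the article, from Rapid7 or from Microsoft's Exchange Team. It assumes it is run in an elevated session on the Exchange server itself, that the IIS WebAdministration module is available, and that Exchange uses the default IIS site names ("Default Web Site" and "Exchange Back End"); the list of virtual directories it inspects is likewise an assumption and not taken from the page.

```powershell
# Added example: report the IIS Extended Protection ("tokenChecking") setting
# on the virtual directories Exchange exposes. A value of "None" means
# Extended Protection is not enabled for that directory.
Import-Module WebAdministration

# Assumed site and virtual-directory names; adjust to match the deployment.
$sites  = @('Default Web Site', 'Exchange Back End')
$vdirs  = @('API', 'Autodiscover', 'ECP', 'EWS', 'Mapi',
            'Microsoft-Server-ActiveSync', 'OAB', 'OWA', 'PowerShell', 'Rpc')
$filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

function Get-ExtendedProtectionState {
    param([string]$Site, [string]$VDir)
    $path = "IIS:\Sites\$Site\$VDir"
    # Not every virtual directory exists on every server role; skip missing ones.
    if (-not (Test-Path $path)) { return $null }
    $value = Get-WebConfigurationProperty -PSPath $path -Filter $filter -Name 'tokenChecking'
    # Some module versions return the enum string directly, others wrap it in a
    # ConfigurationAttribute; normalise to the plain string (None/Allow/Require).
    if ($value.PSObject.Properties['Value']) { $value = $value.Value }
    return [string]$value
}

$report = foreach ($site in $sites) {
    foreach ($vdir in $vdirs) {
        $state = Get-ExtendedProtectionState -Site $site -VDir $vdir
        if ($null -eq $state) { continue }
        [pscustomobject]@{
            Site          = $site
            VDir          = $vdir
            TokenChecking = $state
            Enabled       = ($state -ne 'None')
        }
    }
}

$report | Format-Table -AutoSize

# Surface directories where the post-patch hardening has not been applied.
$off = @($report | Where-Object { -not $_.Enabled })
if ($off.Count -gt 0) {
    Write-Warning ("Extended Protection is not enabled on {0} Exchange virtual directories." -f $off.Count)
}
```

The script only reads configuration; it does not change anything. Which directories should be set to "Allow" versus "Require" depends on the Exchange version and topology, so treat this as a visibility check to run before and after following Microsoft's Exchange Team guidance, not as the guidance itself.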
The firm also recommends patching CVE-2022-34715, a remote code execution flaw affecting Windows Network File System (NFS) version 4.1 on Windows Server 2022. It has a CVSSv3 score of 9.8. One notable flaw, CVE-2022-35797, is a bypass for Microsoft's Windows Hello biometric authentication mechanism. An attacker would need physical access to exploit the bug, but could bypass Windows Hello if they had it.