Microsoft's October 2022 patch day again brings almost 80 patches. These include two updates classified as important that close publicly known security gaps that are already under attack. Microsoft is not closing the recently disclosed security gaps in Exchange on this patch day; the updates for them are apparently not yet ready.
Tip for securing Exchange servers
Exchange admins should always have the latest updates for Exchange installed, especially the latest cumulative update for the relevant Exchange version. This includes the Emergency Mitigation Service, which helps to close security gaps. The Exchange gaps were uncovered by two researchers from the security company GTSC. All Exchange versions from Exchange Server 2013 onward are affected. Microsoft also warns of the vulnerability in a separate blog post.
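One way to check whether the Emergency Mitigation Service is actually in effect on each server, as an added example that is not part of the original article. It assumes it is run in the Exchange Management Shell with rights to read the organization and server configuration; the property and service names are those Microsoft documents for the service.

```powershell
# Added example: audit the Exchange Emergency Mitigation Service (EEMS).
# Run in the Exchange Management Shell (Windows PowerShell).

# EEMS can be switched off for the whole organization or per server,
# so both settings have to be true for mitigations to be applied.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

$report = foreach ($server in Get-ExchangeServer) {
    # The Windows service behind EEMS; absent on servers whose cumulative
    # update predates the service.
    $svc = Get-Service -ComputerName $server.Name -Name MSExchangeMitigation `
        -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Server        = $server.Name
        Version       = $server.AdminDisplayVersion
        OrgEnabled    = $orgEnabled
        # A null value is treated here as "EEMS status not reported".
        ServerEnabled = $server.MitigationsEnabled
        ServiceStatus = if ($svc) { $svc.Status } else { 'not found' }
        Applied       = ($server.MitigationsApplied -join ', ')
        Blocked       = ($server.MitigationsBlocked -join ', ')
        # Effective only if org switch, server switch and service all agree.
        Effective     = [bool]($orgEnabled -and $server.MitigationsEnabled -and
                               $svc.Status -eq 'Running')
    }
}

# Full overview first, then the servers that need attention.
$report | Format-Table Server, Version, ServerEnabled, ServiceStatus, Applied, Blocked -AutoSize

$gaps = $report | Where-Object { -not $_.Effective }
if ($gaps) {
    Write-Warning "EEMS is not effective on: $($gaps.Server -join ', ')"
} else {
    Write-Output 'EEMS is enabled and running on all Exchange servers.'
}
```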
Exploit available: vulnerability in Windows 10/11 and Windows Server 2019/2022 and older
The vulnerability CVE-2022-41033 (Windows COM+ Event System Service Elevation of Privilege Vulnerability) is publicly known, and exploits for it already exist. It affects all current Windows and Windows Server versions, up to and including Windows 10 and Windows 11 as well as Windows Server 2019 and Windows Server 2022.
The vulnerability allows attackers to take over a system by escalating access privileges and enabling remote code execution. Most likely, the malware enters networks via phishing attacks. The updates should therefore be installed as soon as possible.
Publicly known vulnerability in Microsoft Office 2019/2021
The second publicly known vulnerability is CVE-2022-41043. It affects the LTSC versions of Office 2019 and 2021. Because this vulnerability is also publicly known, these updates should also be installed quickly.
At the same time, the two critical gaps CVE-2022-38048 and CVE-2022-38049 should also be closed in Office. In addition to Office 2019/2021, the Office programs in Microsoft 365 are also affected.
CVE-2022-37987: Vulnerability in Windows allows takeover
The vulnerability CVE-2022-37987 should also be closed quickly. It allows a server or workstation to be taken over by elevation of privileges. All current Windows versions are affected here as well, i.e. Windows 10/11 and Windows Server 2019/2022. The update for CVE-2022-37989 also plays an important role: it addresses a similar vulnerability and also affects Windows.
Critical vulnerability in Active Directory Certificate Services
The CVE-2022-37976 vulnerability affects Active Directory Certificate Services on all current Windows servers. Attackers can hijack the service and thereby gain control over it and its certificates. The update, which is classified as critical, should therefore be installed as soon as possible.