Patch Tuesday September 2022: Spectre-BHB on ARM but fewer total fixes

September’s Microsoft Patch Tuesday release brings fewer total fixes than previous months—just 64, with six marked as Critical and the rest as Important. That should put applying all Microsoft patches released this month, including cumulative updates, comfortably within established patching windows. The only vulnerability under active exploitation is an elevation of privilege, CVE-2022-37969, which could allow an attacker to run as SYSTEM. That should put it toward the top of any prioritization lists. 

Microsoft Vulnerabilities 

The lower number of total Microsoft fixes released, with no standout celebrity vulnerabilities, should take the pressure off teams responsible for applying patches this month. So, you should perhaps consider using this month’s hopefully lower patching workload to audit your environments and make sure nothing has fallen off the radar and has not been getting appropriate updates. 

Also, we have a Windows 11 for ARM64-based systems receiving a fix for CVE-2022-23960. Referred to as Spectre-BHB this is a cache speculation vulnerability affecting ARM CPUs. If the Spectre name is familiar it’s because this is similar to Spectre from 2018.

Related Product

N‑central

Manage large networks or scale IT operations with RMM made for growing service providers.

Más información

Microsoft Patch Tuesday Vulnerability Prioritization

There were only Critical and Important updates released for Patch Tuesday this month so they should be in your respective ‘approved, awaiting install’ list. The only zero-day for the month, CVE-2022-37969 Windows Common Log File System Driver, is an elevation of privilege vulnerability that can allow an attacker SYSTEM privileges. The likelihood of exploitation though is a little muted as it requires an attacker to already have a foothold on a Windows endpoint. However, it should still be on the top of your list. 

The six ‘Exploitation More Likely’ vulnerabilities listed below should also get some level of prioritization, even though some of them are only marked as Important. Of minor note are two Windows Common Log File System Driver elevation of privilege vulnerabilities, the aforementioned CVE-2022-37969 that is under active exploitation and CVE-2022-35803, which is marked as ‘Exploitation More Likely’, should both be addressed.

Cumulative Updates

The cumulative updates were released for current builds of Windows 10 with KB5017308, Windows 10 version 1809 and Windows Server 2019 with KB5017315, and KB5017328 for Windows 11. Containing the usual rollup of fixes from previous months and including Servicing Stack Updates in the CU, these should be these easy to rollout, with the exception of KB5017328. If you have out-of-date systems needing this CU you may need to apply KB5005112 before installing.

Known Complications of Note

There are no major complications being reported as of print. 

Other Vendors

Apple released its third zero-day fix in the past two months on September 12^th, 2022. You can read more on CVE-2022-32917 here. It appears to be under active exploitation according to Apple, with recommendations being immediate upgrade to iOS 15.7 and iPadOS 15.7.

Summary

As always make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity consider including prioritization of patches for Zero-Days, Exploitation Detected and, Exploitation More Likely vulnerabilities in your Patch Management routines. 

Looking for more information on Patch Management? Check out this section on our blog.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd