"Microsoft Addresses Zero-Days, but Exchange Server Exploit Chain Remains Unpatched"
In its October Patch Tuesday update, Microsoft addressed a critical security vulnerability in its Azure cloud service that earned a rare 10-out-of-10 rating on the CVSS vulnerability-severity scale. The company also patched two "important" zero-day bugs, one of which is actively being exploited in the wild. There may be a third issue, in SharePoint, that is also actively being exploited. However, Microsoft did not issue fixes for the two unpatched Exchange Server zero-day bugs discovered in late September. In total, Microsoft released patches for 85 CVEs in October, including 15 critical bugs. The 10-out-of-10 bug (CVE-2022-37968) is an Elevation of Privilege (EoP) and Remote Code Execution (RCE) issue that could allow an unauthenticated attacker to gain administrative control over Azure Arc-enabled Kubernetes clusters. It could also impact Azure Stack Edge devices. Although an attacker would need to know the randomly generated Domain Name System (DNS) endpoint for an Azure Arc-enabled Kubernetes cluster to succeed, exploitation has a large payoff: the attacker can elevate privileges to cluster admin and potentially gain control of the Kubernetes cluster. This article continues to discuss the vulnerabilities recently patched by Microsoft.