"Microsoft Quashes Actively Exploited Zero-Day, Wormable Critical Bugs"

In a September Patch Tuesday update, Microsoft addressed a pair of zero-day vulnerabilities, including a Local Privilege-Escalation (LPE) flaw that is being actively exploited in the wild. Furthermore, Microsoft revealed three separate critical vulnerabilities that could be exploited for worming attacks. The patches are part of Microsoft's cache of 64 fixed vulnerabilities this week, the fewest for any month this year (and nearly a 50 percent decrease from August). The disclosed bugs impact Microsoft Windows and Windows Components, Azure and Azure Arc, .NET, Visual Studio, Linux Kernel, and more. The actively exploited vulnerability (CVE-2022-37969, with a CVSS score of 7.8) exists in the Windows Common Log File System Driver, a general-purpose logging subsystem first introduced in Windows 2003 R2 and included in all subsequent versions. An exploit for the bug lets an attacker with limited system access gain SYSTEM privileges with a single click. There are no other technical details available, but because the vulnerability is simple and requires no user interaction, an exploit will most likely soon be in the hands of both white and black hat hackers. This article continues to discuss some of the vulnerabilities addressed in Microsoft's September Patch Tuesday update.

Dark Reading reports "Microsoft Quashes Actively Exploited Zero-Day, Wormable Critical Bugs"