Patch Tuesday October 2022: 85 patches released by Microsoft

It’s almost the end of 2022 and we’ve already reached October, which means the temperatures are slowly but surely starting to drop, so we can get our winter coats out.

Furthermore, it’s the second Tuesday of the month, which means that Windows users are looking towards Microsoft in hopes that some of the flaws they’ve been struggling with will finally get fixed.

We’ve already provided the direct download links for the cumulative updates released today for Windows 7, 8.1, 10, and 11, but now it’s time to talk about Critical Vulnerabilities and Exposures again.

For October, Microsoft released 85 new patches, which is a lot more than some people were expecting in the middle of autumn.

These software updates address CVEs in:

• Microsoft Windows and Windows Components
• Azure, Azure Arc, and Azure DevOps
• Microsoft Edge (Chromium-based)
• Office and Office Components
• Visual Studio Code
• Active Directory Domain Services and Active Directory Certificate Services
• Nu Get Client
• Hyper-V
• Windows Resilient File System (ReFS)

The month of October comes with 85 new security updates

It’s pretty much safe to say that this wasn’t either the busiest or the lightest month for Redmond-based security experts and developers.

You might like to know that, out of the 85 new CVEs released, 15 are rated as Critical, 69 are rated Important, and only one is rated Moderate in severity.

Looking back, we can say that this volume is somewhat in line with what we’ve seen in previous October releases, however, it sets Microsoft on track to exceed its 2021 total.

And, if that were to happen, 2022 would the second busiest year for Microsoft CVEs, so keep that in mind if you want to compare it to other periods.

Know that one of the new CVEs released this month is listed as publicly known and one other is listed as being in the wild at the time of release.

We are going to take a closer look at the patches released in October 2022 and rank them by severity, type, and active exploitation status.

This October 2022 patch release also includes fixes for 11 information disclosure bugs, including one in Office that’s listed as publicly known.

The rest of the info disclosure vulnerabilities only result in leaks consisting of unspecified memory contents, according to experts.

However, the bug in the Web Account Manager could allow an attacker to view unbound refresh tokens issued by one cloud on a different cloud.

Also, the patches for Visual Studio Code and the Mixed Reality Developer Tools fix disclosure bugs that could allow reading from the file system.

That being said, know that the final info disclosure bug fixed this month could allow reading from the HKLM hive of the registry which you normally would not have access to.

Furthermore, eight different DoS vulnerabilities were patched this month, the most interesting being the DoS in TCP/IP, which could be exploited by remote, unauthenticated attackers and does not require user interaction.

This update rollout is rounded out by five spoofing bugs, including the lone Moderate-rated fix, which addresses a spoofing vulnerability in Microsoft Edge (Chromium-based).

Looking forward, the next Patch Tuesday security update rollout will be on the 8th of November, which is a bit sooner than some expected it.

Have you found any other issues after installing this month’s security updates? Share your opinion in the comments section below.