Microsoft fixes 64 CVEs through the September 2022 Patch Tuesday rollout
7 min. read
Updated on
Share this article
Improve this guide
Read our disclosure page to find out how can you help Windows Report sustain the editorial team Read more
Key notes
- Check out the entire list of updates released via this month's Patch Tuesday event.
- September 2022 comes with a whopping 64 new updates for various Windows CVEs.
- Out of all the CVEs, know that 5 are rated Critical and 57 are rated Important.
We’ve already reached September and the temperatures are slowly but surely starting to drop, so we can turn off the fans and air conditioning units and simply relax.
It’s the second Tuesday of the month, which means that Windows users are looking towards Microsoft in hopes that some of the flaws they’ve been struggling with will finally get fixed.
We’ve already provided the direct download links for the cumulative updates released today for Windows 7, 8.1, 10, and 11, but now it’s time to talk about Critical Vulnerabilities and Exposures again.
For September, Microsoft released 64 new patches, which is a lot more than some people were expecting right as the summer ended.
These software updates address CVEs in:
- Microsoft Windows and Windows Components
- Azure and Azure Arc
- .NET and Visual Studio and .NET Framework
- Microsoft Edge (Chromium-based)
- Office and Office Components
- Windows Defender
- Linux Kernel
September comes with 64 new security updates
We consider that it’s safe to say that this wasn’t either the busiest or the lightest month for Redmond-based security experts.
You might like to know that, out of the 64 new CVEs released, five are rated Critical, 57 are rated Important, one is rated Moderate, and one is rated Low in severity.
Out of all these vulnerabilities, one CVE is listed as publicly known and under active attack at the time of this Patch Tuesday release.
The one under active attack, meaning the bug in the Common Log File System (CLFS), allows an authenticated attacker to execute code with elevated privileges.
Keep in mind that this type of bug is often wrapped into some form of social engineering attack, such as convincing someone to open a file or click a link.
And, once they take the bait, additional code executes with elevated privileges to take over a system, and it’s basically checkmate.
| CVE | Title | Severity | CVSS | Public | Exploited | Type |
| CVE-2022-37969 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | Yes | Yes | EoP |
| CVE-2022-23960 * | Arm: CVE-2022-23960 Cache Speculation Restriction Vulnerability | Important | N/A | Yes | No | Info |
| CVE-2022-34700 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2022-35805 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2022-34721 | Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2022-34722 | Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2022-34718 | Windows TCP/IP Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2022-38013 | .NET Core and Visual Studio Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-26929 | .NET Framework Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-38019 | AV1 Video Extension Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-38007 | Azure Guest Configuration and Azure Arc-enabled servers Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37954 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-35838 | HTTP V3 Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-35828 | Microsoft Defender for Endpoint for Mac Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-34726 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-34727 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-34730 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-34732 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-34734 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-37963 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-38010 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-34731 | Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-34733 | Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-35834 | Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-35835 | Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-35836 | Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-35840 | Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-37962 | Microsoft PowerPoint Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-35823 | Microsoft SharePoint Remote Code Execution Vulnerability | Important | 8.1 | No | No | RCE |
| CVE-2022-37961 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-38008 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-38009 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-37959 | Network Device Enrollment Service (NDES) Security Feature Bypass Vulnerability | Important | 6.5 | No | No | SFB |
| CVE-2022-38011 | Raw Image Extension Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE |
| CVE-2022-35830 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important | 8.1 | No | No | RCE |
| CVE-2022-37958 | SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
| CVE-2022-38020 | Visual Studio Code Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP |
| CVE-2022-34725 | Windows ALPC Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-35803 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-30170 | Windows Credential Roaming Service Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP |
| CVE-2022-34719 | Windows Distributed File System (DFS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-34724 | Windows DNS Server Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-34723 | Windows DPAPI (Data Protection Application Programming Interface) Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-35841 | Windows Enterprise App Management Service Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-35832 | Windows Event Tracing Denial of Service Vulnerability | Important | 5.5 | No | No | DoS |
| CVE-2022-38004 | Windows Fax Service Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-34729 | Windows GDI Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-38006 | Windows Graphics Component Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2022-34728 | Windows Graphics Component Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-35837 | Windows Graphics Component Information Disclosure Vulnerability | Important | 5 | No | No | Info |
| CVE-2022-37955 | Windows Group Policy Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-34720 | Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-33647 | Windows Kerberos Elevation of Privilege Vulnerability | Important | 8.1 | No | No | EoP |
| CVE-2022-33679 | Windows Kerberos Elevation of Privilege Vulnerability | Important | 8.1 | No | No | EoP |
| CVE-2022-37956 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37957 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-37964 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-30200 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-26928 | Windows Photo Import API Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-38005 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-35831 | Windows Remote Access Connection Manager Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-30196 | Windows Secure Channel Denial of Service Vulnerability | Important | 8.2 | No | No | DoS |
| CVE-2022-35833 | Windows Secure Channel Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-38012 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Low | 7.7 | No | No | RCE |
| CVE-2022-3038 | Chromium: CVE-2022-3038 Use after free in Network Service | Critical | N/A | No | No | RCE |
| CVE-2022-3075 | Chromium: CVE-2022-3075 Insufficient data validation in Mojo | High | N/A | No | Yes | RCE |
| CVE-2022-3039 | Chromium: CVE-2022-3039 Use after free in WebSQL | High | N/A | No | No | RCE |
| CVE-2022-3040 | Chromium: CVE-2022-3040 Use after free in Layout | High | N/A | No | No | RCE |
| CVE-2022-3041 | Chromium: CVE-2022-3041 Use after free in WebSQL | High | N/A | No | No | RCE |
| CVE-2022-3044 | Chromium: CVE-2022-3044 Inappropriate implementation in Site Isolation | High | N/A | No | No | N/A |
| CVE-2022-3045 | Chromium: CVE-2022-3045 Insufficient validation of untrusted input in V8 | High | N/A | No | No | RCE |
| CVE-2022-3046 | Chromium: CVE-2022-3046 Use after free in Browser Tag | High | N/A | No | No | RCE |
| CVE-2022-3047 | Chromium: CVE-2022-3047 Insufficient policy enforcement in Extensions API | Medium | N/A | No | No | SFB |
| CVE-2022-3053 | Chromium: CVE-2022-3053 Inappropriate implementation in Pointer Lock | Medium | N/A | No | No | N/A |
| CVE-2022-3054 | Chromium: CVE-2022-3054 Insufficient policy enforcement in DevTools | Medium | N/A | No | No | SFB |
| CVE-2022-3055 | Chromium: CVE-2022-3055 Use after free in Passwords | Medium | N/A | No | No | RCE |
| CVE-2022-3056 | Chromium: CVE-2022-3056 Insufficient policy enforcement in Content Security Policy | Low | N/A | No | No | SFB |
| CVE-2022-3057 | Chromium: CVE-2022-3057 Inappropriate implementation in iframe Sandbox | Low | N/A | No | No | EoP |
| CVE-2022-3058 | Chromium: CVE-2022-3058 Use after free in Sign-In Flow | Low | N/A | No | No | RCE |
Microsoft mentioned that out of the Critical-rated updates, there are two for Windows Internet Key Exchange (IKE) Protocol Extensions that could also be classified as wormable.
In both cases, only users that are working on systems running IPSec are affected, so make sure you remember that.
Furthermore, we are also looking at two Critical-rated vulnerabilities in Dynamics 365 that could allow an authenticated user to perform SQL injection attacks and execute commands as db_owner within their Dynamics 356 database.
Let’s move on and look at the seven different DoS vulnerabilities patched this month, including the DNS bug previously mentioned above.
The tech giant said that two bugs in the secure channel would allow an attacker to crash a TLS by sending specially crafted packets.
Let’s not forget about the DoS in IKE, but unlike the code execution bugs listed above, no IPSec requirements are listed here.
The September 2022 rollout includes a fix for a lone security feature bypass in Network Device Enrollment (NDES) Service, where an attacker could bypass the service’s cryptographic service provider.
Looking forward, the next Patch Tuesday security update rollout will be on the 11th of October, which is a bit sooner than some expected it.
Have you found any other issues after installing this month’s security updates? Share your opinion in the comments section below.
