Update Microsoft products for zero-day vulnerability
This message was sent to U-M IT groups on Friday, September 16, 2022. It is intended for U-M IT staff who are responsible for university computers with Microsoft products installed, and it applies to both UM-owned and personally-owned devices.
Summary
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution of a logged-in user. Microsoft has released patches/updates to address the vulnerabilities.
Three of the vulnerabilities, which allow for remote code execution (RCE) or privilege escalation, are reportedly being exploited and are fixed by the patch:
- Zero-day privilege escalation vulnerability affecting already compromised systems, CVE-2022-37969 (Windows Common Log File System Driver Elevation of Privilege Vulnerability).
- Vulnerability that requires a threat actor to trick a user to visit a website and open a specially crafted file, CVE-2022-34713 (Microsoft Windows Support Diagnostic Tool (MSDT) RCE Vulnerability).
- Vulnerability in which a threat actor could trick a user to open a Microsoft Office document containing a malicious ActiveX control that hosts the browser rendering engine, CVE-2021-40444 (Microsoft MSHTML Remote Code Execution Vulnerability).
Problem
The zero-day privilege escalation vulnerability impacting the Windows Common Log File System Driver could be used to gain system privileges on an already compromised system. According to Microsoft, "An attacker must already have access and the ability to run code on the target system. This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system.”
Threats
The zero-day privilege escalation vulnerability, CVE-2022-37969 (Windows Common Log File System Driver), and two RCE vulnerabilities (CVE-2021-40444 and CVE-2022-34713) have been reported by Microsoft as currently being exploited in the wild.
Affected Systems
Multiple Microsoft products are affected, including Microsoft Office, Windows, Windows Server, Edge, and more. See the full list at Microsoft: September 2022 Security Updates.
Action Items
- Update affected systems immediately after appropriate testing. Prioritize systems that are accessible from the internet and systems that are sensitive or critical.
- MiWorkspace and MiServer Managed OS machines will update the OS for you pending internal testing. Customers are urged to update MS and third-party apps as soon as possible.
How We Protect U-M
- ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.
- IA works closely with others in Information Technology Services (ITS) and U-M units to ensure timely patching of systems. MiWorkspace, MiServer, and other ITS-managed systems and devices are updated as soon as possible after appropriate testing.
- IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
- IA provides vulnerability management guidance to the university.
Information for Users
MiWorkspace machines will be updated as soon as possible. If you have Microsoft software on your personal computer, it is best to set them to update automatically when you can.
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- MS-ISAC Cybersecurity Advisory (Center for Internet Security, 9/13/22)
- Microsoft September 2022 Patch Tuesday fixes zero-day used in attacks, 63 flaws (Bleeping Computer, 9/13/22)
- Microsoft's Latest Security Update Fixes 64 New Flaws, Including a Zero-Day (The Hacker News, 9/14/22)
- New Microsoft Windows Zero-Day Attack Confirmed: Update Now (Forbes, 9/14/22)
- Microsoft patches a new zero-day affecting all versions of Windows (Tech Crunch, 9/14/22)