“This month, Microsoft patched CVE-2022-41033, an elevation of privilege vulnerability in the Windows COM+ Event System Service, which enables system event notifications for COM+ components. An authenticated attacker could execute a specially crafted application designed to exploit this vulnerability on a vulnerable system. Successful exploitation would grant an attacker the ability to execute privileges as SYSTEM. Microsoft reports that this vulnerability has been exploited in the wild, though no specific details have been shared about its exploitation. It was reported to Microsoft by an anonymous individual. While elevation of privilege vulnerabilities require an attacker to gain access to a system through other means, they are still a valuable tool in an attacker’s toolbox, and this month’s Patch Tuesday has no shortage of elevation of privilege flaws, as Microsoft patched 39, accounting for nearly half of the bugs patched (46.4%).
“Notably absent from this month’s Patch Tuesday are patches for the pair of zero-day vulnerabilities in Microsoft Exchange Server, CVE-2022-41040 and CVE-2022-41082, also known as ProxyNotShell. We expected Microsoft to issue patches for these flaws soon considering there have been reports of in-the-wild exploitation.” — Satnam Narang, Sr. Staff Research Engineer, Tenable