Microsoft’s monthly shipment of patches covers 68 vulnerabilities, 10 of which are rated as critical.
Of the critical vulnerabilities, the SANS Institute said one is under active exploitation: CVE-2022-41128, a remote code execution (RCE) bug in the Windows Scripting Language.
The SANS institute describes it as impacting the JScript9 language.
The attacker would have to persuade a victim to visit a crafted website (probably in some kind of phishing attack): “It would not be hard for an attacker to accomplish this kind of interaction which makes this vulnerability worthy of special attention", the institute’s Patch Wednesday post states.
There are three critical RCEs patched in the Windows point-to-point tunneling protocol (CVE-2022-41039, CVE-2022-41044 and CVE-2022-41088).
There is also an Exchange Server privilege escalation (CVE-2022-41080), two escalation of privilege vulnerabilities in Windows Kerberos (CVE-2022-37966 and CVE-2022-37967), a denial-of-service vulnerability in Windows Hyper-V (CVE-2022-38015), and a code injection vulnerability in the Azure command line interface (CVE-2022-39327).
In addition to the Windows scripting vulnerability, three other patches were for bugs under exploitation, but none of them reached a critical rating.
They are: a privilege escalation in the Windows CNG key isolation service (CVE-2022-41125); a privilege escalation in the print spooler (CVE-2022-41073); and a Windows Mark of the Web bug (CVE-2022-41091).