Patch Tuesday October 2022: 85 patches released by Microsoft
8 min. read
Published on
Read the affiliate disclosure page to find out how can you help Windows Report effortlessly and without spending any money. Read more
Key notes
- Check out the entire list of updates released via this month's Patch Tuesday event.
- October 2022 comes with a whopping 64 new updates for various Windows CVEs.
- Out of all the CVEs, 15 are rated Critical, 69 are Important, and one is Moderate.
It’s almost the end of 2022 and we’ve already reached October, which means the temperatures are slowly but surely starting to drop, so we can get our winter coats out.
Furthermore, it’s the second Tuesday of the month, which means that Windows users are looking towards Microsoft in hopes that some of the flaws they’ve been struggling with will finally get fixed.
We’ve already provided the direct download links for the cumulative updates released today for Windows 7, 8.1, 10, and 11, but now it’s time to talk about Critical Vulnerabilities and Exposures again.
For October, Microsoft released 85 new patches, which is a lot more than some people were expecting in the middle of autumn.
These software updates address CVEs in:
- Microsoft Windows and Windows Components
- Azure, Azure Arc, and Azure DevOps
- Microsoft Edge (Chromium-based)
- Office and Office Components
- Visual Studio Code
- Active Directory Domain Services and Active Directory Certificate Services
- Nu Get Client
- Hyper-V
- Windows Resilient File System (ReFS)
The month of October comes with 85 new security updates
It’s pretty much safe to say that this wasn’t either the busiest or the lightest month for Redmond-based security experts and developers.
You might like to know that, out of the 85 new CVEs released, 15 are rated as Critical, 69 are rated Important, and only one is rated Moderate in severity.
Looking back, we can say that this volume is somewhat in line with what we’ve seen in previous October releases, however, it sets Microsoft on track to exceed its 2021 total.
And, if that were to happen, 2022 would the second busiest year for Microsoft CVEs, so keep that in mind if you want to compare it to other periods.
Know that one of the new CVEs released this month is listed as publicly known and one other is listed as being in the wild at the time of release.
We are going to take a closer look at the patches released in October 2022 and rank them by severity, type, and active exploitation status.
CVE | Title | Severity | CVSS | Public | Exploited | Type |
CVE-2022-41033 | Windows COM+ Event System Service Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
CVE-2022-41043 | Microsoft Office Information Disclosure Vulnerability | Important | 4 | Yes | No | Info |
CVE-2022-37976 | Active Directory Certificate Services Elevation of Privilege Vulnerability | Critical | 8.8 | No | No | EoP |
CVE-2022-37968 | Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability | Critical | 10 | No | No | EoP |
CVE-2022-38049 | Microsoft Office Graphics Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
CVE-2022-38048 | Microsoft Office Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
CVE-2022-41038 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
CVE-2022-34689 | Windows CryptoAPI Spoofing Vulnerability | Critical | 7.5 | No | No | Spoofing |
CVE-2022-41031 | Microsoft Word Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
CVE-2022-37979 | Windows Hyper-V Elevation of Privilege Vulnerability | Critical | 7.8 | No | No | EoP |
CVE-2022-30198 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
CVE-2022-24504 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
CVE-2022-33634 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
CVE-2022-22035 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
CVE-2022-38047 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
CVE-2022-38000 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
CVE-2022-41081 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
CVE-2022-38042 | Active Directory Domain Services Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
CVE-2022-38021 | Connected User Experiences and Telemetry Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-38036 | Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2022-37977 | Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
CVE-2022-37983 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-38040 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2022-38001 | Microsoft Office Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
CVE-2022-41036 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2022-41037 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2022-38053 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2022-37982 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2022-38031 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2022-37971 | Microsoft Windows Defender Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
CVE-2022-41032 | NuGet Client Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-38045 | Server Service Remote Protocol Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
CVE-2022-35829 | Service Fabric Explorer Spoofing Vulnerability | Important | 6.2 | No | No | Spoofing |
CVE-2022-38017 | StorSimple 8000 Series Elevation of Privilege Vulnerability | Important | 6.8 | No | No | EoP |
CVE-2022-41083 | Visual Studio Code Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-41042 | Visual Studio Code Information Disclosure Vulnerability | Important | 7.4 | No | No | Info |
CVE-2022-41034 | Visual Studio Code Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-38046 | Web Account Manager Information Disclosure Vulnerability | Important | 6.2 | No | No | Info |
CVE-2022-38050 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-37978 | Windows Active Directory Certificate Services Security Feature Bypass | Important | 7.5 | No | No | SFB |
CVE-2022-38029 | Windows ALPC Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-38044 | Windows CD-ROM File System Driver Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-37989 | Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-37987 | Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-37980 | Windows DHCP Client Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-38026 | Windows DHCP Client Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2022-38025 | Windows Distributed File System (DFS) Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2022-37970 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-37981 | Windows Event Logging Service Denial of Service Vulnerability | Important | 4.3 | No | No | DoS |
CVE-2022-33635 | Windows GDI+ Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-38051 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-37997 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-37985 | Windows Graphics Component Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2022-37975 | Windows Group Policy Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-37999 | Windows Group Policy Preference Client Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-37993 | Windows Group Policy Preference Client Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-37994 | Windows Group Policy Preference Client Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-37995 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-37988 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-38037 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-38038 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-37990 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-38039 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-37991 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-38022 | Windows Kernel Elevation of Privilege Vulnerability | Important | 2.5 | No | No | EoP |
CVE-2022-37996 | Windows Kernel Memory Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2022-38016 | Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
CVE-2022-37998 | Windows Local Session Manager (LSM) Denial of Service Vulnerability | Important | 7.7 | No | No | DoS |
CVE-2022-37973 | Windows Local Session Manager (LSM) Denial of Service Vulnerability | Important | 7.7 | No | No | DoS |
CVE-2022-37974 | Windows Mixed Reality Developer Tools Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2022-35770 | Windows NTLM Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
CVE-2022-37965 | Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability | Important | 5.9 | No | No | DoS |
CVE-2022-38032 | Windows Portable Device Enumerator Service Security Feature Bypass Vulnerability | Important | 5.9 | No | No | SFB |
CVE-2022-38028 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-38003 | Windows Resilient File System Elevation of Privilege | Important | 7.8 | No | No | EoP |
CVE-2022-38041 | Windows Secure Channel Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2022-38043 | Windows Security Support Provider Interface Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2022-38033 | Windows Server Remotely Accessible Registry Keys Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2022-38027 | Windows Storage Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-33645 | Windows TCP/IP Driver Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2022-38030 | Windows USB Serial Driver Information Disclosure Vulnerability | Important | 4.3 | No | No | Info |
CVE-2022-37986 | Windows Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-37984 | Windows WLAN Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-38034 | Windows Workstation Service Elevation of Privilege Vulnerability | Important | 4.3 | No | No | EoP |
CVE-2022-41035 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Moderate | 8.3 | No | No | Spoofing |
CVE-2022-3304 | Chromium: CVE-2022-3304 Use after free in CSS | High | N/A | No | No | RCE |
CVE-2022-3307 | Chromium: CVE-2022-3307 Use after free in Media | High | N/A | No | No | RCE |
CVE-2022-3370 | Chromium: CVE-2022-3370 Use after free in Custom Elements | High | N/A | No | No | RCE |
CVE-2022-3373 | Chromium: CVE-2022-3373 Out of bounds write in V8 | High | N/A | No | No | RCE |
CVE-2022-3308 | Chromium: CVE-2022-3308 Insufficient policy enforcement in Developer Tools | Medium | N/A | No | No | SFB |
CVE-2022-3310 | Chromium: CVE-2022-3310 Insufficient policy enforcement in Custom Tabs | Medium | N/A | No | No | SFB |
CVE-2022-3311 | Chromium: CVE-2022-3311 Use after free in Import | Medium | N/A | No | No | RCE |
CVE-2022-3313 | Chromium: CVE-2022-3313 Incorrect security UI in Full Screen | Medium | N/A | No | No | SFB |
CVE-2022-3315 | Chromium: CVE-2022-3315 Type confusion in Blink | Medium | N/A | No | No | RCE |
CVE-2022-3316 | Chromium: CVE-2022-3316 Insufficient validation of untrusted input in Safe Browsing | Low | N/A | No | No | Spoofing |
CVE-2022-3317 | Chromium: CVE-2022-3317 Insufficient validation of untrusted input in Intents | Low | N/A | No | No | Spoofing |
This October 2022 patch release also includes fixes for 11 information disclosure bugs, including one in Office that’s listed as publicly known.
The rest of the info disclosure vulnerabilities only result in leaks consisting of unspecified memory contents, according to experts.
However, the bug in the Web Account Manager could allow an attacker to view unbound refresh tokens issued by one cloud on a different cloud.
Also, the patches for Visual Studio Code and the Mixed Reality Developer Tools fix disclosure bugs that could allow reading from the file system.
That being said, know that the final info disclosure bug fixed this month could allow reading from the HKLM hive of the registry which you normally would not have access to.
Furthermore, eight different DoS vulnerabilities were patched this month, the most interesting being the DoS in TCP/IP, which could be exploited by remote, unauthenticated attackers and does not require user interaction.
This update rollout is rounded out by five spoofing bugs, including the lone Moderate-rated fix, which addresses a spoofing vulnerability in Microsoft Edge (Chromium-based).
Looking forward, the next Patch Tuesday security update rollout will be on the 8th of November, which is a bit sooner than some expected it.
Have you found any other issues after installing this month’s security updates? Share your opinion in the comments section below.