Microsoft Releases Information on 100+ Vulnerabilities
In its Patch Tuesday release on August 9, 2022, Microsoft provided information on more than 120 vulnerabilities, 17 of which it rates Critical. Two of the vulnerabilities (both rated Important, not Critical) are "zero-days": one was already being exploited in the wild, and the other had been publicly disclosed before a fix was available.
Zero-day vulnerabilities
CVE-2022-34713
This vulnerability, commonly known as "DogWalk", has a CVSS score of 7.8 and is a remote code execution flaw in the Microsoft Windows Support Diagnostic Tool (MSDT), the same component affected by CVE-2022-30190 ("Follina"). Microsoft reports that exploitation has been detected in the wild.
Exploitation requires user interaction. The attacker uses social engineering to persuade a user to open a specially crafted file, delivered by email or hosted on a website. Although the attack vector is local (the user has to open the file), a successful attack gives the attacker code execution in the context of the logged-on user, compromising the device.
Microsoft's mitigation is the August 2022 security update; we recommend deploying it immediately.
CVE-2022-30134
This vulnerability, scored 7.6 on CVSS, is an elevation-of-privilege flaw in Microsoft Exchange Server. It can be exploited over the network without any user interaction, and a successful attacker could read targeted email messages. It was publicly disclosed before the patch (which is why it counts as a zero-day), but Microsoft has not observed exploitation.
Installing the August 2022 Exchange Server Security Update is not sufficient on its own: Microsoft notes that Windows Extended Protection must also be enabled on Exchange for the fix to be fully effective. Organizations should work with their IT teams to enable it and should read the following from Microsoft for prerequisites and instructions:
- Exchange Server Support for Windows Extended Protection
- Released: August 2022 Exchange Server Security Updates
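Extended Protection is an IIS setting, not an Exchange one: it is the tokenChecking attribute of the extendedProtection element under windowsAuthentication in applicationHost.config, and "None" (the IIS default, also what an absent element means) leaves the virtual directory without channel binding. Microsoft's supported way to turn it on is the ExchangeExtendedProtectionManagement.ps1 script referenced in the documents above; the script below is an added audit example, not Microsoft's or ACA's tooling. It parses a constructed applicationHost.config fragment (not from any real server) and lists the Windows-authenticated locations where Extended Protection is still off. Which value each Exchange virtual directory must have ("Require" versus "Allow") is defined in Microsoft's documentation, so this example only flags the unambiguous case of "None".

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment in the shape IIS uses for
# per-virtual-directory settings. It is not taken from any real server.
# Extended Protection is configured on <extendedProtection> under
# windowsAuthentication; tokenChecking="None" means it is off.
SAMPLE_APPHOST = """<configuration>
  <location path="Default Web Site/owa">
    <system.webServer>
      <security>
        <authentication>
          <windowsAuthentication enabled="true">
            <extendedProtection tokenChecking="None" flags="None" />
          </windowsAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>
  <location path="Default Web Site/EWS">
    <system.webServer>
      <security>
        <authentication>
          <windowsAuthentication enabled="true">
            <extendedProtection tokenChecking="Require" flags="None" />
          </windowsAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>
  <location path="Default Web Site/Autodiscover">
    <system.webServer>
      <security>
        <authentication>
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
  <location path="Default Web Site/Public">
    <system.webServer>
      <security>
        <authentication>
          <windowsAuthentication enabled="false" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
"""


def audit_extended_protection(apphost_xml):
    """Map each location that uses Windows authentication to its tokenChecking mode.

    A missing <extendedProtection> element is reported as "None", which is the
    IIS default and means Extended Protection is not enforced there.
    """
    root = ET.fromstring(apphost_xml)
    modes = {}
    for loc in root.iter("location"):
        win = loc.find(".//windowsAuthentication")
        if win is None or win.get("enabled", "false").lower() != "true":
            continue  # no Windows auth here, so channel binding does not apply
        ep = win.find("extendedProtection")
        modes[loc.get("path", "")] = ep.get("tokenChecking", "None") if ep is not None else "None"
    return modes


def unprotected_locations(apphost_xml):
    """Locations where Extended Protection is switched off entirely."""
    return sorted(p for p, m in audit_extended_protection(apphost_xml).items() if m == "None")


if __name__ == "__main__":
    for path, mode in audit_extended_protection(SAMPLE_APPHOST).items():
        print(f"{path}: tokenChecking={mode}")
    print("needs attention:", unprotected_locations(SAMPLE_APPHOST))
```

Run it against a copy of %windir%\System32\inetsrv\config\applicationHost.config from each Exchange server. Before enabling Extended Protection, check the prerequisites in Microsoft's documentation, in particular that no device in front of Exchange terminates or offloads TLS, since channel binding fails when the TLS session the client sees is not the one Exchange sees.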
Our guidance
In addition to the remediation steps Microsoft recommends, we recommend a refresher that reminds employees of the danger of phishing and of the precautions that help them avoid the kind of social engineering used to exploit CVE-2022-34713:
- Never trust the "From" field in an email; the display name and even the address can be forged
- On a computer, hover over links with the cursor before clicking them to see the real destination and gauge whether the domain is legitimate
- Contact the IT department when in doubt about an unfamiliar or suspicious link
- Create bookmarks for frequently visited websites so you are not relying on emailed links to reach them
- Do not download or open attachments from an unsolicited source
- Be cautious of alarmist email subject lines (e.g., "urgent", "transfer", "request", etc.)
- Validate email requests with a callback to a contact you already have on file, or visit the organization's legitimate website to find a callback number
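The first, second and sixth points above are mechanical checks, and the same checks can be applied in code to messages hitting a mailbox or a triage queue. The script below is an added example written for this alert, not ACA's or Microsoft's tooling. It parses a constructed sample message (not a real phishing email; the victim's organization is assumed to be example.com and the attacker's hosts sit under example.net) and reports a From domain outside the organization, Return-Path and Reply-To headers that disagree with From, pressure words in the subject, and links whose visible URL text points at a different host than the real href.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example; it is not a real phishing
# email. The corporate domain is assumed to be example.com and the
# attacker-controlled hosts sit under example.net.
SAMPLE_EML = """From: "IT Helpdesk" <helpdesk@it-support-portal.example.net>
Return-Path: <bounce@mail-relay.example.net>
Reply-To: <helpdesk@freemail.example.net>
To: user@example.com
Subject: URGENT: password reset request
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Reset it here:</p>
<a href="https://example-com-login.example.net/reset">https://sso.example.com/reset</a>
</body></html>
"""

# Words that pressure the reader into acting quickly (the alert's own list plus two).
ALARM_WORDS = ("urgent", "transfer", "request", "immediately", "suspended")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(header_value):
    """Domain part of the real address, ignoring the display name."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def host_of(url):
    return (urlparse(url.strip()).hostname or "").lower()


def analyze(raw_message, org_domain):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # "Never trust the From field": check the real domain, not the display name.
    from_dom = domain_of(str(msg["From"] or ""))
    if from_dom != org_domain and not from_dom.endswith("." + org_domain):
        findings.append(f"From domain {from_dom!r} is outside {org_domain!r}")

    # Envelope sender and Reply-To that disagree with From are a classic tell.
    for hdr in ("Return-Path", "Reply-To"):
        dom = domain_of(str(msg[hdr] or ""))
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom!r} does not match From domain {from_dom!r}")

    # Alarmist subject lines.
    subject = str(msg["Subject"] or "").lower()
    hits = [w for w in ALARM_WORDS if w in subject]
    if hits:
        findings.append("Subject uses pressure words: " + ", ".join(hits))

    # "Hover before you click": visible URL text vs. the real href target.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = LinkExtractor()
        extractor.feed(body.get_content())
        for href, text in extractor.links:
            if text.lower().startswith(("http://", "https://")) and host_of(text) != host_of(href):
                findings.append(f"Link text shows {host_of(text)!r} but points to {host_of(href)!r}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EML, "example.com"):
        print("-", finding)
```

Each finding on its own is only a signal (legitimate newsletters routinely have a Return-Path on a third-party relay), so treat the output as triage input rather than a verdict; the link-text check is the one that most directly reproduces what a user sees when hovering, and it is the hardest for an attacker to avoid while still showing a convincing URL.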
How we help
ACA provides services to help organizations tackle threats such as phishing:
- Phishing tests that deploy a targeted email campaign to measure employees' ability to identify and handle phishing threats
- Regulatory and cyber risk alerts and insights that keep you current with cybersecurity, privacy and regulatory trends and emerging threats
Learn more about our solutions here.
For questions about this alert, or to find out how we can help you meet your regulatory cybersecurity obligations, please reach out to your trusted cyber advisor or contact us.