Today’s VERT Alert addresses Microsoft’s September 2022 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-1021 on Wednesday, September 14th.

In-The-Wild & Disclosed CVEs

CVE-2022-23960

The first disclosed vulnerability this month is Spectre-BHB that is discussed in great detail on arm Developer. The Microsoft update for this vulnerability only applies to Windows 11 for ARM64-based systems. It is likely that impacted systems are not widely deployed across most organizations.

CVE-2022-37969

A vulnerability in the Windows Common Log File System (CLFS) Driver allows for SYSTEM level code execution when successfully exploited on a system. This local vulnerability has already seen exploitation in-the-wild and was jointly reported by a number of organizations. The update for this vulnerability should be applied as soon as possible due to the active exploitation that is ongoing.

CVE Breakdown by Tag

While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis. Vulnerabilities are also color coded to aid with identifying key issues.

  • Traditional Software
  • Mobile Software
  • Cloud or Cloud Adjacent
  • Vulnerabilities that are being exploited or that have been disclosed are listed in red
Tag CVE Count CVEs
Windows IKE Extension 3 CVE-2022-34720, CVE-2022-34721, CVE-2022-34722
HTTP.sys 1 CVE-2022-35838
Windows Group Policy 1 CVE-2022-37955
Windows DPAPI (Data Protection Application Programming Interface) 1 CVE-2022-34723

Windows Enterprise App Management

1 CVE-2022-35841
Windows Common Log File System Driver 2 CVE-2022-35803, CVE-2022-37969
Cache Speculation 1 CVE-2022-23960
Microsoft Office SharePoint 4 CVE-2022-35823, CVE-2022-38008, CVE-2022-38009, CVE-2022-37961
Azure Arc 1 CVE-2022-38007
Visual Studio Code 1 CVE-2022-38020
Windows Photo Import API 1 CVE-2022-26928
Microsoft Office Visio 2 CVE-2022-38010, CVE-2022-37963
Microsoft Graphics Component 5 CVE-2022-35837, CVE-2022-34728, CVE-2022-34729, CVE-2022-37954, CVE-2022-38006
SPNEGO Extended Negotiation 1 CVE-2022-37958
Windows Event Tracing 1 CVE-2022-35832
Windows Kernel (Read more...)