VERT Threat Alert: September 2022 Patch Tuesday Analysis

Today’s VERT Alert addresses Microsoft’s September 2022 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-1021 on Wednesday, September 14th.

In-The-Wild & Disclosed CVEs

CVE-2022-23960

The first disclosed vulnerability this month is Spectre-BHB that is discussed in great detail on arm Developer. The Microsoft update for this vulnerability only applies to Windows 11 for ARM64-based systems. It is likely that impacted systems are not widely deployed across most organizations.

CVE-2022-37969

A vulnerability in the Windows Common Log File System (CLFS) Driver allows for SYSTEM level code execution when successfully exploited on a system. This local vulnerability has already seen exploitation in-the-wild and was jointly reported by a number of organizations. The update for this vulnerability should be applied as soon as possible due to the active exploitation that is ongoing.

CVE Breakdown by Tag

While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis. Vulnerabilities are also color coded to aid with identifying key issues.

• Traditional Software
• Mobile Software
• Cloud or Cloud Adjacent
• Vulnerabilities that are being exploited or that have been disclosed are listed in red