Patch Tuesday August 2022 – Microsoft Fixes 21 Vulnerabilities, Including a Zero-Day Bug
Zero-Day Exploited Allowed Remote Code Execution without Authentication
As part of the August’s Patch Tuesday, Microsoft has released fixes for 21 common vulnerabilities. The list also includes a fix for a zero-day bug that was first identified in December 2020. Per Microsoft’s evaluation, the vulnerability required no authentication and could have been remotely exploited.
Patch Tuesday August Roundup
Not much to report on the patching front; per its usual monthly routine, Microsoft delivered several improvements and fixes to the Chromium-base browser engine. To name a few, we have fixes for issues such as Heap buffer overflow in pdf, Use-after-free in Offline, Insufficient validation of untrusted input in Internals, Use-after-free in Extensions API, and, of course, Side-channel information leakage in Keyboard input.
This month’s highlight is definitely CVE-2021-42276 aka the Chakra Scripting Engine Memory Corruption Vulnerability. Microsoft’s zero-day hit has quite an interesting history; it was discovered in 2020, cataloged in 2021, and received a fix in August 2022. The issue affected both Edge and web browsers that used the ChakraCore engine.
CVE-2021-42276 was traced back to a defective Chakra Scripting Engine memory buffer. If successfully exploited, the issue would’ve allowed a threat actor to read and write information to any memory location. Why is the Chakra Scripting Engine Memory Corruption vulnerability considered a zero-day threat? Per Microsoft’s evaluation, the vulnerability could have been exploited regardless of the authentication level, meaning that the threat actor doesn’t require elevated privileges in order to leverage the issue. CVE-2021-42776 was labeled as fixed. The full list of fixes can be found below.
| Release Date | CVE Number | CVE Title |
|---|---|---|
| Aug 5, 2022 | CVE-2022-35796 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
| Aug 5, 2022 | CVE-2022-33649 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability |
| Aug 5, 2022 | CVE-2022-33636 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability |
| Aug 5, 2022 | CVE-2022-2624 | Chromium: CVE-2022-2624 Heap buffer overflow in PDF |
| Aug 5, 2022 | CVE-2022-2623 | Chromium: CVE-2022-2623 Use after free in Offline |
| Aug 5, 2022 | CVE-2022-2622 | Chromium: CVE-2022-2622 Insufficient validation of untrusted input in Safe Browsing |
| Aug 5, 2022 | CVE-2022-2621 | Chromium: CVE-2022-2621 Use after free in Extensions |
| Aug 5, 2022 | CVE-2022-2619 | Chromium: CVE-2022-2619 Insufficient validation of untrusted input in Settings |
| Aug 5, 2022 | CVE-2022-2618 | Chromium: CVE-2022-2618 Insufficient validation of untrusted input in Internals |
| Aug 5, 2022 | CVE-2022-2617 | Chromium: CVE-2022-2617 Use after free in Extensions API |
| Aug 5, 2022 | CVE-2022-2616 | Chromium: CVE-2022-2616 Inappropriate implementation in Extensions API |
| Aug 5, 2022 | CVE-2022-2615 | Chromium: CVE-2022-2615 Insufficient policy enforcement in Cookies |
| Aug 5, 2022 | CVE-2022-2614 | Chromium: CVE-2022-2614 Use after free in Sign-In Flow |
| Aug 5, 2022 | CVE-2022-2612 | Chromium: CVE-2022-2612 Side-channel information leakage in Keyboard input |
| Aug 5, 2022 | CVE-2022-2611 | Chromium: CVE-2022-2611 Inappropriate implementation in Fullscreen API |
| Aug 5, 2022 | CVE-2022-2610 | Chromium: CVE-2022-2610 Insufficient policy enforcement in Background Fetch |
| Aug 5, 2022 | CVE-2022-2606 | Chromium: CVE-2022-2606 Use after free in Managed devices API |
| Aug 5, 2022 | CVE-2022-2605 | Chromium: CVE-2022-2605 Out of bounds read in Dawn |
| Aug 5, 2022 | CVE-2022-2604 | Chromium: CVE-2022-2604 Use after free in Safe Browsing |
| Aug 5, 2022 | CVE-2022-2603 | Chromium: CVE-2022-2603 Use after free in Omnibox |
| Nov 9, 2021 | CVE-2021-42279 | Chakra Scripting Engine Memory Corruption Vulnerability |
Additional Cybersecurity Advice
Well, this concludes the August edition of Patch Tuesday. Hope it was to your taste, and, before I scoot, here is a couple of cybersec advice.
- Automated patch deployment. If you’re planning on staying ahead of your attackers, automatic patching & patch management is the solution. Heimdal™ Security’s Patch & Asset Management will ensure that all your apps are up to speed, regardless of OS or type of improvement-carrying package you’re going to deploy.
- Phishing. Please do yourself a favor and stay away from suspicious emails.
- Prioritize security updates. While scribbling your patch deployment battle plan, do make sure that you prioritize security-related updates or patches over quality updates.
Additional resources:
- Patch Tuesday, July 2022.
- SECURITY ALERT: Zero-Day Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 Enables Remote Code Execution
- What Is an Attack Surface in Cybersecurity?
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.