CVE-2022-41033: 0-day bug in Windows COM+ Event System Service
Microsoft on Tuesday released critical software updates to fix 84 documented security flaws in the Windows ecosystem and warned that unknown attackers are already launching zero-day attacks.
The zero-day, tracked as CVE-2022-41033, is described as an elevated privilege on the system, caused by a flaw in the COM+ Event System Service. By executing a specially-crafted program, an attacker could exploit this vulnerability to execute arbitrary code with higher privileges.
The software giant did not provide any additional details of the live attacks outside of a notification that the issue has not been publicly disclosed. The company did not provide IOCs (indicators of compromise) to help defenders hunt for signs of compromise.
CVE-2022-41033 (CVSS score: 7.8) was discovered by an ‘Anonymous’ researcher. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” explains Microsoft’s advisory.
CVE-2022-41043, a Microsoft Office Information Disclosure Vulnerability, was made public before the patch was released.
The 84 documented vulnerabilities (counting by CVE) affect a range of OS components, including Microsoft Office, SharePoint, Windows Kernel, Microsoft Defender, Microsoft WDAC OLE DB, Windows Azure, and Windows Windows Hyper-V…
According to Microsoft’s documentation, 13 of the 84 vulnerabilities carry the highest “critical” severity rating, 71 as important and 1 as moderate. The number of bugs in each vulnerability category is listed below:
- 39 Elevation of Privilege Vulnerabilities
- 2 Security Feature Bypass Vulnerabilities
- 20 Remote Code Execution Vulnerabilities
- 11 Information Disclosure Vulnerabilities
- 8 Denial of Service Vulnerabilities
- 4 Spoofing Vulnerabilities
We recommend that Windows users install the Microsoft October Patch Tuesday as soon as possible.
