Microsoft Prepares Version 98 Updates for Patch Roundup
Microsoft released patches for 98 vulnerabilities in nine Microsoft product families.

By
Apac CIOOutlook | Thursday, November 17, 2022
Microsoft published updates on Tuesday for 98 vulnerabilities affecting nine different Microsoft product groups. This comprises 11 Windows and SharePoint problems of critical severity.
FREMONT, CA: Microsoft released patches for 98 vulnerabilities in nine Microsoft product families. This includes 11 critical-severity issues impacting SharePoint and Windows. The majority of CVEs affect Windows, including the operating system, which accounts for 11 CVEs. It is followed by 3D Builder, a less-common patch target, with 14 important-severity RCE issues. Office and Exchange pick up six and five patches; of the rest, SharePoint receives three fixes, and Azure, Microsoft’s Malware Protection Engine.
In addition, Microsoft provided information on a previously issued patch dealing with a moderate-severity RCE sandbox escape affecting the Chromium-based Edge browser. As is customary with patch releases, this issue is not counted among the 98 and needs no action as part of the release itself.
Although there are a significant number of patches, the 98 issues addressed have flown under the radar for the most part. Just one issue tackled this month has been discovered to be under exploitation, and even then there appears to be no open code addressing this ALPC (advanced local procedure call) bug.
Microsoft's severity ratings need more explanation in this scenario. Five of this month’s Windows patches garnered a critical-severity 9.8 CVSS (Common Vulnerability Scoring System) base score, a consideration for many administrators as they prioritise their task lists. Four of these five patches touch the Windows Layer 2 Tunneling Protocol (L2TP), and all five involve remote code execution issues that require neither user interaction nor privileged access to exploit. L2TP is also the core of two additional patches in this month’s set, and users of Microsoft's VPN services are encouraged to take those L2TP patches seriously.
The Patch Tuesday activity for Windows has come to its final day, as the end of extended security update (ESU) support brings the long life of that version of the operating system to a close. Mainstream support for Windows 7 ended in 2020, and the end of ESU indicates that even crucial security updates will no longer be regularly issued. Support is concluding for Windows 7, 8.1, and RT, which were not granted an ESU of their own.
Microsoft relayed information on 15 issues addressed recently, including patches for Adobe Acrobat and Reader for Windows and macOS, the first Reader patches released since October 2021. All 15 affect Reader and Acrobat versions and none of them is known to be under active exploitation. The specifics of the vulnerabilities do, however, vary, with four out-of-bounds reads, two out-of-bounds writes, and a combination of violations of secure design principles among the issues addressed. Moreover, Adobe released patches for Dimension, InDesign, and InCopy.