October 2022 Patch Tuesday Updates Fix 85 Windows Vulnerabilities

Microsoft has released yesterday the October 2022 Patch Tuesday updates for all supported versions of Windows. This includes Windows 11 version 22H2, the latest version of the OS that has just started rolling out to more users. 

Overall, Microsoft fixed 85 security flaws in Windows, and there are also 11 fixes for Microsoft Edge vulnerabilities this month. Among the 85 Windows vulnerabilities addressed by Microsoft, 15 of them are rated Critical. The company also warned that there’s one zero-day vulnerability affecting the Windows COM+ event system service that’s already being exploited in the wild.

As pointed out by the Zero Day Initiative, Microsoft has yet to fix two Exchange Server vulnerabilities that have been actively exploited for the past two weeks. Organizations can still protect themselves by disabling remote PowerShell access for non-admin users in their organization. You can learn more details about current mitigations on the Microsoft Security Response Center blog post.

85 vulnerabilities fixed in the October 2022 Patch Tuesday updates

Here are some of the most important fixed vulnerabilities you should be aware of in this month’s Patch Tuesday updates: 

• CVE-2022-41033: This is an Elevation of Privilege vulnerability affecting the Windows COM+ event system service. This is the only security flaw that Microsoft identified as already being exploited in the wild. 
• CVE-2022-41043: This is a Microsoft Office vulnerability that has been publicly disclosed, but it has yet to be exploited. Attackers could leverage it to obtain user tokens and other potentially sensitive information.
• CVE-2022-41038: This critical Remote Code Execution vulnerability in Microsoft SharePoint Server could allow an authenticated attacker with Manage List permissions to execute code remotely on the SharePoint Server.
• CVE-2022-37979: This critical Elevation of Privilege vulnerability in Windows Hyper-V could allow a Hyper-V guest to affect the functionality of the Hyper-V host.
• CVE-2022-37976: This Active Directory Certificate Services Elevation of Privilege Vulnerability could allow attackers to gain domain administrator privileges by using a malicious DCOM client.

You can find the full list of CVEs released by Microsoft with the October 2022 Patch Tuesday updates below:

Quality and experience updates

This month’s Patch Tuesday updates for Windows 11 and Windows 10 bring minor changes to the taskbar. On Windows 11 versions 22H2 and 21H2, the updates bring more dynamic Widgets content to the taskbar: In addition to weather information, users will also see finance and sports updates. 

If you were hoping to see File Explorer tabs arrive on Windows 11 version 22H2 this week, the feature isn’t live yet. It’s already available for Windows Insiders on the Release Preview ring, but it will be available later this month for non-Insiders in an optional preview update. The public rollout will start next month with the November 2022 Patch Tuesday updates, Microsoft explained.

On Windows 11 version 21H2 (the original version of the OS), the build 22000.1098 (KB5018418) fixed an issue that forced users to reinstall apps that didn’t come from the Microsoft Store after an upgrade. There’s also a fix for a rare issue that could lead to a blue screen after changing the display mode when using more than one display. 

Microsoft published the following video highlighting the bug fixes and quality updates for Windows 11 version 21H2 in the build 22000.1098.

For Windows 10 users, the KB5018410 patch for Windows 10 versions 21H2, 21H1, and 20H2 also bring some Taskbar changes. First of all, all taskbar orientations can now display news and interests information. Additionally, it’s now possible to access settings for news and interests on the taskbar by right-clicking it and selecting Taskbar settings. 

There’s still no word about when Windows 10 version 22H2 will start rolling out to the public though. The update is already available for Windows Insiders on the Release Preview ring, but new features (which are still unknown) have been turned off for now.

Windows Update testing and best practices

Organizations looking to deploy this month’s patches should conduct thorough testing before deploying them widely on production systems. That said, applying the patches widely shouldn’t be delayed longer than necessary as hackers start to work out how to weaponize newly reported vulnerabilities.

A best practice is to make sure you have backed up systems before applying updates. Every month, users experience issues with Windows updates that lead to systems not booting, application and hardware compatibility issues, or even data loss in extreme cases.

There are backup tools built into Windows and Windows Server that you can use to restore systems in the event a patch causes a problem. The backup features in Windows can be used to restore an entire system, or files and folders on a granular basis.

If you have any problems with this month’s patches, please let us know in the comments below. Other readers might be able to share their experiences in how to roll back problematic updates or mitigate issues caused by patches that are important to have in place.