Microsoft patches a new zero-day affecting all versions of Windows

Microsoft has released security fixes for a zero-day vulnerability affecting all supported versions of Windows that has been exploited in real-world attacks.

The zero-day bug, tracked as CVE-2022-37969, is described as an elevation of privilege flaw in the Windows Common Log File System Driver, a subsystem used for data and event logging. The bug allows an attacker to obtain the highest level of access, known as system privileges, to a vulnerable device.

Microsoft says users running Windows 11 and earlier, and Windows Server 2008 and Windows Server 2012, are affected. Windows 7 will also receive security patches, despite falling out of support in 2020.

Microsoft said the flaw requires that an attacker already has access to a compromised device, or the ability to run code on the target system.

“Bugs of this nature are often wrapped into some form of social engineering attack, such as convincing someone to open a file or click a link,” said Dustin Childs, head of threat intelligence at the Zero Day Initiative (ZDI). “Once they do, additional code executes with elevated privileges to take over a system.”

Microsoft credited four different sets of researchers from CrowdStrike, DBAPPSecurity, Mandiant and Zscaler for reporting the flaw, which may be an indication of widespread exploitation in the wild.

Dhanesh Kizhakkinan, senior principal vulnerability engineer at Mandiant, told TechCrunch that the company discovered the bug "during a proactive Offensive Task Force exploit hunting mission," adding that the exploit appears to be standalone and is not part of an attack chain.

Microsoft did not share details about the attacks exploiting this vulnerability and did not respond to our request for comment.

The fixes arrived as part of Microsoft’s regularly scheduled monthly release of security fixes, dubbed Patch Tuesday, which includes a total of 63 vulnerabilities in various Microsoft products, including Microsoft Edge, Office and Windows Defender.

Microsoft also released patches for a second zero-day flaw, tracked as CVE-2022-23960, which it describes as a cache speculation vulnerability known as “Spectre-BHB” affecting Windows 11 for ARM-based systems. Spectre-BHB is a variant of the Spectre v2 vulnerability, which can allow attackers to steal data from memory.

Earlier this week, Apple moved to patch a zero-day under active attack in iOS and macOS.