Welcome to our summary of this month’s Patch Tuesday (October 2022). We have tabulated the vulnerabilities that the latest patches from Microsoft and Adobe fix, so that you can easily export them for use in your vulnerability management program.

84 vulnerabilities have been fixed in Microsoft’s August 2022 update.

13 were marked as Critical vulnerabilities as they allow Elevation of Privilege (EoP), Remote Code Execution (RCE), and spoofing.

This release also fixes two zero day vulnerabilities, with one being actively exploited in recent attacks (CVE-2022-41033*, CVE-2022-41043). The Rootshell Platform has already alerted users to these active exploits.

With this update, Microsoft has fixed many flaws including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, Spoofing, Microsoft Edge (Chromium-based), and Microsoft Edge (Chromium-based) / Spoofing.

[wpdatatable id=”5″ /][wpdatatable id=”0″ /]

Adobe’s October update addresses 29 CVEs in Adobe Acrobat and Reader, ColdFusion, Commerce and Magento, and Adobe Dimension.

The ColdFusion vulnerability is the most critical, with multiple CVSS 9.8 code execution bugs being addressed. A fix for a bug in the Admin Component service is also included. The service uses a hard-coded password for the administrator user. An attacker can leverage this vulnerability to bypass authentication on the system.

Commerce and Magento updates address only one issue, but it’s a CVSS 10. Users of either of these products are strongly advised to test and deploy this quickly to fix the stored cross-site scripting (XSS) bug.

Acrobat and Reader have six vulnerabilities fixed in this patch. The most severe being stack-based buffer overflows that could lead to code execution. Threat actors would need to trick someone into opening a specially crafted PDF to get arbitrary code execution.

The fix for Dimension corrects nine bugs, eight of which are rated critical. Most of these are file parsing bugs and would require user interaction to exploit.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

[wpdatatable id=”6″ /]