No computer system is inviolable. Week after week, we are reminded of this by the discovery of security vulnerabilities, whether in our smartphones, our web browsers or even our servers. Today, it’s Microsoft’s turn to urgently patch a critical bug.
A flaw already used
During its monthly update in September, the Windows publisher released a set of fixes for all its operating systems, including one that closes a zero-day flaw. At Microsoft, this classification means that a flaw has been publicly disclosed, may have been used by malicious hackers, and has no immediately available fix. This is the case for the CVE-2022-37969 flaw, which allows attackers to gain administrator privileges on a machine.
To be exact, it was the case, since Microsoft has just released a patch. The flaw concerns the Windows event logging mechanism and allowed code to be executed with the highest level of privilege. “Attacks of this nature are often associated with a technique of social engineering, such as convincing someone to open a file or click on a link. Once done, additional code runs with elevated privileges to take control of a system,” explains a cybersecurity specialist at Zero-Day Initiative.
Even Windows 7 has been patched
The flaw is critical enough for Microsoft to release its patch for Windows 7, an operating system that has been officially retired since 2020. Microsoft has provided few details on the nature of the flaw, probably so as not to encourage malicious actors to launch large hacking campaigns. The problem appears serious, since even US defense officials have been ordered to update their machines as soon as possible.
Other security vulnerabilities, including one affecting the ARM version of Windows 11, were also patched in the September update. The patches are currently being deployed: whether you are on Windows 7, 8, 10 or 11, remember to update your OS quickly.