microsoft released its August 2022 Patch Tuesday to fix 121 security flaws that were found in its products, which include things like Exchange Server as well as classic Windows and Office.

of Fixed 121 security bugs, 17 marked critical, 102 important, 1 as medium and 1 as low risk. Of all of them, only two were publicly known at the time of the patch release. It’s important to note that Microsoft Edge, the Chromium-based web browser, is in a different league and had a separate 25 bug fixes between the end of July and the end of last week.

The Redmond giant stood out from all the patchwork a vulnerability that opened the door to remote code execution via the Microsoft Resource and Performance Monitor (MSDT), a Windows tool which generates a report on the status of local hardware resources, system response time, and local computer processes, along with system information and configuration data. Exploitation of this vulnerability required the user to open a file specially created for this purpose, which is why techniques such as phishing and scams are introduced by downloading a file hosted on a malicious website or via email.

The remote code execution found in MSDT, identified as CVE-2022-34713, is not the only vulnerability found in the tool, as Microsoft has patched another of the same type identified as CVE-2022-35743.

We continue with remote execution and find fixes for this type of vulnerability applied to Windows Point-to-Point Protocol (PPP), Windows Secure Sockets Tunneling Protocol (SSTP), Azure RTOS GUIX Studio, Microsoft Office, and the Hyper-V hypervisor. in the Windows operating system.

Another type of vulnerability with protagonism is privilege escalation. Three such vulnerabilities were found in Exchange Server (CVE-2022-21980, CVE-2022-24477, and CVE-2022-24516) which, when exploited, could be used to read specific email messages and download the attached files they contained. On the other hand, a publicly known security flaw (CVE-2022-30134) was fixed in the same component, opening the door to implement the same.

Patch Tuesday is responsible for fixing dozens of security bugs that consist of permission escalations, 31 of which were found in Azure Site Recovery. This is in addition to what the company did a month ago when it fixed thirty similar bugs in the Business Continuity Service, five in Storage Spaces Direct, three in the Windows kernel itself and two in the Print Spooler module.

Publishing these types of fixes to fix a large number of vulnerabilities in batches is common for software solutions that reach a certain size. They also exist, though perhaps published in different formats and with a different cadence, for Linux distributions, Android, Adobe solutions, Intel products, etc.