November 2022 Patch Tuesday forecast: Wrapping up loose ends?
Microsoft turned around and released a series of non-security updates that fixed some newly discovered connection issues, forcing many to conduct another unplanned patch cycle.
The initial concern was that CVE-2022-3602 could lead to another Heartbleed situation; CVE-2014-0160 in OpenSSL was widely exploited in 2014. The good news is that these recent CVEs are much harder to exploit, but you should still update to the latest version of OpenSSL in your environment during your next patch cycle to protect yourself from the attacks that are sure to come.
As with all the Microsoft updates, if you haven't had a chance to update yet and you do need them, we'll be getting these with next week's Patch Tuesday.
Despite October Patch Tuesday and several out-of-band releases throughout the month, we've not seen an update yet.
November 2022 Patch Tuesday forecast
As I anticipated last month, the ESU updates are continuing to get a lot of attention, with 40+ CVEs addressed as their EOL approaches.
It will be nice if Microsoft provides us with some updates this month that wrap up a lot of the loose ends I mentioned, and we can move into the end-of-year holidays with secure, stable systems and peace of mind.
News URL
https://www.helpnetsecurity.com/2022/11/04/november-2022-patch-tuesday-forecast/
Related news
- October 2024 Patch Tuesday forecast: Recall can be recalled
- Week in review: Critical Zimbra RCE vulnerability exploited, Patch Tuesday forecast
- Microsoft October 2024 Patch Tuesday fixes 5 zero-days, 118 flaws
- Microsoft cleans up hot mess of Patch Tuesday preview
- Patch Tuesday: Internet Explorer Vulnerabilities Still Pose a Problem
- November 2024 Patch Tuesday forecast: New servers arrive early
- Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 91 flaws
- Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws
- Microsoft slips Task Manager and processor count fixes into Patch Tuesday
- Patch Tuesday: Four Critical Vulnerabilities Paved Over
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
|---|---|---|---|---|
| 2022-11-01 | CVE-2022-3602 | Out-of-bounds Write vulnerability in multiple products | A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. | 7.5 |
| 2014-04-07 | CVE-2014-0160 | Out-of-bounds Read vulnerability in multiple products | The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug. | 7.5 |