November 2022 Patch Tuesday forecast: Wrapping up loose ends?
2022-11-04 06:25

Microsoft turned around and released a series of non-security updates that fixed some newly discovered connection issues, forcing many to conduct another unplanned patch cycle.

The initial concern was that CVE-2022-3602 could lead to another Heartbleed situation; Heartbleed, CVE-2014-0160 in OpenSSL, was widely exploited in 2014. The good news is that these recent CVEs are much harder to exploit, but you should still update to the latest version of OpenSSL in your environment during your next patch cycle, to protect yourself from the attacks that are sure to come.

As with all Microsoft updates, these fixes will be included in next week's Patch Tuesday release if you haven't had a chance to apply them yet and do need them.

Despite October Patch Tuesday and several out-of-band releases throughout the month, we've not seen an update yet.

November 2022 Patch Tuesday forecast

As I anticipated last month, the ESU (Extended Security Updates) releases are continuing to get a lot of attention, with 40+ CVEs addressed as their end-of-life approaches.

It would be nice if Microsoft provides us with some updates this month that wrap up the loose ends I mentioned, so that we can move into the end-of-year holidays with secure, stable systems and peace of mind.


News URL

https://www.helpnetsecurity.com/2022/11/04/november-2022-patch-tuesday-forecast/

Related Vulnerability

DATE        CVE            VULNERABILITY TITLE                                     RISK
2022-11-01  CVE-2022-3602  Out-of-bounds Write vulnerability in multiple products  7.5
            A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking.
            Attack vector: network. Attack complexity: low. Affected: openssl, fedoraproject, netapp, nodejs. Weakness: CWE-787.
2014-04-07  CVE-2014-0160  Out-of-bounds Read vulnerability in multiple products   7.5
            The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.