Microsoft on Tuesday released software fixes to address more than 90 security defects affecting products in the Windows ecosystem and warned that one of the vulnerabilities was already being exploited as a zero-day in the wild.
The exploited vulnerability, identified as CVE-2022-41033, affects the Windows COM+ Event System service. It has been used in elevation-of-privilege attacks, indicating that it was a component of an exploit chain discovered in the wild. Microsoft received an anonymous report of this most recent zero-day.
The latest alert was released less than a month after Microsoft’s security response team rushed to release patches for two Exchange Server flaws that were being exploited by nation-state-level threat actors. These two Exchange Server flaws, CVE-2022-41040 and CVE-2022-21082, are still present.