Microsoft’s latest round of monthly security updates has been released with fixes for 68 vulnerabilities across its software portfolio, including patches for six actively exploited zero-days.
12 of the issues are rated Critical, 2 are rated High and 55 are rated Important in severity. This also includes the weaknesses that were fixed by OpenSSL last week.
Also addressed separately in Microsoft Edge earlier this month is an actively exploited vulnerability in Chromium-based browsers (CVE-2022-3723) that was plugged by Google as part of an out-of-band update at the end of last month.
Greg Wiseman, product manager at Rapid7, said in a statement shared with The Hacker News: “The important news is that two old zero-day CVEs affecting Exchange Server, which were announced in late September, have finally been fixed.
“Customers should update their Exchange Server systems immediately, regardless of whether or not any previously recommended mitigation steps have been applied. Mitigation rules are no longer recommended after the system has been patched.”
The list of actively exploited vulnerabilities, which allow elevation of privilege and remote code execution, is as follows –
CVE-2022-41040 (CVSS Score: 8.8) – Microsoft Exchange Server Elevation of Privilege Vulnerability (aka ProxyNotShell)
CVE-2022-41082 (CVSS Score: 8.8) – Microsoft Exchange Server Elevation of Privilege Vulnerability (aka ProxyNotShell)
CVE-2022-41128 (CVSS Score: 8.8) – Windows Scripting Languages Remote Code Execution Vulnerability
CVE-2022-41125 (CVSS Score: 7.8) – Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
CVE-2022-41073 (CVSS Score: 7.8) – Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2022-41091 (CVSS Score: 5.4) – Windows Mark of the Web Security Feature Bypass Vulnerability
Benoît Sevens and Clément Lecigne of Google’s Threat Analysis Group (TAG) have been credited with reporting CVE-2022-41128, which resides in the JScript9 component and is triggered when a target is tricked into visiting a specially crafted website.
CVE-2022-41091 is one of two security vulnerabilities in Windows Mark of the Web (MotW) that have come to light over the past few months. It was recently found to be weaponized by the Magniber ransomware actor to target users with fake software updates.
“An attacker can create a malicious file to evade Mark of the Web (MotW) protections, resulting in loss of integrity and availability of security features such as Protected View in Microsoft Office, which are based on MotW tagging,” Microsoft said in an advisory.
The second MotW vulnerability addressed is CVE-2022-41049 (aka ZippyReads). Reported by security researcher Will Dormann of Analygence, it involves a failure to set the Mark of the Web flag on extracted archive files.
Kev Breen, director of cyber threat research at Immersive Labs, said the two privilege escalation vulnerabilities in the Print Spooler and the CNG Key Isolation Service could potentially be abused by threat actors as a follow-up to an initial compromise to gain SYSTEM privileges.
“This higher level of access is required to disable or spoof security monitoring tools before performing credential attacks with tools like Mimikatz that could allow attackers to move across the network,” added Breen.
The other four Critical-rated vulnerabilities in the November patch that deserve to be pointed out are elevation of privilege vulnerabilities in Windows Kerberos (CVE-2022-37967), Kerberos RC4-HMAC (CVE-2022-37966), and Microsoft Exchange Server (CVE-2022-41080), and a denial-of-service vulnerability affecting Windows Hyper-V (CVE-2022-38015).
The list of fixes for Critical vulnerabilities is followed by four remote code execution vulnerabilities in Point-to-Point Tunneling Protocol (PPTP), all with a CVSS score of 8.1 (CVE-2022-41039, CVE-2022-41088 and CVE-2022-41044), and another affecting the Windows scripting languages JScript9 and Chakra (CVE-2022-41118).
In addition to these issues, the Patch Tuesday update also resolves several remote code execution bugs in Microsoft Excel, Word, ODBC Driver, Office Graphics, SharePoint Server, and Visual Studio, as well as some privilege escalation bugs in Win32k, Overlay Filters and Group Policy.
Software patches from other vendors
In addition to Microsoft, security updates have also been released by other vendors since the beginning of the month to fix a number of vulnerabilities, including –