Microsoft’s November 2022 Patch Tuesday
Fixes for 64 vulnerabilities were made available by Microsoft on Tuesday, including two zero-day NotProxyShell flaws that were reported at the beginning of October but were not fixed throughout that month. Six of the vulnerabilities that needed to be fixed were assessed to be zero-days, 11 were deemed to be serious, and 53 were deemed to be significant.
Because the security community believed that Microsoft’s October patch cycle would include patches for two serious zero-day NotProxyShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082), the announcement of Microsoft’s November Patch Tuesday was widely anticipated.
Given the larger-than-usual number of zero-day vulnerabilities that will be addressed in November, the next update is of essential relevance. The Windows manufacturer has published patches to patch six previously identified security flaws. Dustin Childs, leader of Trend Micro’s Zero Day Initiative, said that Microsoft fixed more vulnerabilities in 2022 than in 2021 (1,200), making 2022 the “second-busiest year ever for updates”
Here is a rundown of the November patch list:
- A rise in privilege-related vulnerabilities that allow for remote code execution, as measured by elevation of privilege (EoP) 26 (RCE)
- Distributing Information
- Protections 4 In addition to the by-pass, there were also six DoS attacks (SFB)
- Third parody
Bharat Jogi, head of vulnerability and threat research at Qualys, said in an interview with Spiceworks that “as we approach the holiday season, security teams must be on high alert and extra vigilant, as attackers tend to increase their operations during this time” (e.g., Log4j, SolarWinds, etc.). Even if a corporation has fixed a vulnerability, it is possible for malicious actors to exploit a publicly revealed zero-day vulnerability.
CVE-2022-41040 and CVE-2022-41082 NotProxyShell
Spice works asserts that two Exchange Server NotProxyShell vulnerabilities have been “heavily exploited” by hostile actors. Mike Walters, vice president of vulnerability and threat research at Action1, uncovered these flaws.
CVE-2022-41082 is a remote code execution flaw (RCE), while CVE-2022-41040 is a server-side request forgery flaw (RF) that permits privilege escalation (CVSS: 8.8). “Microsoft has now revealed remedies for the ‘ProxyNotShell’ flaws that are being heavily abused by Chinese threat actors,” stated Spurti Preetham Gurram, Senior Product Manager at Automox.
If you utilise susceptible on-premises or hybrid exchange servers for which interim mitigation has not been provided, we suggest implementing updates within 24 hours. The elevation of privilege and remote code execution vulnerabilities were not made public and exploited until late September. After NotProxyShell was published a month ago, Walters told Spiceworks that attackers are constructing web shells on compromised servers using the zero-day combo in order to exfiltrate data and move laterally to other systems on the affected network.
“Despite Microsoft’s admission that ProxyNotShell actively exploited the vulnerabilities in targeted attacks on at least 10 important firms,” Walters stated, “the company waited more than two months to offer the remedy.
CVE-2022-41091
CVE-2022-41091 is an SFB vulnerability that circumvents Windows’ Mark of the Web (MotW) defences. This zero-day vulnerability has been present in the great majority of Windows versions (10, 11, and Server 2016-2022) since July 2022, despite its low CVSS score of 5.4. It is widely used for business applications.
“MotW is an important security precaution that may assist protect end users and notify them if they attempt to download stuff from unreliable sources. Windows appends MotW flags to executables and downloaded files that originate from an untrusted source. Peter Pflaster, manager of technical product marketing at Automox, explains that activating this flag notifies Windows, Office, web browsers, and other applications that the file is not trusted, pushing them to alert end users.
By exploiting the zero-day vulnerability, attackers might deceive users into opening infected files through phishing emails or hacked websites, or they could host malicious files meant to circumvent the security feature that warns users when they try to open a potentially dangerous file. According to many accounts, this security flaw was found in July 2022 but has not yet been addressed. As the vulnerability is now being actively exploited, we recommend patching it as soon as possible, especially within the next 24 hours.
CVE-2022-41073
Microsoft is still addressing PrintNightmare-related issues. According to Walters, an attacker might exploit this vulnerability to obtain local control of the targeted server or PC.
CVE-2022-41073 is a Windows Print Spooler service vulnerability that has existed in every Windows edition from Windows 7 and Windows Server 2008 R2. As with earlier PrintNightmare vulnerabilities, Walters said, stopping the print spooler service may alleviate the consequences of CVE-2022041073. However, you will be unable to print anything on your computer if this happens. Instead of waiting until a new PrintNightmare fix is released next month, the most recent Microsoft patch should be deployed. Walters made a joke about the frequency of PrintNightmare in the past when questioned about it.
“Attackers having local access to a susceptible device, which is often obtained by social engineering, credential stuffing, or other password-related assaults, may execute a straightforward attack to get SYSTEM rights,” Pflaster told Spiceworks. An attacker with SYSTEM rights may do everything they want, including concealing their tracks, moving on to more lucrative targets, inspecting and stealing sensitive or valuable data, etc.
CVE-2022-41125
CVE-2022-41125 is exploitable owing to its CVSS score of 7.8 and simplicity of attack. Users must apply the update immediately, since the EoP vulnerability in Windows Cryptography Next Generation (CNG) is being actively exploited.
Gina Geisel, product marketing manager at Automox, told Spiceworks that the CVE-2022-41125 vulnerability “exposes industry-leading Windows versions and potentially have extensive effects.” Windows 10, Windows 11, Windows 8.0, Windows 7.0, Windows Server 2008, 2012, 2016, 2019, and 2022 Azure are included.
CVE-2022-41128
The JScript9 programming language is susceptible to the CVE-2022-41128 vulnerability, which has a CVSS severity rating of 8.8. This bug affects all versions of Windows, beginning with Windows XP.
This vulnerability, identified by Walters as CVE-2022-41128, “uses the network vector, has low complexity, and does not require authorization to exploit, but it requires human interaction, such as sending a phishing email to convince the victim to visit a malicious server share or website,” he writes.