November 2022 Patch Tuesday for Windows 11
Microsoft patched four zero-day vulnerabilities that were being exploited in the wild in its November 2022 Patch Tuesday for Windows 11. Two severe ProxyNotShell zero-day vulnerabilities (CVE-2022-41040 and CVE-2022-41082) had been expected to be addressed in Microsoft’s October patch cycle but were not; hence, the security community eagerly anticipated the company’s November Patch Tuesday.
With more actively exploited zero-day vulnerabilities fixed than usual, November’s Patch Tuesday is of particular significance: Microsoft has patched six zero-day vulnerabilities. Microsoft’s November patch load is in line with predictions, but Dustin Childs, president of Trend Micro’s Zero Day Initiative, noted that the overall number of vulnerabilities addressed in 2022 (1,300) surpassed that of 2021 (1,200), making it Microsoft’s “second-busiest year ever for fixes.”
CVE-2022-41073 – Elevation of Privilege in Windows Print Spooler
Microsoft has published a patch for yet another Windows Print Spooler vulnerability this month, but this one stands out because it was the first to be exploited in the wild by bad actors. Since the summer 2022 PrintNightmare attacks, other Print Spooler vulnerabilities have been addressed, but it seems that attackers are starting to take notice.
In view of the success ransomware groups and other threat actors have had with PrintNightmare, Tenable’s senior staff research engineer Satnam Narang expects that the Windows Print Spooler will become one of the most alluring targets for privilege escalation and remote code execution. He says, “We have long warned that after PrintNightmare unlocked Pandora’s box, Windows Print Spooler vulnerabilities will return to attack organizations.”
CVE-2022-41073 affects the Windows Print Spooler service starting with Windows 7 and Windows Server 2008 R2. As with previous PrintNightmare vulnerabilities, stopping the Print Spooler service may mitigate CVE-2022-41073 until the patch is applied, according to Walters.
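The interim mitigation described above (stopping the Print Spooler where a host does not need it) is easy to get wrong on print servers. The following script is an added example, not code from the article or from Microsoft: it reports the spooler's state on the local host, checks whether the host shares any printers, and only stops and disables the service when the -Disable switch (an assumed name for this script) is given and no shared printers exist. It assumes an elevated PowerShell session on Windows; Get-Printer comes from the PrintManagement module, which is absent on older systems, so the script tolerates its absence.

```powershell
# Added example, not from the article: audit (and optionally disable) the
# Print Spooler service as an interim mitigation for CVE-2022-41073.
# Run locally in an elevated PowerShell session. -Disable is an assumed
# switch name for this script.
param([switch]$Disable)

$svc = Get-Service -Name Spooler

# Hosts that share printers actually need the spooler; flag them before acting.
$shared = @()
if (Get-Command -Name Get-Printer -ErrorAction SilentlyContinue) {
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
}

$report = [pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    SpoolerStatus  = $svc.Status
    SpoolerStartup = $svc.StartType
    SharedPrinters = $shared.Count
    Action         = 'none (audit only)'
}

if ($Disable) {
    if ($shared.Count -gt 0) {
        # A print server cannot live without its spooler: patch it instead.
        $report.Action = 'skipped: host shares printers; apply the update instead'
    } else {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        $report.Action = 'spooler stopped and startup type set to Disabled'
    }
}

$report
```

Run it without arguments first to see what each host would do; re-enable the service later with Set-Service -Name Spooler -StartupType Automatic followed by Start-Service -Name Spooler once the update has been installed and verified.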
CVE-2022-41125 – Windows CNG Key Isolation Service Elevation of Privilege
CVE-2022-41125 has a CVSS score of 7.8 and can be exploited with low attack complexity. Because this EoP vulnerability sits in the Windows Cryptography Next Generation (CNG) Key Isolation service and is currently being exploited, installing the update is essential.
Gina Geisel, manager of product marketing at Automox, told Spiceworks that the vulnerability CVE-2022-41125 “exposes industry-leading versions of Windows and may have far-reaching consequences.” Windows 10, 11, 8.0, 7.0, Server 2008, 2012, 2016, 2019, and Azure 2022 are impacted versions.
Exploiting this vulnerability requires only low privileges and a local attack vector, and no action by the user is needed. The flaw can only be exploited once an attacker already has access to the victim’s computer and runs a specially crafted program there to elevate privileges.
CVE-2022-41128 – Remote Code Execution in the Windows Scripting Languages
CVE-2022-41128 is a vulnerability in the JScript9 scripting engine. It has a CVSS severity rating of 8.8 and affects all Windows versions, including older ones.
CVE-2022-41128, according to Walters, “uses the network vector, has little complexity, and requires no authorisation to exploit, but it requires user interaction,” such as when an attacker sends a phishing email in an effort to fool a victim into accessing a malicious server share or website.
CVE-2022-41091 – Windows Mark of the Web Security Feature Bypass
CVE-2022-41091 is a security feature bypass (SFB) that circumvents Windows’ Mark of the Web (MotW) defences. This zero-day vulnerability, which has a relatively low CVSS score of 5.4, has been present in the great majority of Windows versions (10, 11, and Server 2016-2022) since July 2022. It is now being actively exploited.
MotW is a vital security component since it protects users by warning them about files downloaded from untrusted sources. Windows adds the MotW flag to downloaded files and executables that originate from an untrusted source. Peter Pflaster, the technical product marketing manager for Automox, explains that this flag tells Windows, Office, web browsers, and other programmes that the file should not be trusted, prompting the display of suitable warnings to the end user.
To exploit the zero-day vulnerability, attackers may deceive users into opening malicious files through phishing emails or compromised websites, and they may even host malicious files crafted to evade the security warning. According to many accounts, the vulnerability was found and publicized in July 2022, but it had not been fixed until now. Since it is now being actively exploited, we recommend patching within 24 hours.
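The MotW flag the text describes is stored as an NTFS alternate data stream named Zone.Identifier on the downloaded file, so a defender can check directly which recently downloaded files carry it and from which URL they came. The script below is an added example, not code from the article or from Microsoft: it walks a folder (the assumed default is the current user's Downloads folder), reads each file's Zone.Identifier stream if present, parses the INI-style ZoneId, ReferrerUrl and HostUrl entries, and lists files lacking the mark first. It assumes an NTFS volume; on FAT/exFAT volumes the stream cannot exist and every file will report HasMotW = False.

```powershell
# Added example, not from the article: report which files in a folder carry the
# Mark of the Web (the Zone.Identifier alternate data stream) and which do not.
# Assumes NTFS. The -Path default is an assumption for this script.
param([string]$Path = (Join-Path $env:USERPROFILE 'Downloads'))

# URL security zone values written to ZoneId= by browsers, mail clients, etc.
$zoneNames = @{
    0 = 'LocalMachine'
    1 = 'LocalIntranet'
    2 = 'TrustedSites'
    3 = 'Internet'
    4 = 'RestrictedSites'
}

Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
    $file = $_
    # Returns nothing (no error) when the file has no Zone.Identifier stream.
    $stream = Get-Content -Path $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue

    $zoneId = $null; $referrerUrl = $null; $hostUrl = $null
    foreach ($line in $stream) {
        # The stream is INI-style: a [ZoneTransfer] header followed by Key=Value lines.
        if     ($line -match '^ZoneId=(\d+)\s*$')   { $zoneId = [int]$Matches[1] }
        elseif ($line -match '^ReferrerUrl=(.*)$')  { $referrerUrl = $Matches[1] }
        elseif ($line -match '^HostUrl=(.*)$')      { $hostUrl = $Matches[1] }
    }

    [pscustomobject]@{
        File     = $file.FullName
        HasMotW  = ($null -ne $zoneId)
        Zone     = if ($null -ne $zoneId) { $zoneNames[$zoneId] } else { 'none' }
        HostUrl  = $hostUrl
        Referrer = $referrerUrl
        Modified = $file.LastWriteTime
    }
} |
    Sort-Object -Property @{ Expression = 'HasMotW'; Descending = $false },
                          @{ Expression = 'Modified'; Descending = $true } |
    Format-Table -AutoSize
```

A recently downloaded file that shows HasMotW = False, or a ZoneId other than 3 (Internet) for something fetched from the web, is worth a closer look, since Office, SmartScreen and the browsers key their warnings off exactly this stream. The script only reads the stream; removing the mark is what Unblock-File does and is deliberately not part of an audit.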
CVE-2022-41040 and CVE-2022-41082 – Microsoft Exchange Server Elevation of Privilege and Remote Code Execution
CVE-2022-41040 is a server-side request forgery flaw that permits privilege escalation, whereas CVE-2022-41082 is a remote code execution vulnerability (CVSS: 6.3). Microsoft has now issued updates for the ‘ProxyNotShell’ vulnerabilities, which have been exploited by Chinese threat actors, according to Spurti Preetham Gurram, Senior Product Manager at Automox.
If you have vulnerable on-premises or hybrid Exchange servers on which the interim mitigations have not been applied, we suggest installing the updates within 24 hours. The elevation of privilege and remote code execution vulnerabilities have been public and exploited since late September.
After ProxyNotShell was made public a month ago, Walters reported to Spiceworks that attackers are using the zero-day combination to establish web shells on compromised servers in order to exfiltrate data and move laterally to other systems on the compromised network.
Zero-day and critical vulnerabilities from November Patch Tuesday
The CVSS scores and descriptions of the first six zero-day and critical vulnerabilities fixed in the November Patch Tuesday are provided below.
Gareth Lindahl-Wise, chief security counsel at Tiberium, said, “Six actively exploited zero days in a single cycle is quite high” (out of a total of 12 severe vulnerabilities, 13 if you include the previously discovered one in Azure CLI by GitHub). A CISO’s wish list is unlikely to contain “privilege execution,” “remote code execution,” and “first compromise.” Determine, prioritise, and repair are the three processes involved in implementing preventive measures. Ensure that your CVE detection and response knowledge is geared to these particular vulnerabilities in addition to more broad techniques.
The November Patch Tuesday also contains fixes for three previously disclosed vulnerabilities uncovered by GitHub, as well as the OpenSSL version 3.0.7 fix for two vulnerabilities rated as serious, and updates from AMD.