Microsoft’s latest round of monthly security updates has been released with fixes for 68 vulnerabilities spanning its software portfolio, including patches for six actively exploited zero-days.
12 of the issues are rated Critical, two are rated High, and 55 are rated Important in severity. This also includes the weaknesses that were closed out by OpenSSL the previous week.
Also separately addressed at the start of the month is an actively exploited flaw in Chromium-based browsers (CVE-2022-3723) that was plugged by Google as part of an out-of-band update late last month.
“The big news is that two older zero-day CVEs affecting Exchange Server, made public at the end of September, have finally been fixed,” Greg Wiseman, product manager at Rapid7, said in a statement shared with The Hacker News.
“Customers are advised to update their Exchange Server systems immediately, regardless of whether any previously recommended mitigation steps have been applied. The mitigation rules are no longer recommended once systems have been patched.”
The list of actively exploited vulnerabilities, which allow for privilege elevation and remote code execution, is as follows –
- CVE-2022-41040 (CVSS score: 8.8) – Microsoft Exchange Server Elevation of Privilege Vulnerability (aka ProxyNotShell)
- CVE-2022-41082 (CVSS score: 8.8) – Microsoft Exchange Server Elevation of Privilege Vulnerability (aka ProxyNotShell)
- CVE-2022-41128 (CVSS score: 8.8) – Windows Scripting Languages Remote Code Execution Vulnerability
- CVE-2022-41125 (CVSS score: 7.8) – Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
- CVE-2022-41073 (CVSS score: 7.8) – Windows Print Spooler Elevation of Privilege Vulnerability
- CVE-2022-41091 (CVSS score: 5.4) – Windows Mark of the Web Security Feature Bypass Vulnerability
Benoît Sevens and Clément Lecigne of Google’s Threat Analysis Group (TAG) have been credited with reporting CVE-2022-41128, which resides in the JScript9 component and occurs when a target is tricked into visiting a specially crafted website.
CVE-2022-41091 is one of the two security bypass flaws in Windows Mark of the Web (MoTW) that came to light in recent months. It was recently discovered as weaponized by the Magniber ransomware actor to target users with fake software updates.
“An attacker can craft a malicious file that would evade Mark of the Web (MotW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MotW tagging,” Microsoft said in an advisory.
The second MotW flaw to be fixed is CVE-2022-41049 (aka ZippyReads). Reported by Analygence security researcher Will Dormann, it relates to a failure to set the Mark of the Web flag on extracted archive files.
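The symptom described above (an archive that carries the mark while files extracted from it do not) can be checked for on a host. The following is an added example, not code from the article or from Microsoft; the function names and sample stream contents are constructed for illustration, and it assumes the mark is read from the NTFS `Zone.Identifier` alternate data stream.

```python
import configparser

# Mark of the Web lives in an NTFS alternate data stream named Zone.Identifier.
# ZoneId follows the Windows URL security zones: 3 = Internet, 4 = Restricted sites.
UNTRUSTED_ZONES = {3, 4}

def parse_zone_id(stream_text):
    """Return the ZoneId from Zone.Identifier text, or None if absent or malformed."""
    if stream_text is None:
        return None
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(stream_text)
        return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None

def read_zone_stream(path):
    """Read a file's Zone.Identifier stream (NTFS only); None if there is no stream."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None

def unmarked_children(archive_stream, extracted_streams):
    """Extracted files that lost the untrusted-zone mark their archive carried."""
    if parse_zone_id(archive_stream) not in UNTRUSTED_ZONES:
        return []  # archive was not marked as downloaded, so nothing to inherit
    return sorted(name for name, text in extracted_streams.items()
                  if parse_zone_id(text) not in UNTRUSTED_ZONES)

def audit_extraction(archive_path, extracted_paths):
    """Run the same check against real files on a Windows host."""
    return unmarked_children(read_zone_stream(archive_path),
                             {p: read_zone_stream(p) for p in extracted_paths})

# Constructed sample: stream contents as they would be read from disk.
SAMPLE_ARCHIVE = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.test/update.zip\r\n"
SAMPLE_EXTRACTED = {
    "readme.txt": "[ZoneTransfer]\r\nZoneId=3\r\n",  # mark propagated
    "setup.js": None,                                 # no stream at all
    "notes.docx": "[ZoneTransfer]\r\nZoneId=0\r\n",  # present, but not an untrusted zone
}
```

`audit_extraction` only returns meaningful results on NTFS volumes; elsewhere every stream reads as missing.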
The two privilege escalation flaws in Print Spooler and the CNG Key Isolation Service are likely to be abused by threat actors as a follow-up to an initial compromise to gain SYSTEM privileges, Kev Breen, director of cyber threat research at Immersive Labs, said.
“This higher level of access is needed to disable or tamper with security monitoring tools before running credential attacks with tools like Mimikatz that can allow attackers to move laterally across a network,” Breen added.
Four other Critical-rated vulnerabilities in the November patch worth pointing out are privilege elevation flaws in Windows Kerberos (CVE-2022-37967), Kerberos RC4-HMAC (CVE-2022-37966), and Microsoft Exchange Server (CVE-2022-41080), and a denial-of-service flaw affecting Windows Hyper-V (CVE-2022-38015).
The list of fixes for Critical flaws is rounded out by four remote code execution vulnerabilities in the Point-to-Point Tunneling Protocol (PPTP), all carrying CVSS scores of 8.1 (CVE-2022-41039, CVE-2022-41088, and CVE-2022-41044), and another impacting Windows scripting languages JScript9 and Chakra (CVE-2022-41118).
In addition to these issues, the Patch Tuesday update also resolves a number of remote code execution flaws in Microsoft Excel, Word, ODBC Driver, Office Graphics, SharePoint Server, and Visual Studio, as well as a number of privilege escalation bugs in Win32k, Overlay Filter, and Group Policy.
Software Patches from Other Vendors
Microsoft aside, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including –
- Google Chrome
- Juniper Networks
- Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
- Schneider Electric
- Trend Micro
- VMware, and