Microsoft November 2022 Patch Tuesday addresses six exploited zero-days

Includes 11 critical vulnerabilities and 22 classified as 'likely to be exploited'

Microsoft has rolled out a new batch of security updates for its software as part of the November 2022 Patch Tuesday, addressing a total of 68 vulnerabilities - including six actively exploited Windows bugs.

Eleven vulnerabilities fixed this month are classified as 'Critical' in severity, as they enable attackers to achieve remote code execution, privilege elevation or spoofing.

Another 22 flaws have been classified as 'more likely to be exploited' than not.

In all, the November security update includes patches for 27 elevation of privilege (EoP) bugs, 16 remote code execution (RCE) vulnerabilities, 11 information disclosure bugs, six denial of service bugs, four security feature bypass bugs and three spoofing bugs.

Two OpenSSL bugs discovered earlier this month are not included in the above figures.

Based on the number of vulnerabilities fixed, this month's security update is a rather light Patch Tuesday.

Last month, Microsoft addressed 84 security bugs in its Patch Tuesday update. However, this is the first time in more than a year that so many of the patched vulnerabilities are known to be exploited by malicious actors, making it crucial for Microsoft customers to patch their devices as soon as possible.

Actively exploited

As mentioned earlier, this month's Patch Tuesday addresses six actively exploited zero-day vulnerabilities.

One of them is CVE-2022-41128, a Windows Scripting Languages Remote Code Execution (RCE) bug in the JScript9 scripting language engine, identified by Clément Lecigne of Google's Threat Analysis Group.

To exploit this bug, an attacker would need to mislead a user running an unpatched version of Windows into visiting a specially crafted website or server share, most likely via a phishing link or download.

"This is a good example of a remote code execution vulnerability that exists in the JScript9 component and should be high on the list of items to patch," said Kev Breen, Director of Cyber Threat Research at Immersive Labs.

"This kind of exploit is ideal for attackers looking to gain an initial foothold into a network where they can target many users at scale and only need one successful interaction to gain access. These attacks exploit the human element, and it's why it's so important to give workforces skills and capabilities to spot and avoid such attacks."

Another issue under active exploitation that has now been fixed is a Windows Mark of the Web (MOTW) bypass vulnerability (CVE-2022-41091).

An adversary may craft a malicious file capable of evading the MOTW protections. This results in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging.
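Protected View keys off the Zone.Identifier alternate data stream that Windows writes to downloaded files, so a file that arrives without that stream (or with a low ZoneId) opens with full trust. The following audit script is an added example written for this article, not code from Microsoft or from the article itself; it lists files under a folder (the Downloads folder by default, an assumed starting point) together with their MOTW zone so a defender can spot files that would bypass Protected View. It runs on Windows PowerShell 3 or later on an NTFS volume.

```powershell
# Added example (not from the article): audit files for the Mark of the Web.
# The MOTW is stored in the Zone.Identifier alternate data stream as an
# INI-style block; ZoneId=3 (Internet) or 4 (Restricted) triggers Protected View.
param(
    # Assumed folder to audit; change as needed.
    [string]$Path = "$env:USERPROFILE\Downloads"
)

$zoneNames = @{
    0 = 'LocalMachine'
    1 = 'Intranet'
    2 = 'Trusted'
    3 = 'Internet'
    4 = 'Restricted'
}

function Get-MotwInfo {
    param([System.IO.FileInfo]$File)

    $zoneId  = $null
    $hostUrl = $null

    # Get-Item -Stream returns nothing (no error) when the stream is absent,
    # which is exactly the case a MOTW bypass produces.
    $stream = Get-Item -LiteralPath $File.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($stream) {
        $lines = Get-Content -LiteralPath $File.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        foreach ($line in $lines) {
            if ($line -match '^ZoneId=(\d+)\s*$')     { $zoneId  = [int]$Matches[1] }
            elseif ($line -match '^HostUrl=(.*)$')   { $hostUrl = $Matches[1].Trim() }
        }
    }

    $zoneLabel = if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) {
        $zoneNames[$zoneId]
    } elseif ($null -ne $zoneId) {
        "Unknown ($zoneId)"
    } else {
        'None (no MOTW)'
    }

    [pscustomobject]@{
        File                 = $File.FullName
        Extension            = $File.Extension
        ZoneId               = $zoneId
        Zone                 = $zoneLabel
        # Protected View only engages for Internet/Restricted zones.
        ProtectedViewApplies = ($null -ne $zoneId -and $zoneId -ge 3)
        HostUrl              = $hostUrl
    }
}

# Files without MOTW (or with a local/intranet zone) sort to the top so the
# ones that would open without Protected View are the first thing you see.
Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-MotwInfo -File $_ } |
    Sort-Object ProtectedViewApplies, Extension |
    Format-Table File, Zone, ProtectedViewApplies, HostUrl -AutoSize
```

Office documents and archives that show `None (no MOTW)` despite having been fetched from the Internet are the cases worth investigating: either the download path stripped the stream (some archivers and file transfer tools do) or the file reached the host by a route that never tagged it. The `HostUrl` field, when present, tells you where the file was fetched from and is useful context for triage.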

CVE-2022-41073, yet another bug listed under active exploit, is a Windows print spooler elevation of privilege vulnerability discovered by Microsoft Threat Intelligence Center (MSTIC).

"Despite there being several Print Spooler related vulnerabilities disclosed by security researchers since last year, it appears that CVE-2022-41073 is the first Print Spooler vulnerability post PrintNightmare that was first exploited in the wild by attackers," said Satnam Narang, Senior Staff Research Engineer at Tenable.

"We've long warned that once Pandora's box was open with PrintNightmare, that flaws within Windows Print Spooler would come back to haunt organisations, and based on the success ransomware groups and other threat actors have had with PrintNightmare, a continued focus on the ubiquitous nature of Windows Print Spooler makes it one of the most attractive targets for privilege escalation and remote code execution."
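The standing mitigation for Print Spooler bugs, long recommended by Microsoft, is to stop and disable the service on hosts that do not actually serve print jobs, domain controllers above all. The script below is an added example written for this article, not Microsoft's or the article's own code; it reports whether the spooler is running, whether the host shares any printers, and whether it is a domain controller, and only changes anything when the `-Remediate` switch (an assumed parameter name) is supplied. It requires the PrintManagement module (Windows 8 / Server 2012 and later) and local administrator rights to stop the service.

```powershell
# Added example (not from the article): assess Print Spooler exposure on this host.
# Report-only by default; pass -Remediate to stop and disable the service when it
# is running on a host that shares no printers.
param(
    [switch]$Remediate   # assumed switch name for this example
)

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # Shared printers mean this host is acting as a print server.
    $sharedPrinters = @()
    if (Get-Command Get-Printer -ErrorAction SilentlyContinue) {
        $sharedPrinters = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
    }

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDomainController = $role -ge 4

    $running = $null -ne $svc -and $svc.Status -eq 'Running'

    # A running spooler that serves no shared printers is attack surface with
    # no business purpose; on a domain controller that is doubly true.
    $recommendation = if (-not $running) {
        'Spooler not running'
    } elseif ($sharedPrinters.Count -eq 0) {
        if ($isDomainController) { 'Disable (domain controller, no shared printers)' }
        else                     { 'Disable (no shared printers)' }
    } elseif ($isDomainController) {
        'Review: domain controller is sharing printers'
    } else {
        'Keep running (print server); ensure patched'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SpoolerStatus      = if ($svc) { $svc.Status } else { 'NotInstalled' }
        StartupType        = if ($svc) { $svc.StartType } else { $null }
        SharedPrinterCount = $sharedPrinters.Count
        IsDomainController = $isDomainController
        Recommendation     = $recommendation
    }
}

function Disable-SpoolerIfUnused {
    param([pscustomobject]$Assessment)

    if ($Assessment.Recommendation -like 'Disable*') {
        Stop-Service -Name Spooler -Force -ErrorAction Stop
        Set-Service  -Name Spooler -StartupType Disabled -ErrorAction Stop
        Write-Output "Spooler stopped and disabled on $($Assessment.ComputerName)"
    } else {
        Write-Output "No change on $($Assessment.ComputerName): $($Assessment.Recommendation)"
    }
}

$assessment = Get-SpoolerExposure
$assessment | Format-List

if ($Remediate) {
    Disable-SpoolerIfUnused -Assessment $assessment
}
```

To assess a fleet rather than one machine, wrap the two functions in `Invoke-Command -ComputerName` and collect the returned objects; the `Recommendation` column then gives you a ready-made list of hosts where the spooler can be switched off while the November updates are rolled out.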

CVE-2022-41125 is a Windows CNG Key Isolation Service elevation of privilege vulnerability that was exploited in the wild by attackers. This bug could enable an attacker to gain SYSTEM privileges. It was discovered by the Microsoft Threat Intelligence Center and the Microsoft Security Response Center.

Additionally, Microsoft has now patched the two Exchange Server vulnerabilities (CVE-2022-41082 and CVE-2022-41040) known as ProxyNotShell that were first exploited in August.

CVE-2022-41082 is an RCE vulnerability and CVE-2022-41040 is a server-side request forgery bug.

Although the authentication requirement limits the effect of ProxyNotShell, the fact that it has been used in the wild and that attackers are capable of obtaining legitimate credentials makes these bugs important to patch.