Microsoft patched six zero-day vulnerabilities in its latest monthly security update, including a pair of critical bugs that have been exploited by threat actors for months.
The targeted zero-days are among 68 security fixes in the company’s November Patch Tuesday release: 11 flaws are rated Critical, 55 Important, and two OpenSSL vulnerabilities are marked High severity.
Two long-awaited fixes address the critical ProxyNotShell flaws, which have been under attack since September. The bug tracked as CVE-2022-41040 is a server-side request forgery flaw that allows remote code execution, and the second, tracked as CVE-2022-41082, allows remote code execution when PowerShell is accessible to the attacker. The two bugs can be chained together to compromise Exchange Server.
“While the impact of ProxyNotShell is limited due to the authentication requirement, the fact that it has been exploited in the wild and that attackers are capable of obtaining valid credentials still make these important flaws to patch,” Satnam Narang, senior staff research engineer at Tenable, told SC Media in an email.
Microsoft strongly advises customers to apply the Exchange Server updates. It had previously recommended interim mitigations, including a URL Rewrite rule and disabling remote PowerShell for non-admins, but those are no longer suggested.
The company also addressed Mark of the Web (MotW) vulnerabilities that have been widely discussed within the security community in the past few weeks. The bugs tracked as CVE-2022-41091 and CVE-2022-41049 are two separate flaws in different versions of Windows, with only the former being exploited in the wild, according to Microsoft.
MotW is a Windows feature designed to protect users against files from untrusted sources, and the two vulnerabilities allow attackers to bypass the defenses by crafting a malicious file.
“[Users] have probably seen this feature in action before. When [they] open a downloaded Word or Excel document, Windows opens it in ‘Protected View’ and warns users before allowing them to edit it,” Derek McCarthy, director of field engineering at NetRise, explained.
He told SC Media that since millions of Windows users have gotten used to these warnings and automatic blocking of suspicious files, attackers could have high success rates in delivering malicious payloads to users.
“MotW vulnerabilities have reportedly led to an increase in ransomware attacks, which is unfortunate,” Kristen Bell, director of application security at GuidePoint Security, added. “Security specialists have been preaching to users to take caution with any file they choose to open, download, or allow to execute on their machine.”
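As an added defender-side example (not from the article, Microsoft, or any of the quoted vendors), the PowerShell below inventories recently written files in a folder and reports whether each still carries the Zone.Identifier alternate data stream that implements MotW; a downloaded file with no stream, or a ZoneId below 3, is exactly the condition a MotW bypass produces and is worth a second look. The folder path and the age window are assumptions.

```powershell
# Added example: report Mark of the Web (MotW) status of recent files by reading the
# NTFS Zone.Identifier stream. ZoneId 3 = Internet, 4 = RestrictedSites; Office opens
# those in Protected View. Missing stream or ZoneId < 3 means no Protected View.
# $Path and $NewerThanDays are assumptions; adjust for your environment.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",
    [int]$NewerThanDays = 7
)

$zoneNames = @{ 0 = 'LocalMachine'; 1 = 'LocalIntranet'; 2 = 'TrustedSites'; 3 = 'Internet'; 4 = 'RestrictedSites' }
$since = (Get-Date).AddDays(-$NewerThanDays)

Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    ForEach-Object {
        $file = $_
        $hasStream = $false
        $zoneId = $null

        # Get-Item -Stream enumerates alternate data streams; no Zone.Identifier
        # stream means the file carries no MotW at all.
        if (Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
            $hasStream = $true
            # The stream is INI-like text: "[ZoneTransfer]" followed by "ZoneId=<n>"
            # and optionally ReferrerUrl/HostUrl lines.
            $content = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            foreach ($line in @($content)) {
                if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { $zoneId = [int]$matches[1]; break }
            }
        }

        $zone = $null
        if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) { $zone = $zoneNames[$zoneId] }

        [pscustomobject]@{
            File          = $file.FullName
            HasMotW       = $hasStream
            ZoneId        = $zoneId
            Zone          = $zone
            ProtectedView = ($null -ne $zoneId -and $zoneId -ge 3)
        }
    } |
    Sort-Object ProtectedView, File |
    Format-Table -AutoSize
```

Run it from an elevated or normal PowerShell session on the endpoint; rows with HasMotW false or ProtectedView false for files the user downloaded are the ones to investigate.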
Another critical zero-day that has been actively under attack is CVE-2022-41128, a remote code execution vulnerability in Windows Scripting Languages. To exploit the vulnerability, attackers need to lure victims to malicious web pages through additional techniques, such as phishing attacks.
Microsoft has not detailed the impact of the bug, but Scott Dowsett, field chief technology officer at Anomali, told SC Media that it could be popular as the holiday season approaches.
“I expect this vulnerability could become a problem for many unpatched users who click on well-crafted phishing emails masquerading as a ‘missed delivery notice,’” Dowsett said.
CVE-2022-41125 and CVE-2022-41073 are two more actively exploited vulnerabilities that Microsoft addressed on Tuesday.
CVE-2022-41125 is a Windows CNG Key Isolation Service elevation of privilege vulnerability, which grants attackers SYSTEM privileges on compromised devices.
CVE-2022-41073 is an elevation of privilege vulnerability in Windows Print Spooler, which gained notoriety following the disclosure of PrintNightmare flaws.
“We have long warned that once Pandora’s box was opened with PrintNightmare, flaws within Windows Print Spooler would come back to haunt organizations,” Narang said. “Based on the success ransomware groups and other threat actors have had with PrintNightmare, a continued focus on the ubiquitous nature of Windows Print Spooler makes it one of the most attractive targets for privilege escalation and remote code execution.”