November 2022 Patch Tuesday is here, with fixes for many vulnerabilities actively exploited in the wild, including CVE-2022-41091, a Windows Mark of the Web bypass flaw, and the ProxyNotShell MS Exchange vulnerabilities.
Fixes to prioritize
CVE-2022-41091 is a Windows zero-day vulnerability that allows attackers to bypass the Mark of the Web (MOTW) security feature. They can craft a malicious file triggering the flaw and deliver it either via a malicious or compromised website or via email or instant message.
“In all cases an attacker would have no way to force a user to view attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could entice a user to either click a link that directs the user to the attacker’s site or send a malicious attachment,” Microsoft says, but it has nevertheless been successfully exploited by different attackers in the wild.
And, according to Beaumont, another MOTW bypass vulnerability (CVE-2022-41049) fixed this Patch Tuesday is being exploited in the wild – though Microsoft didn’t confirm it.
Then there’s CVE-2022-41128, a remote code execution flaw in Windows Scripting Languages.
“An attack would need to lure a user to either a specially crafted website or server share. In doing so, they would get their code to execute on an affected system at the level of the logged-on user,” commented Dustin Childs, with Trend Micro’s Zero Day Initiative.
“Microsoft provides no insight into how widespread this may be but considering it’s a browse-and-own type of scenario, I expect this will be a popular bug to include in exploit kits.”
Also under active exploitation: CVE-2022-41073, a Windows Print Spooler elevation of privilege (EoP) bug reported by Microsoft’s own threat intelligence analysts, and CVE-2022-41125, an EOP in the Windows CNG Key Isolation Service.
What else?
Obviously, the “ProxyNotShell” Microsoft Exchange Server flaws need to be patched as soon as possible due to in-the-wild exploitation, and the fact that Microsoft has stumbled with the provided mitigations.
“It’s been over a month since these flaws were disclosed. While the impact of ProxyNotShell is limited due to the authentication requirement, the fact that it has been exploited in the wild and that attackers are capable of obtaining valid credentials still make these important flaws to patch,” commented Satnam Narang, senior staff research engineer at Tenable.
Childs also noted that Microsoft has fixed four additional bugs in Exchange Server this month. “I have a strong premonition many Exchange administrators have a long weekend in front of them,” he added.
Finally, CVE-2022-38023 (an EoP flaw in Netlogon RPC) is not being exploited, but a fix for it should be implemented before Microsoft enforces the necessary updates in July 2023.
UPDATE (November 8, 2022, 17:05 a.m. ET):
This article has been amended to clear up potential confusion between the two fixed MOTW bypass flaws.
Suggest an edit to this article
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.