Microsoft’s latest round of monthly security updates has been released with fixes for 68 vulnerabilities spanning its software portfolio, including patches for six actively exploited zero-days.
12 of the issues are rated Critical, two are rated High, and 55 are rated Important in severity. This also includes the weaknesses that were closed out by OpenSSL the previous week.
Also separately addressed at the start of the month is an actively exploited flaw in Chromium-based browsers (CVE-2022-3723) that was plugged by Google as part of an out-of-band update late last month.
“The big news is that two older zero-day CVEs affecting Exchange Server, made public at the end of September, have finally been fixed,” Greg Wiseman, product manager at Rapid7, said in a statement shared with The Hacker News.
“Customers are advised to update their Exchange Server systems immediately, regardless of whether any previously recommended mitigation steps have been applied. The mitigation rules are no longer recommended once systems have been patched.”
The list of actively exploited vulnerabilities, which allow privilege elevation and remote code execution, is as follows –
- CVE-2022-41040 (CVSS score: 8.8) – Microsoft Exchange Server Elevation of Privilege Vulnerability (aka ProxyNotShell)
- CVE-2022-41082 (CVSS score: 8.8) – Microsoft Exchange Server Elevation of Privilege Vulnerability (aka ProxyNotShell)
- CVE-2022-41128 (CVSS score: 8.8) – Windows Scripting Languages Remote Code Execution Vulnerability
- CVE-2022-41125 (CVSS score: 7.8) – Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
- CVE-2022-41073 (CVSS score: 7.8) – Windows Print Spooler Elevation of Privilege Vulnerability
- CVE-2022-41091 (CVSS score: 5.4) – Windows Mark of the Web Security Feature Bypass Vulnerability
Benoît Sevens and Clément Lecigne of Google’s Threat Analysis Group (TAG) have been credited with reporting CVE-2022-41128, which resides in the JScript9 component and occurs when a target is tricked into visiting a specially crafted website.
CVE-2022-41091 is one of the two security bypass flaws in Windows Mark of the Web (MotW) that came to light in recent months. It was recently discovered as weaponized by the Magniber ransomware actor to target users with fake software updates.
“An attacker can craft a malicious file that would evade Mark of the Web (MotW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MotW tagging,” Microsoft said in an advisory.
The second MotW flaw to be resolved is CVE-2022-41049 (aka ZippyReads). Reported by Analygence security researcher Will Dormann, it relates to a failure to set the Mark of the Web flag on extracted archive files.
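An added example, not from the original article or from Microsoft: a PowerShell audit that flags files extracted from an Internet-zone archive that did not inherit the Mark of the Web, the condition described above for CVE-2022-41049. It assumes an NTFS volume, where the mark is stored in the `Zone.Identifier` alternate data stream; the function names and sample files are constructed for illustration.

```powershell
# Added example: audit extracted files for a missing Mark of the Web (MotW).
# Assumption: Windows + NTFS, where MotW is the Zone.Identifier alternate data
# stream containing "[ZoneTransfer]" followed by "ZoneId=<n>".

function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    # Returns the ZoneId as an int, or $null when the file carries no MotW.
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in $lines) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function Find-UnmarkedExtractedFile {
    param(
        [Parameter(Mandatory)][string]$ArchivePath,
        [Parameter(Mandatory)][string]$ExtractedDir
    )
    $archiveZone = Get-MotwZone -Path $ArchivePath
    # Zones 3 (Internet) and 4 (Restricted sites) are the untrusted ones;
    # an archive from a trusted zone has no mark to propagate.
    if ($null -eq $archiveZone -or $archiveZone -lt 3) { return }
    Get-ChildItem -LiteralPath $ExtractedDir -Recurse -File | ForEach-Object {
        $zone = Get-MotwZone -Path $_.FullName
        if ($null -eq $zone -or $zone -lt $archiveZone) {
            [pscustomobject]@{ File = $_.FullName; ArchiveZone = $archiveZone; FileZone = $zone }
        }
    }
}

# Constructed sample data: a placeholder "downloaded" archive and two extracted files.
$root = Join-Path ([IO.Path]::GetTempPath()) ("motw-demo-" + [guid]::NewGuid())
$out  = New-Item -ItemType Directory -Path (Join-Path $root 'extracted') -Force
$zip  = Join-Path $root 'sample.zip'
$motw = "[ZoneTransfer]", "ZoneId=3"
Set-Content -LiteralPath $zip -Value 'constructed placeholder, not a real archive'
Set-Content -LiteralPath $zip -Stream Zone.Identifier -Value $motw
Set-Content -LiteralPath (Join-Path $out 'marked.txt') -Value 'a'
Set-Content -LiteralPath (Join-Path $out 'marked.txt') -Stream Zone.Identifier -Value $motw
Set-Content -LiteralPath (Join-Path $out 'unmarked.txt') -Value 'b'

# Run the audit over the constructed data, then clean up.
Find-UnmarkedExtractedFile -ArchivePath $zip -ExtractedDir $out.FullName
Remove-Item -LiteralPath $root -Recurse -Force
```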
The two privilege escalation flaws in Print Spooler and the CNG Key Isolation Service are likely to be abused by threat actors as a follow-up to an initial compromise to gain SYSTEM privileges, Kev Breen, director of cyber threat research at Immersive Labs, said.
“This higher level of access is needed to disable or tamper with security monitoring tools before running credential attacks with tools like Mimikatz that can allow attackers to move laterally across a network,” Breen added.
Four other Critical-rated vulnerabilities in the November patch worth pointing out are privilege elevation flaws in Windows Kerberos (CVE-2022-37967), Kerberos RC4-HMAC (CVE-2022-37966), and Microsoft Exchange Server (CVE-2022-41080), and a denial-of-service flaw affecting Windows Hyper-V (CVE-2022-38015).
The list of fixes for Critical flaws is tailended by four remote code execution vulnerabilities in the Point-to-Point Tunneling Protocol (PPTP), all carrying CVSS scores of 8.1 (CVE-2022-41039, CVE-2022-41088, and CVE-2022-41044), and another impacting Windows scripting languages JScript9 and Chakra (CVE-2022-41118).
In addition to these issues, the Patch Tuesday update also resolves a number of remote code execution flaws in Microsoft Excel, Word, ODBC Driver, Office Graphics, SharePoint Server, and Visual Studio, as well as a number of privilege escalation bugs in Win32k, Overlay Filter, and Group Policy.
Software Patches from Other Vendors
Microsoft aside, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —