As part of November’s Update Tuesday, Microsoft fixed 68 vulnerabilities in its products, including six zero-day problems that attackers had already exploited, and released patches for ProxyNotShell.
Of the 68 vulnerabilities, 11 were classified as “critical” because they could allow privilege escalation, spoofing, or remote arbitrary code execution. In addition, this month the developers fixed six 0-day vulnerabilities at once. Let me remind you that the term “critical” is applied to vulnerabilities that were either publicly disclosed before the release of the patches or were already being actively exploited by hackers. In this case, all six of the bugs listed below have already been exploited by attackers.
- CVE-2022-41128: A remote code execution vulnerability in Windows scripting languages. Discovered by experts from the Google Threat Analysis Group. To exploit the bug, a user with a vulnerable version of Windows must access a malicious server or an attacker’s website.
- CVE-2022-41091: Windows Mark of the Web bypass vulnerability discovered by cybersecurity expert Will Dormann. A specially crafted malicious file can bypass Mark of the Web (MoTW) protection, which, for example, stops the Protected View mode in Microsoft Office from being applied.
- CVE-2022-41073: A privilege escalation issue in Windows Print Spooler was identified by Microsoft Threat Intelligence Center (MSTIC) analysts. An attacker who successfully exploited this vulnerability is reported to be able to gain SYSTEM privileges.
- CVE-2022-41125: Privilege escalation in Windows CNG Key Isolation Service, also discovered by MSTIC and Microsoft Security Response Center (MSRC). As in the previous case, an attacker who successfully exploited the vulnerability could gain SYSTEM privileges.
Two other fixed zero-day issues (CVE-2022-41040 and CVE-2022-41082) are better known collectively as ProxyNotShell.
Let me remind you that these bugs, discovered by analysts from the Vietnamese company GTSC, became known back in September of this year. It took Microsoft almost two months to create patches, and before the release of fixes, the company gave only detailed recommendations on mitigating the ProxyNotShell problem.
Also this week, other companies released updates for their products. Patches and fixes were presented by:
- Apple: released Xcode 14.1 with numerous security updates;
- Cisco: has released security updates for a number of its products;
- Citrix: published patches for a critical authentication bypass vulnerability in Citrix ADC and Gateway;
- Google: introduced the November update for Android;
- OpenSSL: released patches for issues CVE-2022-3602 and CVE-2022-3786;
- SAP: introduced November 2022 updates.