Microsoft’s latest round of monthly security updates has been released with fixes for 68 vulnerabilities spanning its software portfolio, including patches for six actively exploited zero-days.
12 of the issues are rated Critical, two are rated High, and 55 are rated Important in severity. This also includes the weaknesses that were closed out by OpenSSL the previous week.
Also separately addressed at the start of the month is an actively exploited flaw in Chromium-based browsers (CVE-2022-3723) that was plugged by Google as part of an out-of-band update late last month.
“The big news is that two older zero-day CVEs affecting Exchange Server, made public at the end of September, have finally been fixed,” Greg Wiseman, product manager at Rapid7, said in a statement shared with The Hacker News.
“Customers are advised to update their Exchange Server systems immediately, regardless of whether any previously recommended mitigation steps have been applied. The mitigation rules are no longer recommended once systems have been patched.”
The list of actively exploited vulnerabilities, which allow privilege elevation and remote code execution, is as follows:
- CVE-2022-41040 (CVSS score: 8.8) – Microsoft Exchange Server Elevation of Privilege Vulnerability (aka ProxyNotShell)
- CVE-2022-41082 (CVSS score: 8.8) – Microsoft Exchange Server Elevation of Privilege Vulnerability (aka ProxyNotShell)
- CVE-2022-41128 (CVSS score: 8.8) – Windows Scripting Languages Remote Code Execution Vulnerability
- CVE-2022-41125 (CVSS score: 7.8) – Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
- CVE-2022-41073 (CVSS score: 7.8) – Windows Print Spooler Elevation of Privilege Vulnerability
- CVE-2022-41091 (CVSS score: 5.4) – Windows Mark of the Web Security Feature Bypass Vulnerability
Benoît Sevens and Clément Lecigne of Google’s Threat Analysis Group (TAG) have been credited with reporting CVE-2022-41128, which resides in the JScript9 component and occurs when a target is tricked into visiting a specially crafted website.
CVE-2022-41091 is one of the two security bypass flaws in Windows Mark of the Web (MoTW) that came to light in recent months. It was recently discovered as weaponized by the Magniber ransomware actor to target users with fake software updates.
“An attacker can craft a malicious file that would evade Mark of the Web (MotW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MotW tagging,” Microsoft said in an advisory.
The second MotW flaw to be resolved is CVE-2022-41049 (aka ZippyReads). Reported by Analygence security researcher Will Dormann, it relates to a failure to set the Mark of the Web flag to extracted archive files.
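One way to verify on a patched Windows host that MotW is propagated from a downloaded archive to the files extracted from it is the PowerShell check below. It is an added example, not part of the original article or of any Microsoft tooling; `$ArchivePath`, `$ExtractDir` and the `Get-ZoneId` helper are hypothetical names, and the check assumes both paths are on NTFS.

```powershell
# Added example: audit MotW propagation from a downloaded archive to its extracted files.
# $ArchivePath and $ExtractDir are hypothetical parameters supplied by the operator.
param(
    [Parameter(Mandatory)] [string] $ArchivePath,
    [Parameter(Mandatory)] [string] $ExtractDir
)

function Get-ZoneId {
    param([string] $Path)
    # MotW is stored in the NTFS alternate data stream "Zone.Identifier" as INI text:
    #   [ZoneTransfer]
    #   ZoneId=3
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in $lines) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null   # no stream, or a stream without a ZoneId line
}

# ZoneId 3 is the Internet zone, 4 is Restricted Sites.
$archiveZone = Get-ZoneId -Path $ArchivePath
if ($null -eq $archiveZone -or $archiveZone -lt 3) {
    Write-Output "Archive carries no Internet/Restricted zone mark (ZoneId=$archiveZone); nothing to propagate."
    return
}

# Collect every extracted file whose mark is absent or weaker than the archive's.
$missing = Get-ChildItem -LiteralPath $ExtractDir -Recurse -File | ForEach-Object {
    $zone = Get-ZoneId -Path $_.FullName
    if ($null -eq $zone -or $zone -lt $archiveZone) {
        [pscustomobject]@{ File = $_.FullName; ZoneId = $zone; Expected = $archiveZone }
    }
}

if ($missing) {
    $missing | Format-Table -AutoSize
    Write-Output "$(@($missing).Count) extracted file(s) lack the archive's MotW."
} else {
    Write-Output "All extracted files carry ZoneId >= $archiveZone."
}
```

Files flagged by the check would open without Protected View or SmartScreen prompts that depend on MotW tagging, so they are the ones to review on hosts where the extraction took place before the update was installed.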
The two privilege escalation flaws in Print Spooler and the CNG Key Isolation Service are likely to be abused by threat actors as a follow-up to an initial compromise to gain SYSTEM privileges, Kev Breen, director of cyber threat research at Immersive Labs, said.
“This higher level of access is needed to disable or tamper with security monitoring tools before running credential attacks with tools like Mimikatz that can allow attackers to move laterally across a network,” Breen added.
Four other Critical-rated vulnerabilities in the November patch worth pointing out are privilege elevation flaws in Windows Kerberos (CVE-2022-37967), Kerberos RC4-HMAC (CVE-2022-37966), and Microsoft Exchange Server (CVE-2022-41080), and a denial-of-service flaw affecting Windows Hyper-V (CVE-2022-38015).
The list of fixes for Critical flaws is tailended by four remote code execution vulnerabilities in the Point-to-Point Tunneling Protocol (PPTP), all carrying CVSS scores of 8.1 (CVE-2022-41039, CVE-2022-41088, and CVE-2022-41044), and another impacting Windows scripting languages JScript9 and Chakra (CVE-2022-41118).
In addition to these issues, the Patch Tuesday update also resolves a number of remote code execution flaws in Microsoft Excel, Word, ODBC Driver, Office Graphics, SharePoint Server, and Visual Studio, as well as a number of privilege escalation bugs in Win32k, Overlay Filter, and Group Policy.
Software Patches from Other Vendors
Microsoft aside, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including:
- AMD
- Android
- Apple
- Cisco
- Citrix
- CODESYS
- Dell
- F5
- Fortinet
- GitLab
- Google Chrome
- HP
- IBM
- Intel
- Juniper Networks
- Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
- MediaTek
- NVIDIA
- Qualcomm
- SAP
- Schneider Electric
- Siemens
- Trend Micro
- VMware, and
- WordPress
Some parts of this article are sourced from:
thehackernews.com