Microsoft's latest round of monthly security updates has been released with fixes for 68 vulnerabilities spanning its software portfolio, including patches for six actively exploited zero-days.
12 of the issues are rated Critical, two are rated High, and 55 are rated Important in severity. This also includes the weaknesses that were closed out by OpenSSL the previous week.
Also separately addressed in Microsoft Edge at the start of the month is an actively exploited flaw in Chromium-based browsers (CVE-2022-3723) that was plugged by Google as part of an out-of-band update late last month.
"The big news is that two older zero-day CVEs affecting Exchange Server, made public at the end of September, have finally been fixed," Greg Wiseman, product manager at Rapid7, said in a statement shared with The Hacker News.
"Customers are advised to update their Exchange Server systems immediately, regardless of whether any previously recommended mitigation steps have been applied. The mitigation rules are no longer recommended once systems have been patched."
The list of actively exploited vulnerabilities, which allow privilege elevation and remote code execution, is as follows -
- CVE-2022-41040 (CVSS score: 8.8) - Microsoft Exchange Server Elevation of Privilege Vulnerability (aka ProxyNotShell)
- CVE-2022-41082 (CVSS score: 8.8) - Microsoft Exchange Server Elevation of Privilege Vulnerability (aka ProxyNotShell)
- CVE-2022-41128 (CVSS score: 8.8) - Windows Scripting Languages Remote Code Execution Vulnerability
- CVE-2022-41125 (CVSS score: 7.8) - Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
- CVE-2022-41073 (CVSS score: 7.8) - Windows Print Spooler Elevation of Privilege Vulnerability
- CVE-2022-41091 (CVSS score: 5.4) - Windows Mark of the Web Security Feature Bypass Vulnerability
Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group (TAG) have been credited with reporting CVE-2022-41128, which resides in the JScript9 component and occurs when a target is tricked into visiting a specially crafted website.
CVE-2022-41091 is one of the two security bypass flaws in Windows Mark of the Web (MoTW) that came to light over the past few months. It was recently discovered as weaponized by the Magniber ransomware actor to target users with fake software updates.
"An attacker can craft a malicious file that would evade Mark of the Web (MotW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MotW tagging," Microsoft said in an advisory.
The second MotW flaw to be resolved is CVE-2022-41049 (aka ZippyReads). Reported by Analygence security researcher Will Dormann, it relates to a failure to set the Mark of the Web flag to extracted archive files.
The two privilege escalation flaws in Print Spooler and the CNG Key Isolation Service are likely to be abused by threat actors as a follow-up to an initial compromise and gain SYSTEM privileges, Kev Breen, director of cyber threat research at Immersive Labs, said.
"This higher level of access is required to disable or tamper with security monitoring tools before running credential attacks with tools like Mimikatz that can allow attackers to move laterally across a network," Breen added.
Four other Critical-rated vulnerabilities in the November patch worth pointing out are privilege elevation flaws in Windows Kerberos (CVE-2022-37967), Kerberos RC4-HMAC (CVE-2022-37966), and Microsoft Exchange Server (CVE-2022-41080), and a denial-of-service flaw affecting Windows Hyper-V (CVE-2022-38015).
The list of fixes for Critical flaws is tailended by four remote code execution vulnerabilities in the Point-to-Point Tunneling Protocol (PPTP), all carrying CVSS scores of 8.1 (CVE-2022-41039, CVE-2022-41088, and CVE-2022-41044), and another impacting Windows scripting languages JScript9 and Chakra (CVE-2022-41118).
In addition to these issues, the Patch Tuesday update also resolves a number of remote code execution flaws in Microsoft Excel, Word, ODBC Driver, Office Graphics, SharePoint Server, and Visual Studio, as well as a handful of privilege escalation bugs in Win32k, Overlay Filter, and Group Policy.
Software Patches from Other Vendors
Microsoft aside, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —
- Google Chrome
- Juniper Networks
- Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
- Schneider Electric
- Trend Micro
- VMware, and