Fixes for 6 zero-days under active exploitation are now available from Microsoft


It’s the second Tuesday of the month, which means it’s Update Tuesday, the monthly release of security patches for nearly all Microsoft-supported software. This time around, the software maker patched six zero-days under active in-the-wild exploitation, along with a wide range of other vulnerabilities that pose a threat to end users.

Two of the zero-days are serious vulnerabilities in Exchange that, when chained together, allow hackers to execute malicious code on servers. Tracked as CVE-2022-41040 and CVE-2022-41082, these vulnerabilities were disclosed in September. At the time, researchers in Vietnam reported that they had been used to infect on-premises Exchange servers with web shells, the text-based interfaces that allow attackers to execute commands remotely.

Better known as ProxyNotShell, the vulnerabilities affect on-premises Exchange servers. Shodan research at the time the zero-days became public showed around 220,000 servers were vulnerable. Microsoft said in early October that it was aware of only one threat actor exploiting the vulnerabilities and that the actor had targeted fewer than 10 organizations. The threat actor is fluent in Simplified Chinese, suggesting a connection to China.

A third zero-day is CVE-2022-41128, a critical Windows vulnerability that also allows a malicious actor to execute malicious code remotely. The vulnerability, which is triggered when a vulnerable device accesses a malicious server, was discovered by Clément Lecigne of Google’s Threat Analysis Group. Because TAG tracks nation-state-backed hacking, the finding likely means government-backed hackers are behind the zero-day exploits.

Two other zero-day flaws are privilege escalation vulnerabilities, a class of vulnerability that, when paired with a separate vulnerability or used by someone who already has limited privileges on a device, elevates system rights to those needed to install code, access passwords, and take control of the device. As application and operating system security has improved over the past decade, these so-called EoP vulnerabilities have risen to prominence.

CVE-2022-41073 affects the Microsoft Print Spooler, while CVE-2022-41125 resides in the Windows CNG Key Isolation Service. Both EoP vulnerabilities were discovered by the Microsoft Security Threat Intelligence team.

The last patched zero-day this month is also in Windows. CVE-2022-41091 allows hackers to create malicious files that evade Mark of the Web defenses, which are designed to work with security features such as Protected View in Microsoft Office. Will Dormann, Principal Vulnerability Analyst at security firm ANALYGENCE, discovered the bypass technique in July.

In total, this month’s update fixed 68 vulnerabilities. Microsoft assigned a “critical” severity rating to 11 of them, with the rest rated “important.” Patches usually install automatically within about 24 hours. Those who want to install updates immediately can go to Windows > Settings > Updates & Security > Windows Update. Microsoft’s full rundown is here.
