Let’s face it: having “election 2022” in the headline above is probably the only reason anyone would read this story today. Yet, while most of us here in the United States eagerly await the results of how we fixed our democracy, it seems fitting that Microsoft Corp. today released heaps of security patches for its ubiquitous Windows operating systems. The November patch bundle includes fixes for a whopping six zero-day security vulnerabilities that miscreants and malware are already exploiting in the wild.
Probably the scariest zero-day flaw is CVE-2022-41128, a “critical” weakness in Windows scripting languages that could be used to force malware onto vulnerable users who do nothing more than browse to a hacked or malicious site that exploits the weakness. Microsoft credits Google with reporting the vulnerability, which got a CVSS score of 8.8.
CVE-2022-41073 is a zero-day flaw in the Windows Print Spooler, a Windows component that Microsoft has heavily patched over the past year. Kevin Breen, director of cyber threat research at Immersive Labs, noted that the print spooler has been a popular target for vulnerabilities over the past 12 months, and that this marks the 9th patch.
The third zero-day Microsoft patched this month is CVE-2022-41125, an “elevation of privilege” vulnerability in the Windows Cryptography: Next Generation (CNG) Key Isolation Service API, a service for isolating private keys. Satnam Narang, senior research engineer at Defensible, said that exploiting this vulnerability could grant an attacker SYSTEM privileges.
The fourth zero-day, CVE-2022-41091, was already leaked and widely reported in October. It is a security feature bypass of “Windows Mark of the Web” – a mechanism to flag files that come from an untrusted source.
The other two zero-day bugs fixed by Microsoft this month were for vulnerabilities exploited in Exchange Server. News that these two Exchange flaws were being exploited in the wild surfaced in late September 2022, and many were surprised when Microsoft let October’s Patch Tuesday pass without releasing official fixes for them (the company instead issued mitigation instructions that it was forced to revise several times). Today’s patch bundle resolves both of these issues.
Greg Wiseman, product manager at Quick7, stated that the Exchange CVE-2022-41040 flaw is a “critical” elevation of privilege vulnerability, and that CVE-2022-41082 is considered significant, allowing remote code execution (RCE) when PowerShell is accessible to the attacker.
“Both vulnerabilities were exploited in the wild,” Wiseman said. “Four other CVEs affecting Exchange Server were also resolved this month. Three are rated as important and CVE-2022-41080 is another privilege escalation vulnerability rated as critical. Customers are advised to update their Exchange Server systems immediately, whether or not the previously recommended mitigations have been applied. Mitigation rules are no longer recommended once systems have been patched.”
Adobe usually releases security updates for its products on Patch Tuesday, but not this month. For a more in-depth look at the patches released by Microsoft today, indexed by severity and other metrics, check out the always-helpful Patch Tuesday roundup from the Internet Storm Center. And it’s not a bad idea to delay updating for a few days until Microsoft fixes any issues in the updates: AskWoody.com usually has the list of patches that can cause problems for Windows users.
As always, consider backing up your system or at least your important documents and data before applying system updates. And if you have any issues with these updates, please leave a note about it here in the comments.