Microsoft has released fixes for six actively exploited zero-day vulnerabilities in its November Patch Tuesday drop, one of them publicly disclosed and three of them carrying critical Common Vulnerability Scoring System (CVSS) ratings.
These zero-days are among a total of 69 different vulnerabilities – 11 critical – that were patched in a slightly lighter than usual update, but one that may prove highly impactful for security teams due to the time of year.
“As we approach the holiday season, security teams must be on high alert and increasingly vigilant, as attackers typically ramp up activity during this time – for example, Log4j, SolarWinds,” explained Bharat Jogi, director of vulnerability and threat research at Qualys.
“It is likely we will see bad actors attempting to take advantage of disclosed zero-days and vulnerabilities released that organisations have left unpatched.”
The sole publicly disclosed zero-day, which carries a CVSS score of 5.4, meaning it is considered important rather than critical, is CVE-2022-41091, which is a security feature bypass vulnerability in Windows Mark of the Web (MotW). A second MotW vulnerability, CVE-2022-41049, is also patched.
Mark of the Web is a feature that is supposed to flag files downloaded from the internet and prompt users with a security pop-up to confirm the file is trusted.
Satnam Narang, senior staff research engineer at Tenable, said: “Though it was not credited to any researcher in particular, this vulnerability was recently discovered as being exploited in the wild by the Magniber ransomware group as fake software updates, according to HP.”
While CVE-2022-41091 is not overly damaging in and of itself, it still warrants close attention as the MotW feature forms a key element of a defence-in-depth security strategy, as Tiberium chief security advisor Gareth Lindahl-Wise explained.
“MotW vulnerabilities could lead to degradation or bypass of inbuilt Office ‘Protected View’, which could smooth the way for malicious code to be triggered,” he said.
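A defender-side check, added here and not part of the article: on NTFS, Mark of the Web is stored as a `Zone.Identifier` alternate data stream on the downloaded file, so the files to look at after a MotW bypass are those on which that stream is missing. The folder path and the function name are assumptions.

```powershell
# Added example (not from the article): audit a folder for files that lack the
# Mark of the Web, i.e. the Zone.Identifier alternate data stream that MotW writes.
# The folder path below is an assumption; point it at the location you want to review.
function Get-MotwStatus {
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        $file = $_
        # Read the Zone.Identifier stream if present; no stream means no MotW.
        $zone = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $zoneId = $null
        if ($zone) {
            # ZoneId=3 is the Internet zone, ZoneId=4 the Restricted zone.
            $match = $zone | Select-String -Pattern '^ZoneId=(\d)'
            if ($match) { $zoneId = [int] $match.Matches[0].Groups[1].Value }
        }
        [pscustomobject]@{
            File    = $file.FullName
            HasMotw = [bool] $zone
            ZoneId  = $zoneId   # $null when the stream is absent
        }
    }
}

# Usage (assumed path): list files in the Downloads folder that carry no MotW at all,
# which is the state a MotW bypass leaves behind and that Protected View will not catch.
Get-MotwStatus -Path "$env:USERPROFILE\Downloads" | Where-Object { -not $_.HasMotw }
```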
Of the remaining zero-days, remote code execution (RCE) vulnerability CVE-2022-41040 and elevation of privilege (EoP) vulnerability CVE-2022-41082 both affect Microsoft Exchange Server and, by their powers combined, form the attack chain known as ProxyNotShell.
ProxyNotShell – so named for its similarity to the ProxyShell attack chain – came to light in September but was not patched in the October update, ostensibly on the basis that in order to exploit it to the fullest, attackers had to have successfully authenticated to a vulnerable server.
“While the impact of ProxyNotShell is limited due to the authentication requirement, the fact that it has been exploited in the wild and that attackers are capable of obtaining valid credentials still make these important flaws to patch,” said Tenable’s Narang.
Meanwhile, CVE-2022-41128, an RCE vulnerability in Windows Scripting Languages, should also be prioritised because it is of low complexity, uses the network vector and does not need any additional privileges to exploit. It does, however, rely on manipulating a victim into visiting a malicious website.
“This kind of exploit is ideal for attackers looking to gain an initial foothold into a network where they can target many users at scale and only need one successful interaction to gain access,” said Kev Breen, director of cyber threat research at Immersive Labs.
“These attacks exploit the human element, and it’s why it’s so important to give workforces skills and capabilities to spot and avoid such attacks,” he added.
The two other zero-days, both rated important with CVSS scores of 7.8, are CVE-2022-41073, an EoP vulnerability in Windows Print Spooler, and CVE-2022-41125, an EoP vulnerability in Windows CNG Key Isolation Service.
“The print spooler has been a popular target for vulnerabilities in the past 12 months, with this marking the ninth patch,” said Breen at Immersive Labs.
“These kinds of privilege escalation vulnerabilities are almost always seen as a follow-up to an initial compromise where threat actors will next seek to gain system- or domain-level access. This higher level of access is required to disable or tamper with security monitoring tools before running credential attacks with tools like mimikatz that can allow attackers to move laterally across a network,” he said.