It’s the second Tuesday of the month, which means it’s Update Tuesday, the monthly release of security patches available for almost all software that Microsoft supports. This time, the software maker has fixed six zero-days under active exploitation in the wild, along with a wide variety of other vulnerabilities that pose a threat to end users.
Two of the zero-days are very serious vulnerabilities in Exchange that, when used together, allow hackers to execute malicious code on servers. These vulnerabilities, tracked as CVE-2022-41040 and CVE-2022-41082, were revealed in September. At the time, researchers in Vietnam reported that they had been used to infect on-premises Exchange servers with web shells, the text-based interfaces that allow people to run commands remotely.
The vulnerabilities, known as ProxyNotShell, affect on-premises Exchange servers. Shodan searches at the time the zero-days became publicly known revealed that about 220,000 servers were vulnerable. Microsoft said in early October that it was aware of only a single threat actor exploiting the vulnerabilities and that the actor had targeted less than 10 organizations. The threat actor is fluent in Simplified Chinese, which suggests he has some affiliation with China.
A third zero-day is CVE-2022-41128, a critical Windows vulnerability that also allows a threat actor to execute malicious code remotely. The vulnerability, which works when a vulnerable device gains access to a malicious server, was discovered by Clément Lecigne of Google’s Threat Analysis Group. Since TAG tracks hacking backed by nation-states, the discovery likely means government-backed hackers are behind the zero-day exploits.
Two more zero-days are privilege escalation vulnerabilities, a class of vulnerabilities that, when combined with a single vulnerability or used by someone who already has limited system privileges on a device, elevates system privileges to those necessary to code, access passwords and take control of a device. As the security of applications and operating systems has improved over the past decade, so-called EoP vulnerabilities have grown in importance.
CVE-2022-41073 affects the Microsoft print spooler, while CVE-2022-41125 is in the Windows CNG Key Isolation Service. Both EoP vulnerabilities were discovered by the Microsoft Security Threat Intelligence team.
The last zero-day fix this month is also in Windows. CVE-2022-41091 allows hackers to create malicious files that bypass the Mark of the Web defenses, which are designed to work with security features such as Protected View in Microsoft Office. Will Dormann, senior vulnerability analyst at security firm ANALYGENCE, discovered the bypass technique in July.
In total, this month’s Update Tuesday has fixed a total of 68 vulnerabilities. Microsoft gave 11 of them a “critical” priority rating, while the rest were rated “important.” Patches are generally installed automatically within about 24 hours. If you want to install updates right away, you can go to Windows > Settings > Updates and security > Windows Update. The full overview from Microsoft is here.