Microsoft’s November 2022 Patch Tuesday is a particularly important one, as the company has released fixes for four zero-day vulnerabilities, all of which are currently being exploited in the wild.
In total, the Redmond, Wash. software giant has released fixes for 62 security bugs, including nine rated critical and 53 rated important.
Here’s a look at some of the notable ones, including those four zero-days:
CVE-2022-41073 – Elevation of Privilege in Windows Print Spooler
Yet another vulnerability in Windows Print Spooler is patched this month, but this one stands out because it is the first such bug to be exploited in the wild by attackers. Several Print Spooler flaws have been patched since the PrintNightmare bugs from summer 2022, and it appears that attackers are catching on.
“We’ve long warned that once Pandora’s box was open with PrintNightmare, flaws within Windows Print Spooler would come back to haunt organizations, and based on the success ransomware groups and other threat actors have had with PrintNightmare, a continued focus on the ubiquitous nature of Windows Print Spooler makes it one of the most attractive targets for privilege escalation and remote code execution,” says Satnam Narang, senior staff research engineer at Tenable.
Zero Day Initiative (ZDI) advises that disabling Print Spooler should be an effective workaround if users can deal with printing issues.
CVE-2022-41128 – Remote Code Execution in the Windows Sprinting Language
This bug affects Microsoft’s Jscript9 scripting language and requires user interaction, meaning an attacker would need to convince a victim running a vulnerable version of Windows to visit a specially crafted server share or website through some type of social engineering, according to Narang.
According to ZDI, the attacker could execute their code on an affected system at the level of the logged-on user.
CVE-2022-41125 – Windows CNG Key Isolation Service Elevation of Privilege
This is another actively exploited bug, an elevation of privilege vulnerability in the Windows Cryptography API: Next Generation (CNG) Key Isolation Service. This is a service for isolating private keys hosted in the Local Security Authority (LSA) process. Exploitation of this vulnerability could grant an attacker SYSTEM privileges.
ZDI notes that an attacker would need to be authenticated, so it is likely paired with a remote code execution bug.
CVE-2022-41091 – Windows Mark of the Web Security Feature Bypass
This is one of two security feature bypass vulnerabilities in Windows Mark of the Web (MoTW), a feature designed to flag files that have been downloaded from the internet and prompts users with a security warning. This is being actively exploited, so it’s another one to prioritize.
Narang, citing HP researchers, says this bug was recently discovered as being exploited in the wild by the Magniber ransomware group as fake software updates.
CVE-2022-41040 and CVE-2022-41082 – Microsoft Exchange Server Elevation of Privilege and Remote Code Execution
Microsoft has finally fixed these bugs, collectively known as ProxyNotShell. They are also being actively exploited in the wild, and can result in hands-on-keyboard access and Active Directory reconnaissance and data exfiltration. Read this article for more information.