It’s the second Tuesday of the month, and that means it’s Update Tuesday, the monthly release of security patches available for nearly all software Microsoft supports. This time around, the software maker has fixed six zero-days under active exploit in the wild, along with a wide range of other vulnerabilities that pose a threat to end users.
Two of the zero-days are high-severity vulnerabilities in Exchange that, when used together, allow hackers to execute malicious code on servers. Tracked as CVE-2022-41040 and CVE-2022-41082, these vulnerabilities came to light in September. At the time, researchers in Vietnam reported they had been used to infect on-premises Exchange servers with web shells, the text-based interfaces that allow people to remotely execute commands.
Better known as ProxyNotShell, the vulnerabilities affect on-premises Exchange servers. Shodan searches at the time the zero-days became publicly known showed roughly 220,000 servers were vulnerable. Microsoft said in early October that it was aware of only a single threat actor exploiting the vulnerabilities and that the actor had targeted fewer than 10 organizations. The threat actor is fluent in Simplified Chinese, suggesting it has a nexus to China.
A third zero-day is CVE-2022-41128, a critical Windows vulnerability that also allows a threat actor to execute malicious code remotely. The vulnerability, which works when a vulnerable device accesses a malicious server, was discovered by Clément Lecigne of Google’s Threat Analysis Group. Because TAG tracks hacking backed by nation-states, the discovery likely means that government-backed hackers are behind the zero-day exploits.
Two more zero-days are escalation-of-privilege vulnerabilities, a class of vulnerability that, when paired with a separate vulnerability or used by someone who already has limited system privileges on a device, elevates system rights to those needed to install code, access passwords, and take control of a device. As security in applications and operating systems has improved in the past decade, so-called EoP vulnerabilities have grown in importance.
CVE-2022-41073 affects the Microsoft print spooler, while CVE-2022-41125 resides in the Windows CNG Key Isolation Service. Both EoP vulnerabilities were discovered by the Microsoft Security Threat Intelligence team.
The last zero-day fixed this month is also in Windows. CVE-2022-41091 allows hackers to create malicious files that evade Mark of the Web defenses, which are designed to work with security features such as Protected View in Microsoft Office. Will Dormann, a senior vulnerability analyst at security firm ANALYGENCE, discovered the bypass technique in July.
In all, this month’s Update Tuesday fixed a total of 68 vulnerabilities. Microsoft gave a “critical” severity rating to 11 of them, with the remainder carrying the rating “important.” Patches generally install automatically within about 24 hours. Those who want to install updates immediately can go to Windows > Settings > Updates and Security > Windows Update. Microsoft’s full rundown is here.