This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.
In this issue, you will learn about patches for:
- Microsoft vulnerabilities from Patch Tuesday
- Windows Scripting Languages Remote Code Execution Vulnerability (CVE-2022-41128)
- Windows Mark of the Web Security Feature Bypass Vulnerability (CVE-2022-41091)
- Windows Print Spooler Elevation of Privilege Vulnerability (CVE-2022-41073)
- ProxyNotShell (CVE-2022-41040 and CVE-2022-41082)
- Third-party application vulnerabilities:
November Patch Tuesday brings us 68 fixed vulnerabilities from Microsoft. That’s less than October, but the number of critical updates is almost the same — 10 this month compared to 13 in October. This month brings us six fixed zero-days, one of which has working proof of concept and 5 others are being actively exploited in the wild. The Exchange ProxyNotShell bug was also fixed, at last! Here are details on the most interesting critical updates.
Windows Scripting Languages Remote Code Execution Vulnerability (CVE-2022-41128)
This new zero-day vulnerability that impacts the JScript9 scripting language was fixed by Microsoft. It has low complexity, uses the network vector, and requires no privilege to use, but it needs user interaction, such as using a phishing email to convince the victim to visit a malicious server share or website. It affects all Windows OS versions starting from Windows 7 and Windows Server 2008 R2. The zero-day has pretty high CVSS risk score of 8.8, and Microsoft has confirmed that it being actively exploited in the wild. However, the proof of concept has not yet been publicly disclosed.
The mitigation is to install the update on all systems (after installing it in a test environment). Also, make sure your users have been trained to identify and report phishing attacks.
Windows Mark of the Web Security Feature Bypass Vulnerability (CVE-2022-41091)
This zero-day vulnerability is also being actively exploited in the wild — and a working proof of concept is available. As with the previous vulnerability, an attacker has to convince the user to take a certain action, such as clicking a malicious URL in a phishing email.
The Windows Mark of the Web (MoW) feature is meant to be applied to files downloaded from the internet, since users should get a security warning when accessing them. The vulnerability enables an adversary to disable these warnings, thereby dramatically increasing the chances that a user will execute a malicious file they’ve downloaded.
Windows Print Spooler Elevation of Privilege Vulnerability (CVE-2022-41073)
Microsoft continues to patch minions of the PrintNightmare vulnerability. This vulnerability has a local vector through which an attacker can gain system rights on the target server or desktop. Microsoft reports that the latest iteration of PrintNightmare is already being exploited, which means we are facing another zero-day vulnerability. It affects all supported Windows operating systems.
One way to mitigate this vulnerability is to disable your print spooler — but then you will not be able to print anything from your system. Accordingly, it is better to install the latest patch from Microsoft, and then wait for next month and yet another new fix for PrintNightmare!
ProxyNotShell (CVE-2022-41040 and CVE-2022-41082)
November Patch Tuesday also finally provides a fix for two heavily exploited Exchange Server vulnerabilities: CVE-2022-41040 (server-side request forgery issue that enables privilege escalation) and CVE-2022-41082 (RCE bug).
It took Microsoft more than two months to provide the patch, even though the company admitted that ProxyNotShell actively exploited the vulnerabilities in targeted attacks against at least 10 large organizations. During this period, Microsoft proposed some mitigation measures, which it revised in response to intense criticism. However, even the revised measures have not been a panacea, so it is good news that an official patch is available now. Installing it promptly is highly advisable.
Google announced a new version of Chrome 107 with fixes for 14 vulnerabilities, three of which are of high severity:
- CVE-2022-3653, a buffer overflow bug in the Vulkan hardware acceleration mechanism
- CVE-2022-3654, which is related to “use after free” in Layout
To exploit any of these flaws, a remote attacker needs to trick a user into accessing a specially crafted web page in a vulnerable browser.
Other fixed vulnerabilities include buffer overflow bugs in media galleries (CVE-2022-3655), insufficient data validation in the file system (CVE-2022-3656), inappropriate full-screen implementation (CVE-2022-3660), post-release usage errors in extensions (CVE-2022-3657), errors in Chrome OS feedback service (CVE-2022-3658), and “special features” (CVE-2022-3659).
Google also released an emergency update for Chrome 107 to fix an actively exploited zero-day vulnerability (CVE-2022-3723), which was reported on October 25. The bug is described as a type confusion issue that affects engines. This is the seventh zero-day in Chrome fixed by Google this year.
Firefox 106 fixed 8 vulnerabilities, two of which are marked as dangerous:
- CVE-2022-42927, same-origin constraint bypass that allows access to the redirect result
Three vulnerabilities grouped as CVE-2022-42932, which have a moderate risk level, are caused by memory handling issues, such as buffer overflows and accessing memory regions that have already been freed. These problems could lead to the execution of attacker code when opening specially crafted pages.
Oracle announced quarterly updates and released 370 updates that fix more than 50 critical vulnerabilities. More than 200 of them address flaws that can be exploited remotely without authentication.
The Oracle Communications enterprise product had the most new patches (74). 64 of the patched security flaws can be used remotely without authentication, and 19 are rated “critically serious.”
Fusion Middleware came in second with 56 new security fixes, including 43 that fix flaws that can be used remotely without authentication and 9 rated as “critical.”
37 flaws were fixed in MySQL (11 of which are remotely exploitable without authentication). Retail applications and Communications applications each received 27 fixes, and Financial Services applications received 24 fixes.
Oracle also released numerous patches for Siebel CRM, Supply Chain, JD Edwards, Virtualization, Java SE, PeopleSoft, Systems, and Database Server. Other software that received fixes includes Communications Data Model, GoldenGate, Secure Backup, Commerce, Construction and Engineering, E-Business Suite, Enterprise Manager, HealthCare Applications, Hospitality Applications, Hyperion, Insurance Applications, and Utilities Applications.
Oracle did not provide its own patches for the following products: Airlines Data Model, Big Data Graph, NoSQL Database, SQL Developer, and TimesTen In-Memory Database. However, the software giant released third-party patches for them.
Oracle regularly urges customers to install available patches as soon as possible, since it has repeatedly documented instances where attackers have succeeded because customers have not applied available patches in a timely manner.
A dangerous vulnerability (CVE-2022-28762) was discovered in the macOS version of the popular video conferencing service Zoom. It allows a potential attacker to connect to and control applications on a vulnerable system. Its CVSS score is 7.3. Zoom developers describe the issue as follows:
“The macOS version of the Zoom client (both standard and administrator) contains an incorrect configuration of the debug port. The bug affects versions 5.10.6 through 5.12.0. The local port opens when the context rendering mode, the Zoom Apps Layers API, is enabled. An attacker can use the debug port to connect and control applications in the Zoom client.”
We recommend that all Zoom users with vulnerable macOS versions install the patch promptly.
Cisco fixed a number of serious flaws in its identity, email, and web security applications. The most serious one affects the web management interface of the Cisco Identity Services Engine (ISE), a security policy management platform that provides secure network access for end users and devices. The bug is tracked as CVE-2022-20961 and has a CVSS score of 8.8. A remote attacker who is not authenticated and who convinces a user to click a malicious link could exploit the flaw to conduct a cross-site request forgery (CSRF) attack and then execute arbitrary commands on a vulnerable device with the privileges of the targeted user.
Another serious vulnerability, CVE-2022-20956 (CVSS score 7.1), is caused by improper access control in the same ISE web management interface. An attacker can exploit the flaw by sending specially crafted HTTP requests to vulnerable devices in order to list, download, and delete files that they should not have access to. According to Cisco PSIRT, there is already an experimental exploit code for this vulnerability on the network.
Cisco also fixed SQL Injection vulnerability CVE-2022-20867 and privilege escalation vulnerability CVE-2022-20868 in its ESA, Cisco Secure Email, and Web Manager Next Generation Management products.
In addition, we now have a patch for two Cisco AnyConnect for Windows vulnerabilities (CVE-2020-3433 and CVE-2020-3153) that are being exploited in the wild. These security flaws enable local attackers to perform DLL hijacking attacks and copy files to system directories with system-level privileges.
How To Efficiently Patch All of These Vulnerabilities And More
Want to learn about newly released updates as soon as they are available? With Action1 RMM, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.
Get started today and use Action1 RMM on 100 endpoints free of charge with no functionality limitations.