Patch Tuesday November’s Patch Tuesday also falls on election day in the US, so let’s hope that democracy fares better than Microsoft, which reported six of today’s bugs are already being exploited in the wild by miscreants.
Another 22 vulnerabilities in the Windows giant’s products have been labeled “more likely to be exploited” than not. Also, shockingly, Adobe skipped the monthly patch party. “Heads-up that Adobe does not have regularly scheduled updates planned for today,” a spokesperson told The Register.
Back to Microsoft: Redmond rated 11 vulnerabilities in its code as critical CVE-listed holes with the rest deemed important. It also appears to have finally fixed (fingers crossed) the two Exchange Server bugs dubbed ProxyNotShell that have been exploited as far back as August.
Let’s start with the two long-awaited Exchange fixes. CVE-2022-41028 is a remote code execution (RCE) vulnerability and CVE-2022-41040 is a server-side request forgery bug. Both can be exploited together to run PowerShell commands on a vulnerable system and take control of it.
Since late September, Redmond has issued several mitigation updates, though all of these temporary fixes have been bypassed by security researchers. Let’s hope the November plugs do the trick.
CVE-2022-41128, another RCE bug in the JScript9 scripting language engine, has also been exploited by miscreants, according to Microsoft, so we’d suggest patching this one next.
To exploit it, an attacker would need to trick a user running an unpatched version of Windows into visiting a specially crafted server share or website, probably using a phishing link or download. At that point, the attacker can run arbitrary code on the affected system with the user’s level of privileges.
“Microsoft provides no insight into how widespread this may be but considering it’s a browse-and-own type of scenario, I expect this will be a popular bug to include in exploit kits,” Zero Day Initiative’s Dustin Childs noted.
Another now-patched bug listed under active exploit, CVE-2022-41091, is a Windows Mark of the Web (MotW) bypass vulnerability. This fix seems to address at least one of the MotW flaws we’ve previously highlighted, which have been abused in the wild.
MotW is supposed to identify a file as being sourced from the internet, so when a user opens it, extra security defenses trigger, such as a warning to the user.
But there are ways around it, allowing malicious stuff that should be caught by Microsoft’s defenses to carry on as if it’s all above board. Indeed, exploiting CVE-2022-41091 involves tricking a victim into opening “a malicious file that would evade Mark of the Web defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MotW tagging,” Redmond explained.
Vulnerability guru Will Dormann has been tweeting about this type of flaw since July, and today went into more detail about this particular vulnerability and how it could be abused. Ted teamer Kuba Gretzky also published an in-depth analysis of the bug; it’s a good idea to patch ASAP.
Finally, CVE-2022-41073, a Windows print spooler elevation of privilege bug, and CVE-2022-41125, a Windows CNG key isolation service elevation of privilege vulnerability, round out the last of the Microsoft flaws being exploited in the wild.
If the print spooler bug sounds familiar, it should — remember PrintNightmare?
“The print spooler has been a popular target for vulnerabilities in the last 12 months, with this marking the ninth patch,” Kev Bream, Immersive Labs’ director of cyber threat research told The Register. Successful exploit of CVE-2022-41125 could give an attacker SYSTEM privileges.
“These kinds of privilege escalation vulnerabilities are almost always seen as a follow up to an initial compromise where threat actors will next seek to gain SYSTEM or Domain level access,” Bream added. “This higher level of access is required to disable or tamper with security monitoring tools before running credential attacks with tools like mimikatz that can allow attackers to move laterally across a network.”
SAP
SAP released nine new patches and two updates to earlier fixes, including three Hot News (aka critical priority) notes.
The worst of the bunch is a 9.9-rated critical vulnerability in SAP BusinessObjects tracked as CVE-2022-41203, which can lead to full compromise of the affected systems, so we’d suggested giving this one top priority.
“The only reason why this vulnerability is not tagged with the maximum CVSS score of 10 is because it requires the attacker to have a minimum set of privileges in order to exploit it,” Onapsis’ security researcher Thomas Fritsch wrote.
A second Hot News note fixes two vulnerabilities, CVE-2021-20223 and CVE-2022-35737, with former being the more critical one with a 9.8 CVSS score.
“This vulnerability enabled a remote attacker with minimal privileges to exploit the fact that SQLite treated NULL characters as tokens,” Fritsch explained. “This had the potential for considerable impact on confidentiality, integrity, and availability of all applications using SAPUI5.”
The final Hot News note fixes CVE-2022-41204, an account hijacking vulnerability in SAP Commerce that received a 9.6 CVSS score. It was originally released last month, so if you patched it then you don’t need to take any action related to the updated note.
Intel and AMD
Intel, which hasn’t released any security updates since August, joined in November’s patchapalooza with 24 security advisories addressing 57 CVEs.
The most serious bugs of the bunch exist in some Intel NUC BIOS firmware, and may allow of escalation of privilege or denial of service. There’s 13 in total, and 12 of them are ranked high severity, with CVSS scores between 8.2 and 7.0 out of 10 in severity. Lucky No. 13 is considered medium, with a 5.2 CVSS score.
AMD, meanwhile, issued a Spectre-related fix (severity medium), closed holes in its graphics drivers (severity high and medium), squashed crash bugs in its profiling tools, and patched its Android app for streaming video to devices.
Google Android
Google this week announced it fixed multiple vulnerabilities in its Android OS, none of which have been exploited in the wild — at least not that it knows of.
The most severe of these flaws was in the Framework component and could lead to local escalation of privilege with no additional execution privileges needed.
“Depending on the privileges associated with the exploited component, an attacker could then install programs; view, change, or delete data; or create new accounts with full rights,” according to a Center for Internet Security advisory.
Citrix
Citrix disclosed three bugs in the Citrix Gateway and Citrix ADC. One of these, tracked as CVE-2022-27510, is a critical authentication bypass flaw.
“Note that only appliances that are operating as a Gateway (appliances using the SSL VPN functionality or deployed as an ICA proxy with authentication enabled) are affected by the [CVE-2022-27510] issue, which is rated as a critical severity vulnerability,” according to the advisory.
It is understood this critical flaw can be exploited by an unauthenticated user to run published apps as a logged in, authenticated user.
Apple
And finally Apple released Xcode 14.1 with several security updates for macOS Monterey 12.5 and later. ®