Login
Let’s face it: Having “2022 election” in the headline above is probably the only reason anyone might read this story today. Still, while most of us here in the United States are anxiously awaiting the results of how well we’ve patched our Democracy, it seems fitting that Microsoft Corp. today released gobs of security patches for its ubiquitous Windows operating systems. November’s patch batch includes fixes for a whopping six zero-day security vulnerabilities that miscreants and malware are already exploiting in the wild.
Probably the scariest of the zero-day flaws is CVE-2022-41128, a “critical” weakness in the Windows scripting languages that could be used to foist malicious software on vulnerable users who do nothing more than browse to a hacked or malicious site that exploits the weakness. Microsoft credits Google with reporting the vulnerability, which earned a CVSS score of 8.8.
CVE-2022-41073 is a zero-day flaw in the Windows Print Spooler, a Windows component that Microsoft has patched mightily over the past year. Kevin Breen, director of cyber threat research at Immersive Labs, noted that the print spooler has been a popular target for vulnerabilities in the last 12 months, with this marking the 9th patch.
The third zero-day Microsoft patched this month is CVE-2022-41125, which is an “elevation of privilege” vulnerability in the Windows Cryptography API: Next Generation (CNG) Key Isolation Service, a service for isolating private keys. Satnam Narang, senior staff research engineer at Tenable, said exploitation of this vulnerability could grant an attacker SYSTEM privileges.
The fourth zero-day, CVE-2022-41091, was previously disclosed and widely reported on in October. It is a Security Feature Bypass of “Windows Mark of the Web” – a mechanism meant to flag files that have come from an untrusted source.
The other two zero-day bugs Microsoft patched this month were for vulnerabilities being exploited in Exchange Server. News that these two Exchange flaws were being exploited in the wild surfaced in late September 2022, and many were surprised when Microsoft let October’s Patch Tuesday sail by without issuing official patches for them (the company instead issued mitigation instructions that it was forced to revise multiple times). Today’s patch batch addresses both issues.
Greg Wiseman, product manager at Rapid7, said the Exchange flaw CVE-2022-41040 is a “critical” elevation of privilege vulnerability, and CVE-2022-41082 is considered Important, allowing Remote Code Execution (RCE) when PowerShell is accessible to the attacker.
“Both vulnerabilities have been exploited in the wild,” Wiseman said. “Four other CVEs affecting Exchange Server have also been addressed this month. Three are rated as Important, and CVE-2022-41080 is another privilege escalation vulnerability considered Critical. Customers are advised to update their Exchange Server systems immediately, regardless of whether any previously recommended mitigation steps have been applied. The mitigation rules are no longer recommended once systems have been patched.”
Adobe usually issues security updates for its products on Patch Tuesday, but it did not this month. For a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.
As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.
Microsoft Corp. is investigating reports that attackers are exploiting two previously unknown vulnerabilities in Exchange Server, a technology many organizations rely on to send and receive email. Microsoft says it is expediting work on software patches to plug the security holes. In the meantime, it is urging a subset of Exchange customers to enable a setting that could help mitigate ongoing attacks.
In customer guidance released Thursday, Microsoft said it is investigating two reported zero-day flaws affecting Microsoft Exchange Server 2013, 2016, and 2019. CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability that can enable an authenticated attacker to remotely trigger the second zero-day vulnerability — CVE-2022-41082 — which allows remote code execution (RCE) when PowerShell is accessible to the attacker.
Microsoft said Exchange Online has detections and mitigation in place to protect customers. Customers using on-premises Microsoft Exchange servers are urged to review the mitigations suggested in the security advisory, which Microsoft says should block the known attack patterns.
Vietnamese security firm GTSC on Thursday published a writeup on the two Exchange zero-day flaws, saying it first observed the attacks in early August being used to drop “webshells.” These web-based backdoors offer attackers an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser.
“We detected webshells, mostly obfuscated, being dropped to Exchange servers,” GTSC wrote. “Using the user-agent, we detected that the attacker uses Antsword, an active Chinese-based opensource cross-platform website administration tool that supports webshell management. We suspect that these come from a Chinese attack group because the webshell codepage is 936, which is a Microsoft character encoding for simplified Chinese.”
GTSC’s advisory includes details about post-compromise activity and related malware, as well as steps it took to help customers respond to active compromises of their Exchange Server environment. But the company said it would withhold more technical details of the vulnerabilities for now.
In March 2021, hundreds of thousands of organizations worldwide had their email stolen and multiple backdoor webshells installed, all thanks to four zero-day vulnerabilities in Exchange Server.
Granted, the zero-day flaws that powered that debacle were far more critical than the two detailed this week, and there are no signs yet that exploit code has been publicly released (that will likely change soon). But part of what made last year’s Exchange Server mass hack so pervasive was that vulnerable organizations had little or no advance notice on what to look for before their Exchange Server environments were completely owned by multiple attackers.
Microsoft is quick to point out that these zero-day flaws require an attacker to have a valid username and password for an Exchange user, but this may not be such a tall order for the hackers behind these latest exploits against Exchange Server.
Steven Adair is president of Volexity, the Virginia-based cybersecurity firm that was among the first to sound the alarm about the Exchange zero-days targeted in the 2021 mass hack. Adair said GTSC’s writeup includes an Internet address used by the attackers that Volexity has tied with high confidence to a China-based hacking group that has recently been observed phishing Exchange users for their credentials.
In February 2022, Volexity warned that this same Chinese hacking group was behind the mass exploitation of a zero-day vulnerability in the Zimbra Collaboration Suite, which is a competitor to Microsoft Exchange that many enterprises use to manage email and other forms of messaging.
If your organization runs Exchange Server, please consider reviewing the Microsoft mitigations and the GTSC post-mortem on their investigations.
FreshRSS 