Microsoft released patches to fix 68 vulnerabilities on November 2022 Patch Tuesday, 11 of which are rated critical with the remainder rated important. This round of patches includes fixes for six zero-day vulnerabilities that are being actively exploited in real-world attacks.
Two of the zero-day flaws – CVE-2022-41082 (EoP – important) & CVE-2022-41040 (RCE – critical) – have been dubbed ProxyNotShell and affect Microsoft Exchange Server. The flaws can be combined to achieve remote code execution and have been actively exploited for several months by a state-sponsored hacking group. Researchers have linked the exploits to a Chinese threat actor.
Microsoft recently issued a warning that China is likely stockpiling zero-day flaws, following a 2021 law being passed in China that requires organizations to first report software vulnerabilities to local authorities before publicly disclosing them or alerting vendors. Microsoft explained in its 2022 Digital Defense Report that the number of reported vulnerabilities from China has decreased in the year since the new law was introduced. “The increased use of zero days over the last year from China-based actors likely reflects the first full year of China’s vulnerability disclosure requirements for the Chinese security community and a major step in the use of zero-day exploits as a state priority,” said Microsoft in the report.
The other four zero days are a Windows CNG Key Isolation Service elevation of privilege vulnerability – CVE-2022-41125; a Windows Print Spooler elevation of privilege vulnerability – CVE-2022-41073; a Windows Mark of the Web security feature bypass vulnerability – CVE-2022-41091; and a critical Windows Scripting Languages remote code execution vulnerability – CVE-2022-41128.
The remaining critical vulnerabilities are
- CVE-2022-39327 – Azure code injection vulnerability
- CVE-2022-41080 – Microsoft Exchange Server elevation of privilege vulnerability
- CVE-2022-38015 – Windows Hyper-V denial of service vulnerability
- CVE-2022-37967 – Windows Kerberos elevation of privilege vulnerability
- CVE-2022-37966 – Windows Kerberos RC4-HMAC elevation of privilege vulnerability
- CVE-2022-41044 – Windows Point-to-Point Tunneling Protocol remote code execution vulnerability
- CVE-2022-41039 – Windows Point-to-Point Tunneling Protocol remote code execution vulnerability
- CVE-2022-41088 – Windows Point-to-Point Tunneling Protocol remote code execution vulnerability
- CVE-2022-41118 – Windows Scripting remote code execution vulnerability
Prompt patching is strongly recommended, with priority given to the zero-days and critical vulnerabilities.