
Update now: Microsoft’s November Patch Tuesday covers a lot of zero-days

Microsoft has patched six zero-day vulnerabilities in November’s Patch Tuesday. Eleven of the 68 vulnerabilities fixed in this month’s round of updates are considered critical.

Exchange

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available. 

Two of the zero-day vulnerabilities Microsoft patched this month are actively exploited flaws in Exchange Server: the pair known as ProxyNotShell, which went unpatched in October's release.

The Exchange Server "ProxyNotShell" vulnerabilities are CVE-2022-41040 and CVE-2022-41082. The first is a Server-Side Request Forgery (SSRF) vulnerability, the second a remote code execution (RCE) vulnerability that can be triggered when the attacker can reach the server's PowerShell endpoint. Chained together, the SSRF gives the attacker that reach. Both require authenticated access to the Exchange server, so a valid set of credentials (stolen or otherwise) is enough to make a server a target.

Add four more Exchange Server vulnerabilities to this month's menu. Three of them are rated important; the fourth, CVE-2022-41080, is an elevation of privilege vulnerability rated critical and flagged by Microsoft as exploitation more likely.
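If you cannot be certain the Exchange patch went on before attackers found the server, the IIS logs are the first place to look. The script below is an added example, not code from the article or from Microsoft: it hunts for the ProxyNotShell request shape, an autodiscover request that reaches the PowerShell backend and returns HTTP 200. The regular expression is modelled on the Select-String query Microsoft published in its ProxyNotShell mitigation guidance; the log path and the W3C field order are assumptions you should check against your own logs' `#Fields` header.

```powershell
# Added example (not from the original article): scan Exchange IIS logs for
# ProxyNotShell-style requests. The pattern is modelled on the Select-String
# query in Microsoft's ProxyNotShell mitigation guidance; $LogPath and the
# default W3C field positions below are assumptions for your environment.
param([string]$LogPath = 'C:\inetpub\logs\LogFiles')

# "powershell" and "autodiscover.json" in one request line, with an "@" in the
# query (the SSRF redirect) and a 200 status: that is the chain succeeding.
$pattern = 'powershell.*autodiscover\.json.*\@.*200'

Get-ChildItem -Path $LogPath -Recurse -Filter '*.log' |
    Select-String -Pattern $pattern |
    ForEach-Object {
        # Default IIS W3C order: date time s-ip cs-method cs-uri-stem
        # cs-uri-query s-port cs-username c-ip cs(User-Agent) ... sc-status
        $f = $_.Line -split ' '
        [pscustomobject]@{
            File     = $_.Filename
            LineNo   = $_.LineNumber
            Time     = "$($f[0]) $($f[1])"
            ClientIP = $f[8]
            Request  = "$($f[3]) $($f[4])?$($f[5])"
        }
    } | Format-Table -AutoSize
```

A hit is not proof of compromise on its own, but a successful (200) request of that shape from an external address deserves an incident response look rather than a shrug. Run it against the logs of every Exchange server, including ones you believe were not internet-facing.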

Mark of the Web

Another zero-day vulnerability we covered is CVE-2022-41091, a Windows Mark of the Web (MOTW) security feature bypass vulnerability. The MOTW security feature is responsible for helpful warnings like:

This file came from another computer and might be blocked to help protect this computer.

A researcher found that a file carrying a malformed digital signature could cause the MOTW warnings to be skipped entirely, even though the file had been downloaded from the internet.
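To see what the MOTW warnings actually depend on, it helps to look at the mark itself. Windows records it in an NTFS alternate data stream named `Zone.Identifier` attached to the downloaded file. The script below is an added example, not part of the article: it lists the files in a folder together with their zone and the URL they were fetched from. The folder path is an assumption.

```powershell
# Added example (not from the original article): list the Mark of the Web on
# the files in a folder. Windows stores MOTW in an NTFS alternate data stream
# named Zone.Identifier; ZoneId=3 (Internet) or 4 (Restricted sites) is what
# triggers the "This file came from another computer" warning. $Folder is an
# assumption for your environment.
param([string]$Folder = "$env:USERPROFILE\Downloads")

Get-ChildItem -LiteralPath $Folder -File | ForEach-Object {
    $zone = $null
    $referrer = $null
    # No Zone.Identifier stream means no MOTW; SilentlyContinue yields $null then
    $ads = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in @($ads)) {
        if ($line -match '^ZoneId=(\d+)$')     { $zone = [int]$Matches[1] }
        if ($line -match '^ReferrerUrl=(.+)$') { $referrer = $Matches[1] }
    }
    [pscustomobject]@{
        Name        = $_.Name
        ZoneId      = $zone
        HasMOTW     = ($null -ne $zone -and $zone -ge 3)
        ReferrerUrl = $referrer
    }
} | Format-Table -AutoSize
```

Two caveats. `Unblock-File` (or the "Unblock" checkbox in a file's properties) simply deletes that stream, which is why users can talk themselves past the warning. And the bypass fixed this month is not a missing stream: the mark is present, but the malformed signature made Windows skip the check, so this listing cannot detect a file that abused CVE-2022-41091; it only shows which files should have been warned about.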

Windows Scripting

A new vulnerability that could have serious consequences if you don't apply the patch is CVE-2022-41128, a Windows Scripting Languages RCE vulnerability. It affects the JScript9 scripting engine, Microsoft's implementation of JavaScript.

An attacker would have to host a specially crafted server share or website and would have to convince potential victims to visit the server share or website. This bug is being exploited in the wild.

Print Spooler

And, oh joy, another Print Spooler vulnerability. Under CVE-2022-41073 we find a Windows Print Spooler Elevation of Privilege (EoP) vulnerability. Successful exploitation could give an attacker who already has a foothold on the machine SYSTEM privileges. This bug is being exploited in the wild.

Windows CNG Key Isolation Service

That leaves us with the sixth zero-day, CVE-2022-41125, a Windows CNG Key Isolation Service EoP vulnerability that allows an attacker who successfully exploits it to gain SYSTEM privileges. This bug is also being exploited in the wild.

The CNG key isolation service provides key process isolation to private keys and associated cryptographic operations. The service stores and uses long-lived keys in a secure process.

Other vendors

As per usual, other vendors also released important updates:



ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.