Microsoft fixes many zero-days under attack

November 2022 Patch Tuesday is here, with fixes for many vulnerabilities actively exploited in the wild, including CVE-2022-41091, a Windows Mark of the Web bypass flaw, and the ProxyNotShell MS Exchange vulnerabilities.

Fixes to prioritize

CVE-2022-41091 is a Windows zero-day vulnerability that allows attackers to bypass the Mark of the Web (MOTW) security feature. They can craft a malicious file triggering the flaw and deliver it either via a malicious or compromised website or via email or instant message.

“In all cases an attacker would have no way to force a user to view attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could entice a user to either click a link that directs the user to the attacker’s site or send a malicious attachment,” Microsoft says, but it has nevertheless been successfully exploited by different attackers in the wild.

And, according to Beaumont, another MOTW bypass vulnerability (CVE-2022-41049) fixed this Patch Tuesday is being exploited in the wild – though Microsoft didn’t confirm it.

Then there’s CVE-2022-41128, a remote code execution flaw in Windows Scripting Languages.

“An attack would need to lure a user to either a specially crafted website or server share. In doing so, they would get their code to execute on an affected system at the level of the logged-on user,” commented Dustin Childs, with Trend Micro’s Zero Day Initiative.

“Microsoft provides no insight into how widespread this may be but considering it’s a browse-and-own type of scenario, I expect this will be a popular bug to include in exploit kits.”

Also under active exploitation: CVE-2022-41073, a Windows Print Spooler elevation of privilege (EoP) bug reported by Microsoft’s own threat intelligence analysts, and CVE-2022-41125, an EOP in the Windows CNG Key Isolation Service.

What else?

Obviously, the “ProxyNotShell” Microsoft Exchange Server flaws need to be patched as soon as possible due to in-the-wild exploitation, and the fact that Microsoft has stumbled with the provided mitigations.

“It’s been over a month since these flaws were disclosed. While the impact of ProxyNotShell is limited due to the authentication requirement, the fact that it has been exploited in the wild and that attackers are capable of obtaining valid credentials still make these important flaws to patch,” commented Satnam Narang, senior staff research engineer at Tenable.

Childs also noted that Microsoft has fixed four additional bugs in Exchange Server this month. “I have a strong premonition many Exchange administrators have a long weekend in front of them,” he added.

Finally, CVE-2022-38023 (an EoP flaw in Netlogon RPC) is not being exploited, but a fix for it should be implemented before Microsoft enforces the necessary updates in July 2023.

UPDATE (November 8, 2022, 17:05 a.m. ET):

This article has been amended to clear up potential confusion between the two fixed MOTW bypass flaws.