Microsoft fixes exploited zero-day, revokes certificate used to sign malicious drivers (CVE-2022-44698)

It’s December 2022 Patch Tuesday, and Microsoft has delivered fixes for 50+ vulnerabilities, including a Windows SmartScreen bypass flaw (CVE-2022-44698) exploited by attackers to deliver a variety of malware.

CVE-2022-44698

CVE-2022-44698 affects all Windows OS versions starting from Windows 7 and Windows Server 2008 R2.

“The vulnerability has low complexity. It uses the network vector, and requires no privilege escalation. However, it does need user interaction; attackers need to dupe a victim into visiting a malicious website through phishing emails or other forms of social engineering to exploit the security feature bypass,” Mike Walters, VP of Vulnerability and Threat Research at Action1, told Help Net Security.

“A threat actor can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features, which rely on MOTW tagging – for example, ‘Protected View’ in Microsoft Office. This zero-day has a moderate CVSS risk score of 5.4, because it only helps to avoid the Microsoft Defender SmartScreen defense mechanism, which has no RCE or DoS functionality.”

Other fixed vulnerabilities of note

CVE-2022-41076 is a PowerShell RCE that can be triggered by attackers that don’t have elevated privileges, but have to take additional actions prior to exploitation to prepare the target environment.

“An authenticated attacker could escape the PowerShell Remoting Session Configuration and run unapproved commands on the target system,” Microsoft explained. Given that this scripting tool is often abused by attackers, everybody should prioritize this fix.

Trend Micro‘s Dustin Childs also singled out CVE-2022-44713, a spoofing vulnerability affecting Microsoft Outlook for Mac, as potentially very dangerous and ideal for phishers.

“This vulnerability could allow an attacker to appear as a trusted user when they should not be. Now combine this with the SmartScreen Mark of the Web bypass and it’s not hard to come up with a scenario where you receive an e-mail that appears to be from your boss with an attachment entitled ‘Executive_Compensation.xlsx’. There aren’t many who wouldn’t open that file in that scenario,” he noted.

SharePoint admins should fix two RCEs (CVE-2022-44690 and CVE-2022-44693) that, luckily, require special permissions and pre-exploit authentication.

Maliciously used drivers signed by Microsoft

In late October, Microsoft has been alerted to the fact that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity related to (Cuba) ransomware attacks.

“In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers,” Microsoft noted.

Microsoft’s investigation into the matter has revealed that several developer accounts for the Microsoft Partner Center were submitting malicious drivers in an attempt to get them signed by Microsoft, so they could terminate EDR agents on targeted endpoints.

“We’ve suspended the partners’ seller accounts and implemented blocking detections to help protect customers from this threat,” the company said.

“Microsoft has released Windows Security Updates revoking the certificate for impacted files and suspended the partners’ seller accounts. Additionally, Microsoft has implemented blocking detections (Microsoft Defender 1.377.987.0 and newer) to help protect customers from legitimately signed drivers that have been used maliciously in post-exploit activity.”

Users and admins are advised to install the latest Windows updates and ensure their anti-virus and endpoint detection products are up to date and enabled.

Following the release of these updates and the advisory, Mandiant, Sophos and SentinelOne published their research into this particular attack avenue.

“Several distinct malware families, associated with distinct threat actors, have been signed with this process,” Mandiant researchers said, noting that they “identified at least nine unique organization names associated with attestation signed malware.”