Microsoft released a relatively low number of security updates on Patch Tuesday yesterday, but six of the CVEs are being actively exploited in the wild.
Among these are the so-called “ProxyNotShell” bugs in Microsoft Exchange Server first revealed in September. Elevation of privilege vulnerability CVE-2022-41040 and remote code execution (RCE) bug CVE-2022-41082 are being exploited by Chinese threat actors, according to Automox senior product manager, Preetham Gurram.
“We recommend applying patches within 24 hours if you have vulnerable on-prem or hybrid exchange servers where temporary mitigation has not been applied,” he said.
The other zero-days ready for patching this month include critical RCE vulnerability CVE-2022-41128, which impacts the JScript9 scripting language, and CVE-2022-41073, which affects Windows Print Spooler.
CVE-2022-41125 is a privilege escalation vulnerability affecting the Windows Next-Generation Cryptography (CNG) Key Isolation service, while CVE-2022-41091 is described as a Windows Mark of the Web (MotW) security feature bypass vulnerability and was widely publicized in October.
The work for Exchange Server customers doesn’t end with patching the ProxyNotShell CVEs, according to Rapid7 lead product manager, Greg Wiseman.
“Four other CVEs affecting Exchange Server have also been addressed this month. Three are rated as important, and CVE-2022-41080 is another privilege escalation vulnerability considered critical,” he explained.
“Customers are advised to update their Exchange Server systems immediately, regardless of whether any previously recommended mitigation steps have been applied. The mitigation rules are no longer recommended once systems have been patched.”
Microsoft also released a non-CVE security advisory this month; its third of the year.
ADV220003 is a “defense-in-depth” update for Microsoft Office 2013 and 2016.
According to Wiseman, it “improves validation of documents protected via Microsoft’s Information Rights Management (IRM) technology – a feature of somewhat dubious value.”
Microsoft fixed a total of 68 vulnerabilities this month, including 11 rated critical.