Patch Tuesday for November 2022
A relatively uneventful Patch Tuesday this November, the only unusual feature being a somewhat larger proportion of vulnerabilities flagged as being exploited in the wild. However, none of those are flagged as critical, meaning they either require pre-existing access to a system or heavy user interaction, i.e. the attacker would have to entice users to take some action to launch the attack.
What's notable is perhaps the absence of some long overdue fixes: the actively exploited zero-days in MS Exchange (CVE-2022-41040 and CVE-2022-41082, aka ProxyNotShell) are still unpatched. MS Exchange admins will have to rely on mitigations and various manual interventions for the foreseeable future, perhaps a subtle hint from Microsoft it's time to move to SaaS.
Notable fixes include:
CVE-2022-41128, Windows Scripting Languages Remote Code Execution Vulnerability, apparently exploited in the wild. This issue affects JScript9, which is present in all Windows versions. An attacker would have to entice a user to visit a malicious website to get code to execute on an affected system at the level of the logged-on user. This one has the potential to make it into exploit kits, but it's not clear how easy it is to exploit.
CVE-2022-41091, Windows Mark of the Web Security Feature Bypass Vulnerability: Mark of the Web (MOTW) is a useful security mechanism in Windows that applies a tag to files that originate from the internet. MOTW has been successful in suppressing some attack techniques that use email attachments (notably macro documents). Of course, MOTW is not infallible, and attackers have been finding ways to bypass the mechanism. This latest vulnerability gives attackers some additional room to exploit this attack vector, so it's no wonder it was reportedly being exploited since October. That being said, the vulnerability still requires the attacker to convince a user to take action, not much different from other attachment or drive-by download attack techniques.
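As an added example (not code from the original post), here is a PowerShell check that reports which files in a folder carry the MOTW tag, by reading the NTFS Zone.Identifier alternate data stream that MOTW is stored in; the demo folder and file names are constructed for illustration, and it assumes Windows PowerShell 3+ or PowerShell 7 on an NTFS volume.

```powershell
# Added example: list Mark-of-the-Web status of files in a folder by reading the
# NTFS Zone.Identifier alternate data stream. Assumes an NTFS volume.
$ZoneNames = @{ 0 = 'LocalMachine'; 1 = 'LocalIntranet'; 2 = 'TrustedSites';
                3 = 'Internet';     4 = 'RestrictedSites' }

function Get-MotwStatus {
    param([Parameter(Mandatory)][string]$Folder)

    Get-ChildItem -LiteralPath $Folder -File | ForEach-Object {
        $file = $_
        # The stream is absent on files that never carried MOTW or had it stripped
        # (e.g. extracted by a tool that does not propagate the tag).
        $stream = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $zoneId = $null; $referrer = $null; $hostUrl = $null
        if ($stream) {
            # Stream body is INI-style: [ZoneTransfer] followed by ZoneId=, ReferrerUrl=, HostUrl=
            foreach ($line in Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier) {
                if     ($line -match '^ZoneId=(\d+)')     { $zoneId   = [int]$Matches[1] }
                elseif ($line -match '^ReferrerUrl=(.*)') { $referrer = $Matches[1] }
                elseif ($line -match '^HostUrl=(.*)')     { $hostUrl  = $Matches[1] }
            }
        }
        $zoneName = if ($null -ne $zoneId) { $ZoneNames[$zoneId] } else { $null }
        [pscustomobject]@{
            File     = $file.Name
            HasMotw  = [bool]$stream
            Zone     = $zoneName
            HostUrl  = $hostUrl
            Referrer = $referrer
        }
    }
}

# Constructed demo: one locally created file and one file tagged as if downloaded.
$demo = Join-Path $env:TEMP ('motw-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'local.txt')    -Value 'created locally'
Set-Content -LiteralPath (Join-Path $demo 'download.txt') -Value 'pretend download'
Set-Content -LiteralPath (Join-Path $demo 'download.txt') -Stream Zone.Identifier -Value @(
    '[ZoneTransfer]', 'ZoneId=3', 'HostUrl=https://example.invalid/download.txt')

# Expected: download.txt HasMotw=True Zone=Internet; local.txt HasMotw=False
Get-MotwStatus -Folder $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

Files that arrived from outside but show HasMotw=False are the ones worth a second look, since SmartScreen and Office Protected View key off this tag.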
Two more vulnerabilities have been marked as exploited in the wild: CVE-2022-41073 and CVE-2022-41125. Both are elevation of privilege vulnerabilities and so would require pre-existing access to a system to be exploited.
Happy patching. More info here.