
Black Arrow Cyber Advisory 09/11/2022 – Microsoft Patch Tuesday – Patches for multiple Zero-Days under Active Exploitation

Executive Summary

Microsoft’s November Patch Tuesday provides updates to address security issues across its product range, including several critical patches that address six actively exploited Zero-Day vulnerabilities, among them the two Exchange vulnerabilities identified in October, for which Microsoft had supplied mitigations at the time. The other Zero-Day vulnerabilities include a remote code execution vulnerability within Windows Scripting Languages, elevation of privilege vulnerabilities within the Windows Cryptography API: Next Generation (CNG) Key Isolation Service and the Windows Print Spooler, and a bypass of the Windows Mark-of-the-Web security feature. Security updates have also been released for all supported Microsoft client and server operating systems, and for other products, to tackle further issues.

What’s the risk to me or my business?

Security updates are available for all supported versions of Windows and all supported versions of Microsoft Exchange Server. As some of these updates address vulnerabilities that are known to be actively exploited, the updates should be applied as soon as possible, particularly as this release contains patches for actively exploited Zero-Days.

What can I do?

Apply the available updates from Microsoft as soon as possible, while taking into consideration any potential downtime that these updates may cause.


Technical Summary

The following is a breakdown of the six actively exploited Zero-Day vulnerabilities and the affected Microsoft products:

CVE-2022-41040: An elevation of privilege vulnerability, known as ProxyNotShell, in Microsoft Exchange Server with a CVSS 3.1 rating of 8.8, which allows an attacker holding valid standard user credentials to escalate privileges and remotely execute code.

CVE-2022-41082: An elevation of privilege vulnerability, known as ProxyNotShell, in Microsoft Exchange Server with a CVSS 3.1 rating of 8.8, which allows an attacker holding valid standard user credentials to escalate privileges and remotely execute code.

Important: the patches released by Microsoft fix these vulnerabilities, and the previously recommended mitigations no longer apply once the patch has been installed. Installation should be verified using the Exchange Server Health Checker, as recommended by Microsoft here: https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2022-exchange-server-security-updates/ba-p/3669045

CVE-2022-41128: A remote code execution vulnerability within Windows Scripting Languages with a CVSS 3.1 rating of 8.8. Exploitation requires an end user to access a malicious server share or website, which would then allow an attacker to remotely execute code on the affected endpoint. The link to such a server or site would typically be delivered through enticement in an email or chat message for the user to click the link or navigate to the server.

CVE-2022-41125: An elevation of privilege vulnerability within the Windows CNG Key Isolation service with a CVSS 3.1 rating of 7.8, which allows an attacker to gain SYSTEM privileges on the affected device.

CVE-2022-41073: An elevation of privilege vulnerability within the Windows Print Spooler service with a CVSS 3.1 rating of 7.8, which allows an attacker to gain SYSTEM privileges on the affected device.

CVE-2022-41091: A security feature bypass vulnerability within the Windows Mark-of-the-Web security feature, with a CVSS 3.1 rating of 5.4, which allows an attacker to craft a malicious file or website that evades the Mark-of-the-Web defences. The end user would have to open the file or access the malicious website for this attack to be effective.

Further details on other specific updates within this Patch Tuesday can be found here: https://www.ghacks.net/2022/11/08/microsoft-windows-security-updates-november-2022-overview/
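The advice above is to apply the updates and then verify that they landed. As an added example (not from Black Arrow or Microsoft), the following PowerShell script gathers the evidence an administrator would want for that verification on a Windows host: updates installed since the November 2022 release date, the state of the Print Spooler service named in CVE-2022-41073, and the Exchange Server build when run from the Exchange Management Shell. It assumes an elevated session; the expected Exchange build number is a placeholder to be filled in from Microsoft’s November 2022 Exchange SU release notes, since this advisory does not list build numbers.

```powershell
# Added example, not part of the advisory: post-patch verification checks.
# Assumptions: elevated PowerShell session on the host being checked; the Exchange
# section only runs when Exchange cmdlets are loaded (Exchange Management Shell).
# The release date below is the November 2022 Patch Tuesday date referenced in the advisory.
$PatchTuesday = Get-Date '2022-11-08'

# 1. Windows: list updates installed on or after Patch Tuesday.
#    An empty result means the November 2022 updates have not been applied to this host.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
    Sort-Object InstalledOn -Descending |
    Select-Object HotFixID, Description, InstalledOn

if ($recent) {
    Write-Host "Updates installed since $($PatchTuesday.ToShortDateString()):"
    $recent | Format-Table -AutoSize
} else {
    Write-Warning "No updates installed since $($PatchTuesday.ToShortDateString()); the November 2022 patches appear to be missing."
}

# 2. Print Spooler (the service affected by CVE-2022-41073): record its state so the
#    asset owner can confirm the host is in scope for the Windows update.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler) {
    Write-Host "Print Spooler service: Status=$($spooler.Status) StartType=$($spooler.StartType)"
} else {
    Write-Host "Print Spooler service not present on this host."
}

# 3. Exchange: show the running build for each server so it can be compared with the
#    November 2022 SU build. PLACEHOLDER: set this from Microsoft's release notes for
#    your Exchange version; the advisory itself does not list build numbers.
$ExpectedExchangeBuild = 'PLACEHOLDER-build-from-November-2022-SU-release-notes'

if (Get-Command Get-ExchangeServer -ErrorAction SilentlyContinue) {
    Get-ExchangeServer |
        Select-Object Name, Edition, AdminDisplayVersion |
        Format-Table -AutoSize
    Write-Host "Compare AdminDisplayVersion with the expected build ($ExpectedExchangeBuild),"
    Write-Host "then run HealthChecker.ps1 on each server as recommended in the advisory."
} else {
    Write-Host "Exchange cmdlets not loaded; run this from the Exchange Management Shell to check Exchange builds."
}
```

One caveat when reading the output: Get-HotFix is backed by the Win32_QuickFixEngineering WMI class, which does not record every kind of update, so treat an empty list as a prompt to check Windows Update history, WSUS or your endpoint management reporting rather than as proof on its own. For Exchange, the build shown by Get-ExchangeServer is the quick check; the Health Checker script the advisory points to remains the authoritative confirmation that the security update installed correctly.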

Need help understanding your gaps, or just want some advice? Get in touch with us.