Patch Tuesday – November 2022

Today is once again Patch Tuesday, the second Tuesday of the month when Microsoft and other vendors push out security updates to their products. This month, Microsoft has released 63 security updates for their products. Of the 63 released by Microsoft, 8 are rated with a severity of Critical, and 54 as Important. One of the Important vulnerabilities has already been publicly disclosed and four have been observed being exploited in the wild, also known as zero-day vulnerabilities. Of the eight Critical vulnerabilities patched this month, three are for Elevation of Privileges (two for Kerberos and one for Exchange), four are all Remote Code Execution (RCE) vulnerabilities (three for the Windows Point-to-Point Tunneling protocol and one that effects the Jscript scripting language), and the last is Denial-of-Service (DoS) in Windows Hyper-V.

The four vulnerabilities previously exploited in the wild include CVE-2022-41073, CVE-2022-41091, CVE-2022-41125, and CVE-2022-41128.

CVE-2022-41073 is a privilege escalation vulnerability in the Windows Print Spooler. An attacker who already has access to a system can use this vulnerability to gain SYSTEM privileges on the target. This is the latest in a long list of vulnerabilities targeting the Windows Print Spooler starting last summer with Print Nightmare (CVE-2021-34527).

CVE-2022-41125 is a privilege escalation vulnerability in the Windows CNG Key Isolation Service. The Windows CNG Key Isolation Service is a service in windows that securely stores and uses long-lived keys that are used by the Winlogon service to authenticate users. For Example, this service may store a wireless network key. If successfully exploited, this vulnerability can be used by an attacker to gain SYSTEM level privileges on a target system.

Microsoft describes CVE-2022-41128 and CVE-2022-41118 as “Windows Scripting Languages Remote Code Execution” vulnerabilities. These effect the scripting engine that handles processing the Jscript scripting language. Exploiting this vulnerability requires an attack to have a malicious server in place hosting malicious Jscript and convincing a user to access the malicious URL.

In February, Microsoft announced a new security feature in Microsoft Office that disables the ability to run macros on files downloaded from the Internet. This feature uses another feature built into Windows known as the Mark of the Web (MoTW). The MoTW is a file attribute automatically set for each file downloaded from the Internet. For years, threat actors have used malicious VBA macros embedded in Office documents as a means for initial access via phishing campaigns. The update to Office made earlier this year requires a user remove the MoTW if they wish to run macros, rather than simply clicking on “Enable Content” after the file is opened which was the previous behavior. We quickly saw threat actors looking for methods of bypassing this feature using file formats that allow you to package other files inside such as ZIP or ISO files, such as the Parcel RAT sample we examined earlier this year. Microsoft released info on and patched two CVEs relevant to these MoTW bypasses, CVE-2022-41091 and CVE-2022-41049. These patches should force Windows to preserve the MoTW attribute on files extracted from packaged files when it wasn’t being preserved before.

For a full break down of all the patches released this month, we recommend you check out the Patch Tuesday Dashboard by Morphus Labs. Also refer to the table below for all the relevant Microsoft KB articles.