Microsoft Squashes Zero-Day, Actively Exploited Bugs in Dec. Replace

Microsoft has launched fixes for 48 new vulnerabilities throughout its merchandise, together with one which attackers are actively exploiting and one other that has been publicly disclosed however is just not below energetic exploit now.

Six of the vulnerabilities that the corporate patched in its closing month-to-month safety replace for the yr are listed as essential. It assigned an essential severity score to 43 vulnerabilities and gave three flaws a reasonable severity evaluation. 

Microsoft’s replace consists of patches for out-of-band CVEs it addressed over the previous month, plus 23 vulnerabilities in Google’s Chromium browser expertise, on which Microsoft’s Edge browser relies.

Actively Exploited Safety Bug

The flaw that attackers are actively exploiting (CVE-2022-44698) is just not among the many extra essential of the bugs for which Microsoft launched patches right now. The flaw provides attackers a solution to bypass the Home windows SmartScreen safety characteristic for safeguarding customers towards malicious information downloaded from the Web. 

“An attacker can craft a malicious file that might evade Mark of the Internet (MOTW) defenses, leading to a restricted lack of integrity and availability of security measures comparable to Protected View in Microsoft Workplace, which depend on MOTW tagging,” Microsoft mentioned.

CVE-2022-44698 presents solely a comparatively small danger for organizations, says Kevin Breen, director of cyber-threat analysis at Immersive Labs. “It must be utilized in partnership with an executable file or different malicious code like a doc or script file,” Breen says. “In these conditions, this CVE bypasses a few of Microsoft’s built-in fame scanning and detection — particularly SmartScreen, which might usually pop as much as inform a consumer the file might not be secure.” 

On the similar time, customers shouldn’t underestimate the risk and may patch the problem shortly, Breen recommends.

Microsoft described one other flaw — an elevation of privilege difficulty within the DirectX Graphics kernel — as a publicly recognized zero-day however not below energetic exploit. The corporate assessed the vulnerability (CVE-2022-44710) as being “Vital” in severity and one that might permit an attacker to achieve system-level privileges if exploited. Nevertheless, the corporate described the flaw as one which attackers are much less prone to exploit.

Vulnerabilities to Patch Now

Pattern Micro’s ZDI flagged three different vulnerabilities within the December Patch Tuesday safety replace as being important: CVE-2022-44713, CVE-2022-41076, and CVE-2022-44699.

CVE-2022-44713 is a spoofing vulnerability in Microsoft Outlook for Mac. The vulnerability permits an attacker to seem as a trusted consumer and trigger a sufferer to mistake an e-mail message as if it got here from a professional consumer. 

“We do not typically spotlight spoofing bugs, however anytime you are coping with a spoofing bug in an e-mail consumer, you must take discover,” ZDI’s head of risk consciousness Dustin Childs mentioned in a weblog submit. The vulnerability might show particularly troublesome when mixed with the aforementioned SmartScreen MoTW bypass flaw that attackers are actively exploiting, he mentioned.

CVE-2022-41076 is a PowerShell distant code execution (RCE) vulnerability that enables an authenticated attacker to flee the PowerShell Remoting Session Configuration and run arbitrary instructions on an affected system, Microsoft mentioned. 

The corporate assessed the vulnerability as one thing that attackers are extra possible compromise, though assault complexity itself is excessive. In accordance with Childs, organizations ought to concentrate the vulnerability as a result of it’s the kind of flaw that attackers typically exploit when trying to “dwell off the land” after gaining preliminary entry on a community. 

“Undoubtedly don’t ignore this patch,” Childs wrote.

And at last, CVE-2022-44699 is one other safety bypass vulnerability — this time in Azure Community Watcher Agent — that, if exploited, might have an effect on a company’s means to seize logs wanted for incident response. 

“There may not be many enterprises counting on this instrument, however for these utilizing this [Azure Network Watcher] VM extension, this repair must be handled as essential and deployed shortly,’ Childs mentioned.

Researchers with Cisco Talos recognized three different vulnerabilities as essential and points that organizations want to deal with instantly. Certainly one of them is CVE-2022-41127, an RCE vulnerability that impacts Microsoft Dynamics NAV and on-premises variations of Microsoft Dynamics 365 Enterprise Central. A profitable exploit might permit an attacker to execute arbitrary code on servers working Microsoft’s Dynamics NAV ERP utility, Talos researchers mentioned in a weblog submit. 

The opposite two vulnerabilities that the seller considers to be of excessive significance are CVE-2022-44670 and CVE-2022-44676, each of that are RCE flaws within the Home windows Safe Socket Tunneling Protocol (SSTP). 

“Profitable exploitation of those vulnerabilities requires an attacker to win a race situation however might allow an attacker to remotely execute code on RAS servers,” in response to Microsoft’s advisory.

Among the many vulnerabilities that the SANS Web Storm Heart recognized as essential are (CVE-2022-41089), an RCE within the .NET Framework, and (CVE-2022-44690) in Microsoft SharePoint Server.

In a weblog submit, Mike Walters, vp of vulnerability and risk analysis at Action1 Corp., additionally pointed to a Home windows Print Spooler elevation of privilege vulnerability (CVE-2022-44678), as one other difficulty to look at. 

“The newly resolved CVE-2022-44678 is almost definitely to be exploited, which might be true as a result of Microsoft mounted one other zero-day vulnerability associated to Print Spooler final month,” Walters mentioned. “The danger from CVE-2022-44678 is similar: an attacker can get SYSTEM privileges after profitable exploitation — however solely regionally.”

A Complicated Bug Depend

Curiously, a number of distributors had totally different takes on the variety of vulnerabilities that Microsoft patched this month. ZDI, as an illustration, assessed that Microsoft patched 52 vulnerabilities; Talos pegged the quantity at 48, SANS at 74, and Action1 initially had Microsoft patching 74, earlier than revising it all the way down to 52.

Johannes Ullrich, dean of analysis for the SANS Know-how Institute, says the problem has to do with the alternative ways one can depend the vulnerabilities. Some, as an illustration, embody Chromium vulnerabilities of their depend whereas others don’t. 

Others, like SANS, additionally embody safety advisories that typically accompany Microsoft updates as vulnerabilities. Microsoft additionally typically releases patches in the course of the month, which it additionally consists of within the following Patch Tuesday replace, and a few researchers do not depend these. 

“The patch depend can typically be complicated, because the Patch Tuesday cycle is technically November to December, so this may even embody patches that have been launched out of band earlier within the month, and also can embody updates from third social gathering distributors,” Breen says. “Probably the most notable of those are patches from Google from Chromium, which is the bottom for Microsoft’s Edge browser.”
Breen says by his depend there are 74 vulnerabilities patched because the final Patch Tuesday in November. This consists of 51 from Microsoft and 23 from Google for the Edge browser. 

“If we exclude each the out-of-band and Google Chromium [patches], 49 patches for vulnerabilities have been launched right now,” he says.

A Microsoft spokesman says the variety of new CVEs for which the corporate issued patches right now was 48.