Microsoft resolved two lingering Exchange Server vulnerabilities, but administrators will have several Windows zero-days to contend with this month.
In total, Microsoft addressed 81 CVEs for November Patch Tuesday, with 16 vulnerabilities coming from previous months that were either re-released or updated to include new information. Ten CVEs were rated critical. There were two publicly disclosed vulnerabilities, one of which was also under active exploit.
Two Exchange Server zero-days from September get patches
Last month, Microsoft issued advice for Exchange admins to thwart attacks originating from two zero-days (CVE-2022-41040 and CVE-2022-41082) on the on-premises email platform that the company disclosed on Sept. 29. On November Patch Tuesday, Microsoft released security updates that it recommends administrators apply as soon as possible.
“Because we are aware of active exploits of related vulnerabilities (limited targeted attacks), our recommendation is to install these updates immediately to be protected against these attacks,” Microsoft’s Exchange team wrote in its blog.
The pair of vulnerabilities, dubbed ProxyNotShell by a security researcher, affected Microsoft Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019. Microsoft stipulated that earlier mitigation efforts were temporary and admins should deploy the November 2022 security updates for Exchange Server as soon as possible.
Microsoft patches four Windows zero-days
In addition to the Exchange zero-days, Microsoft resolved four actively exploited vulnerabilities affecting the Windows OS.
A Windows Cryptography Next Generation (CNG) Key Isolation Service elevation-of-privilege vulnerability (CVE-2022-41125), rated important, affects Windows 8.1, Windows Server 2012, and later editions of the Windows OS. Microsoft noted that a successful exploit of the bug could gain system privileges to hand over complete ownership of the OS to the attacker.
“System level means you’re at the base level of the OS. You get additional capabilities that even an admin doesn’t directly have. The attacker may be able to manipulate things like services,” said Chris Goettl, vice president of product management for security products at Ivanti, an IT asset and endpoint management company.
A Windows Print Spooler elevation-of-privilege vulnerability (CVE-2022-41073) rated important affects all supported Windows OSes. The fallout from the 2021 PrintNightmare situation placed restrictions on Windows print drivers, which means any Microsoft patch for the print spooler requires closer scrutiny from the IT staff. But when Patch Tuesday involves several actively exploited vulnerabilities, administrators will want to get immediate feedback from their testing groups.
“It’s best to get those test groups rolling quickly and maybe even reach out to them directly and validate their systems are functioning properly to push this OS update out faster this month,” said Goettl.
A Windows Mark of the Web security-feature bypass vulnerability (CVE-2022-41091), rated important, refers to a security feature in the OS that puts a security-risk tag on Microsoft Office files with macros downloaded from the internet until the user marks it as trusted. This flaw is also publicly disclosed.
Another Mark of the Web vulnerability (CVE-2022-41049) has the same severity rating and CVSS number of 5.4 but is not actively exploited. While relatively innocuous, these vulnerabilities prove valuable to a threat actor who understands how to build a coordinated attack with several bugs.
“Now I own your box, and then I’m going to start to do things like move laterally throughout your environment and set up shop,” Goettl said.
The last zero-day is a Windows Scripting Languages remote-code execution vulnerability (CVE-2022-41128), rated critical, which has the highest CVSS rating this month at 8.8. It’s the most likely to be exploited. This bug affects the JScript9 scripting language in all supported Windows OS versions.
Other security updates of note for November Patch Tuesday
The other publicly disclosed vulnerability (CVE-2022-37972) is a Microsoft Endpoint Configuration Manager spoofing vulnerability. Initially published on Sept. 20, Microsoft made an informational change by updating the CVSS score for the affected products.
“Environments using versions of Configuration Manager current branch prior to [version] 2103 are encouraged to update to a later supported version. Administrators can also disable use of automatic and manual client push installation methods to remove the risk of exposure to this issue,” Microsoft wrote in its CVE notes.
Windows domain controllers will require extra attention this month. In addition to applying a patch for a Windows Kerberos elevation-of-privilege vulnerability (CVE-2022-37967), rated critical, administrators should follow the guidance in knowledge base article KB5020805 to plan for the phased rollout of Kerberos protocol changes. Admins need to test systems before the July 2023 deadline puts domain controllers into an Enforcement mode that will block connections from non-compliant devices.
Similarly, knowledge base article KB5021130 — which refers to the Netlogon RPC elevation-of-privilege vulnerability (CVE-2022-38023) — details the deployment schedule for Netlogon protocol changes. In April 2023, Enforcement mode on Windows domain controllers will block vulnerable connections from non-compliant devices.