Microsoft patches 6 zero-days under active exploit

It’s the second Tuesday of the month, and that means it’s Update Tuesday, the monthly release of security patches for almost all Microsoft-supported software. This time around, the software maker has identified six zero-days under active exploitation in the wild, along with a wide range of other vulnerabilities that pose a threat to end users.
Two of the zero-days are high-risk Exchange vulnerabilities that, when chained together, allow attackers to execute malicious code on servers. The vulnerabilities, tracked as CVE-2022-41040 and CVE-2022-41082, came to light in September. At the time, researchers in Vietnam reported that they were being used to infect on-premises Exchange servers with web shells, text-based interfaces that allow people to execute commands remotely.
The vulnerabilities, known collectively as ProxyNotShell, affect on-premises Exchange servers. Shodan searches performed when the zero-days became publicly known showed that nearly 220,000 servers were exposed. Microsoft said in early October that it was aware of only one threat actor exploiting the vulnerabilities and that the attacker had targeted fewer than 10 organizations. The threat actor is fluent in simplified Chinese, which suggests a connection to China.
The third zero-day is CVE-2022-41128, a critical Windows vulnerability that also allows a threat actor to remotely execute malicious code. The vulnerability, which is triggered when a vulnerable device connects to a malicious server, was discovered by Clément Lecigne of Google’s Threat Analysis Group. Since TAG tracks nation-state-backed hacking, the discovery likely means that government-backed hackers are behind the zero-day exploits.
Two more zero-days are privilege escalation vulnerabilities, a class of flaw that, when combined with a separate vulnerability or used by someone who already has limited privileges on a device, raises those rights to the level required to install code, access passwords, and take control of the device. As the security of applications and operating systems has improved over the past decade, such elevation-of-privilege (EoP) vulnerabilities have grown in importance.
CVE-2022-41073 affects Microsoft’s print spooler, while CVE-2022-41125 resides in the Windows CNG Key Isolation Service. Both EoP vulnerabilities were discovered by the Microsoft Security Threat Intelligence team.
The last zero-day fixed this month is also in Windows. CVE-2022-41091 allows attackers to create malicious files that bypass Mark of the Web defenses, which are designed to work with security features such as Protected View in Microsoft Office. Will Dormann, senior vulnerability analyst at security firm ANALYGENCE, discovered the bypass in July.
In all, this month’s Update Tuesday release fixed a total of 68 vulnerabilities. Microsoft has given 11 of them a “Critical” severity rating, with the rest rated “Important.” Patches are normally installed automatically within approximately 24 hours. Those who want to install the updates immediately can go to Windows > Settings > Updates and Security > Windows Update. Microsoft’s complete rundown is available here.