Microsoft Squashes Zero-Day, Actively Exploited Bugs in Dec. Update

Published: 23/11/2024   Category: security




Here's what you need to patch now, including six critical updates for Microsoft's final Patch Tuesday of the year.



Microsoft has released fixes for 48 new vulnerabilities across its products, including one that attackers are actively exploiting and another that has been publicly disclosed but is not under active exploit now.
Six of the vulnerabilities that the company patched in its final monthly security update for the year are listed as critical. It assigned an important severity rating to 43 vulnerabilities and gave three flaws a moderate severity assessment. 
Microsoft's update includes patches for out-of-band CVEs it addressed over the past month, plus 23 vulnerabilities in Google's Chromium browser technology, on which Microsoft's Edge browser is based.
The flaw that attackers are actively exploiting (CVE-2022-44698) is not among the more critical of the bugs for which Microsoft released patches today. The flaw gives attackers a way to bypass the Windows SmartScreen security feature, which protects users against malicious files downloaded from the Internet.
"An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging," Microsoft said.
"CVE-2022-44698 presents only a relatively small risk for organizations," says Kevin Breen, director of cyber-threat research at Immersive Labs. "It has to be used in partnership with an executable file or other malicious code like a document or script file," Breen says. "In these situations, this CVE bypasses some of Microsoft's built-in reputation scanning and detection — namely SmartScreen, which would normally pop up to tell a user the file may not be safe."
At the same time, users should not underestimate the threat and should patch the issue quickly, Breen recommends.
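The MOTW tag that SmartScreen and Protected View depend on is, concretely, a `Zone.Identifier` alternate data stream that a browser attaches to a downloaded file on NTFS. The Python below is an added example (not code from the article, Microsoft, or any vendor quoted here) that parses that stream and reports whether the file would open in Protected View, which is what a defender can use to audit a downloads folder for files that arrived untagged. The sample tag and the `example.invalid` URLs are constructed; `read_motw` assumes Windows/NTFS and returns None elsewhere.

```python
"""Audit Mark of the Web (MOTW) tagging on downloaded files.

On NTFS a browser records MOTW as a 'Zone.Identifier' alternate data stream
(ADS) in INI form; Office reads its ZoneId to decide on Protected View, so a
file that arrives without the tag is opened with no such sandboxing.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample of what a browser writes into report.docx:Zone.Identifier
SAMPLE_TAG = ("[ZoneTransfer]\r\nZoneId=3\r\n"
              "ReferrerUrl=https://example.invalid/\r\n"
              "HostUrl=https://example.invalid/report.docx\r\n")

@dataclass
class Motw:
    zone_id: int            # Windows URLZONE: 0 local machine ... 3 Internet, 4 Restricted
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    def triggers_protected_view(self) -> bool:
        # Office applies Protected View to the Internet (3) and Restricted (4) zones.
        return self.zone_id >= 3

def parse_zone_identifier(text: str) -> Optional[Motw]:
    """Parse a Zone.Identifier stream; None if it carries no usable ZoneId."""
    fields = {}
    in_section = False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    try:
        zone_id = int(fields["zoneid"])
    except (KeyError, ValueError):
        return None
    return Motw(zone_id, fields.get("referrerurl"), fields.get("hosturl"))

def read_motw(path: str) -> Optional[Motw]:
    """Read a file's MOTW tag (Windows/NTFS only); None when the ADS is absent."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:  # untagged file, non-NTFS volume, or not running on Windows
        return None
```

A file for which `read_motw` returns None on an NTFS volume reached the user without the tag, which is exactly the condition under which Protected View and SmartScreen stay silent.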
Microsoft described another flaw — an elevation of privilege issue in the DirectX Graphics kernel — as a publicly known zero-day but not under active exploit. The company assessed the vulnerability (CVE-2022-44710) as Important in severity and one that would allow an attacker to gain system-level privileges if exploited. However, the company described the flaw as one that attackers are less likely to exploit.
Trend Micro's ZDI flagged three other vulnerabilities in the December Patch Tuesday security update as significant: CVE-2022-44713, CVE-2022-41076, and CVE-2022-44699.
CVE-2022-44713 is a spoofing vulnerability in Microsoft Outlook for Mac. The vulnerability allows an attacker to appear as a trusted user and cause a victim to mistake an email message as if it came from a legitimate user.
"We don't often highlight spoofing bugs, but anytime you're dealing with a spoofing bug in an email client, you should take notice," ZDI's head of threat awareness Dustin Childs said in a blog post. The vulnerability could prove especially troublesome when combined with the aforementioned SmartScreen MoTW bypass flaw that attackers are actively exploiting, he said.
"CVE-2022-41076 is a PowerShell remote code execution (RCE) vulnerability that allows an authenticated attacker to escape the PowerShell Remoting Session Configuration and run arbitrary commands on an affected system," Microsoft said.
The company assessed the vulnerability as one that attackers are more likely to exploit, even though attack complexity itself is high. According to Childs, organizations should pay attention to the vulnerability because it is the type of flaw that attackers often exploit when looking to live off the land after gaining initial access on a network.
"Definitely don't ignore this patch," Childs wrote.
And finally, CVE-2022-44699 is another security bypass vulnerability — this time in Azure Network Watcher Agent — that, if exploited, could affect an organization's ability to capture logs needed for incident response.
"There might not be many enterprises relying on this tool, but for those using this [Azure Network Watcher] VM extension, this fix should be treated as critical and deployed quickly," Childs said.
Researchers with Cisco Talos identified three other vulnerabilities as critical and as issues that organizations need to address immediately. One of them is CVE-2022-41127, an RCE vulnerability that affects Microsoft Dynamics NAV and on-premises versions of Microsoft Dynamics 365 Business Central. "A successful exploit could allow an attacker to execute arbitrary code on servers running Microsoft's Dynamics NAV ERP application," Talos researchers said in a blog post.
The other two vulnerabilities that the vendor considers to be of high importance are CVE-2022-44670 and CVE-2022-44676, both of which are RCE flaws in the Windows Secure Socket Tunneling Protocol (SSTP).
"Successful exploitation of these vulnerabilities requires an attacker to win a race condition but could enable an attacker to remotely execute code on RAS servers," according to Microsoft's advisory.
Among the vulnerabilities that the SANS Internet Storm Center identified as important are CVE-2022-41089, an RCE in the .NET Framework, and CVE-2022-44690 in Microsoft SharePoint Server.
In a blog post, Mike Walters, vice president of vulnerability and threat research at Action1 Corp., also pointed to a Windows Print Spooler elevation of privilege vulnerability (CVE-2022-44678) as another issue to watch.
"The newly resolved CVE-2022-44678 is most likely to be exploited, which is probably true because Microsoft fixed another zero-day vulnerability related to Print Spooler last month," Walters said. "The risk from CVE-2022-44678 is the same: an attacker can get SYSTEM privileges after successful exploitation — but only locally."
Interestingly, several vendors had different takes on the number of vulnerabilities that Microsoft patched this month. ZDI, for instance, assessed that Microsoft patched 52 vulnerabilities; Talos pegged the number at 48, SANS at 74, and Action1 initially had Microsoft patching 74, before revising it down to 52.
Johannes Ullrich, dean of research for the SANS Technology Institute, says the issue has to do with the different ways one can count the vulnerabilities. Some, for instance, include Chromium vulnerabilities in their count while others do not. 
Others, like SANS, also count as vulnerabilities the security advisories that sometimes accompany Microsoft updates. Microsoft also sometimes releases patches during the month, which it then includes in the following Patch Tuesday update, and some researchers don't count these.
"The patch count can sometimes be confusing, as the Patch Tuesday cycle is technically November to December, so this will also include patches that were released out of band earlier in the month, and can also include updates from third party vendors," Breen says. "The most notable of these are patches from Google from Chromium, which is the base for Microsoft's Edge browser."
Breen says by his count there are 74 vulnerabilities patched since the last Patch Tuesday in November. This includes 51 from Microsoft and 23 from Google for the Edge browser.
"If we exclude both the out-of-band and Google Chromium [patches], 49 patches for vulnerabilities were released today," he says.
A Microsoft spokesman says the number of new CVEs for which the company issued patches today was 48.
