Microsoft has released fixes for six vulnerabilities that are under active exploit, as part of its November regularly scheduled security updates. Microsoft on Tuesday provided limited details about the exploitation efforts against these flaws.
The updates include fixes for a previously undisclosed, critical-severity remote code execution Windows flaw (CVE-2022-41128) that specifically impacts the JScript9 scripting language. The flaw, which was discovered by Clément Lecigne of Google’s Threat Analysis Group, is remotely exploitable and has a low attack complexity, according to Microsoft. However, user interaction is required to carry out an attack: In order to exploit the flaw, a targeted user with an affected version of Windows would first need to access a malicious server.
“An attacker would have to host a specially crafted server share or website,” according to Microsoft. “An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message.”
Another previously undisclosed important-severity elevation-of-privilege zero-day flaw (CVE-2022-41125), found by Microsoft’s internal team, exists in the Windows CNG Key Isolation Service, which is a process used to securely store cryptographic information. Microsoft said that an attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
“[An attacker] would need to be authenticated, which is why bugs like these are often paired with some form of remote code execution exploit,” said Dustin Childs, with Trend Micro's Zero Day Initiative, in a Tuesday analysis. “As with all the other in-the-wild exploits, there’s no indication of how widely this is being used, but it’s likely somewhat targeted at this point. Still, test and deploy the updates quickly.”
Finally, a previously undisclosed important-severity elevation-of-privilege flaw (CVE-2022-41073) was found in Windows Print Spooler, Microsoft’s software that stores print jobs in the device's memory until the printer is ready to print. The flaw, which was also found internally by Microsoft’s team, could be exploited by an attacker to gain SYSTEM privileges. While details around these flaws remain scant, Microsoft said that in order to exploit both CVE-2022-41125 and CVE-2022-41073 the attack vector would need to be local, meaning that the vulnerable component is not bound to the network stack and that an attacker would need to either access the target system locally or rely on user interaction.
Microsoft additionally issued patches for a publicly disclosed, important-severity Windows Mark of the Web (MOTW) security feature bypass (CVE-2022-41091), which could allow an attacker to craft a malicious file that would evade MOTW defenses. This could result in “a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging,” according to Microsoft.
Also fixed were two known and exploited Exchange vulnerabilities, more than a month after the flaws initially emerged publicly on Sept. 29. The two flaws, an elevation-of-privilege vulnerability (CVE-2022-41040) and a remote code execution bug (CVE-2022-41082), have been exploited by attackers in “limited, targeted attacks,” Microsoft has confirmed. While Microsoft had outlined mitigations for the bugs, an official patch was not released during its previous regularly scheduled October security release.
Microsoft’s newly disclosed zero-day flaws come as a report published by the tech giant last week shed light on how nation-state actors, those based in China in particular, are getting quicker at exploiting unpatched flaws. According to Microsoft, it takes 14 days for an exploit to become available in the wild after a flaw has been publicly disclosed.
“The number of publicly disclosed zero-day vulnerabilities over the past year is on par with those from the previous year, which was the highest on record,” according to Microsoft in its report. “As cyber threat actors—both nation state and criminal—become more adept at leveraging these vulnerabilities, we have observed a reduction in the time between the announcement of a vulnerability and the commoditization of that vulnerability.”