Microsoft Patch Tuesday – November 2022

Microsoft patched 65 CVEs(Including OpenSSL released earlier in the month) in its November 2022 Patch Tuesday release, with 11 rated as critical, and 53 rated as important.  6 actively exploited Zeroday vulnerabilities also fixed

This month’s update includes patches for:

• .NET Framework
• AMD CPU Branch
• Azure
• Azure Real Time Operating System
• Linux Kernel
• Microsoft Dynamics
• Microsoft Exchange Server
• Microsoft Graphics Component
• Microsoft Office
• Microsoft Office Excel
• Microsoft Office SharePoint
• Microsoft Office Word
• Network Policy Server (NPS)
• Open Source Software
• Role: Windows Hyper-V
• SysInternals
• Visual Studio
• Windows Advanced Local Procedure Call
• Windows ALPC
• Windows Bind Filter Driver
• Windows BitLocker
• Windows CNG Key Isolation Service
• Windows Devices Human Interface
• Windows Digital Media
• Windows DWM Core Library
• Windows Extensible File Allocation
• Windows Group Policy Preference Client
• Windows HTTP.sys
• Windows Kerberos
• Windows Mark of the Web (MOTW)
• Windows Netlogon
• Windows Network Address Translation (NAT)
• Windows ODBC Driver
• Windows Overlay Filter
• Windows Point-to-Point Tunneling Protocol
• Windows Print Spooler Components
• Windows Resilient File System (ReFS)
• Windows Scripting
• Windows Win32K

Microsoft updated the advisory pages for CVE-2022-41040 and CVE-2022-41082 (ProxyNotShell) indicating that patches are now available along with this month’s Security Updates.

Windows Scripting Languages Remote Code Execution Vulnerability

CVE-2022-41118 and CVE-2022-41128 are RCE vulnerabilities affecting the JScript9 and Chakra scripting languages. CVE-2022-41128 has a CVSSv3 score of 8.8 and only impacts the JScript9 scripting language. It has been exploited in the wild and successful exploitation requires a user with an affected version of Windows to visit a malicious, attacker-controlled server.

CVE-2022-41118 on the other hand, has a CVSSv3 score of 7.5 and has not been observed to be exploited. An attacker would need to convince a user to connect to a malicious server hosting a specially crafted website as well as win a race condition. Despite these barriers for exploitation, Microsoft still rated CVE-2022-41118 as Exploitation More Likely.

Windows Mark of the Web Security Feature Bypass Vulnerability

CVE-2022-41049 and CVE-2022-41091 are security feature bypass vulnerabilities affecting Windows Mark of the Web (MoTW). It is a security feature used to tag files downloaded from the internet and prevent them from performing certain actions. Files flagged with MoTW would be opened in Protected View in Microsoft Office prompting users with a security warning banner asking them to confirm the document is trusted by selecting Enable content. A malicious actor could craft a file that could bypass MoTW resulting in a limited loss of integrity and availability of security features such as Protected View.

CVE-2022-41091 has been exploited in the wild and for which exploit code is publicly available. CVE-2022-41049 on the other hand has not been exploited in the wild but is rated Exploitation More Likely. Both CVEs were given CVSSv3 scores of 5.4 and require user interaction, an attacker would need to entice a victim into opening the crafted file.

Microsoft Exchange Server Elevation of Privilege Vulnerability

CVE-2022-41080 vulnerability has a CVSSv3.1 score of 8.8 and rated as Exploitation More Likely. The technical details are unknown, and an exploit is not publicly available. Applying a patch can eliminate this problem. Customers are advised to update their Exchange Server systems immediately, regardless of whether any previously recommended mitigation steps have been applied. The mitigation rules are no longer recommended once systems have been patched.

Windows Print Spooler Elevation of Privilege Vulnerability

CVE-2022-41073 is an EoP vulnerability affecting the Windows Print Spooler service. The vulnerability carries a CVSSv3 score of 7.8 This flaw has been exploited in the wild, according to Microsoft, and could allow a low privileged user to gain SYSTEM level privileges.

The Windows Print Spooler service continues to gain interest from researchers and attackers alike since PrintNightmare (CVE-2021-34527) was disclosed in July of 2021. Since then, a slew of vulnerabilities has been reported including another EoP (CVE-2022-38028) in last month’s Patch Tuesday release.

Windows CNG Key Isolation Service Elevation of Privilege Vulnerability

CVE-2022-41125 is an EoP vulnerability in the Windows Cryptography Next Generation (CNG) Key Isolation Service used for Windows cryptographic support and operations. With a CVSSv3 score of 7.8, successful exploitation would allow an attacker to gain SYSTEM privileges. While no additional details were provided in the advisory, this vulnerability has reportedly been exploited in the wild.

Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability

CVE-2022-37966 vulnerability has a CVSSv3.1 score of 8.1 and rated Exploitation more likely. Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment of the targeted component. An attacker who successfully exploited this vulnerability could gain administrator privileges. An unauthenticated attacker could conduct an attack that could leverage cryptographic protocol vulnerabilities in RFC 4757 (Kerberos encryption type RC4-HMAC-MD5) and MS-PAC (Privilege Attribute Certificate Data Structure specification) to bypass security features in a Windows AD environment.

Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability

CVE-2022-41044, cve-2022-41008 vulnerability has a CVSSv3.1 score of 8.1 and rated exploitation less likely. Successful exploitation of this vulnerability requires an attacker to win a race condition. An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine.

Open SSL X.509 certificate verification buffer overrun

This month Microsoft also released patches for a pair of recently disclosed vulnerabilities impacting OpenSSL, a widely used open-source library for cryptographic implementation of secure socket layer and transport layer security protocols. These updates are available for Azure SDK for C++, Microsoft Azure Kubernetes Service, and Vcpkg

Microsoft also released a Defense in Depth Update (ADV220003) for Microsoft Office and advisories attributed to AMD and GitHub We did not include these advisories in our overall Patch Tuesday counts.

Below is the full list of CVEs patched in this month