Microsoft’s latest round of monthly security updates fixes 68 vulnerabilities across its software portfolio, including patches for six 0-days that could be exploited for intrusions, something similar to what had been seen before.

12 issues are rated critical, two are rated high, and 55 are rated major by severity. The count also includes the weaknesses that were fixed in OpenSSL last week.

Separately, an actively exploited flaw in Chromium-based browsers (CVE-2022-3723) had already been dealt with earlier this month; Google fixed it as part of an out-of-band update late last month (for the uninitiated, Edge is also based on Chromium).

What do the experts tell us about what’s new in this Windows update?

“The big news is that two old 0-day CVEs affecting Exchange Server, made public at the end of September, have finally been resolved,” said Greg Wiseman, Rapid7 product manager.

Wiseman later added: “Customers are advised to upgrade their Exchange Server systems immediately, regardless of whether any previously recommended mitigation steps have been applied. Mitigation rules are no longer recommended once systems have been updated.”

Here are the bugs fixed by the update

The actively exploited vulnerabilities, which allow intrusion with administrator privileges and, as an aggravating factor, remote code execution, are as follows:

CVE-2022-41040 (CVSS score: 8.8) – Microsoft Exchange Server Elevation of Privilege Vulnerability (also known as ProxyNotShell);

CVE-2022-41082 (CVSS score: 8.8) – Microsoft Exchange Server Elevation of Privilege Vulnerability (i.e. ProxyNotShell, as above);

CVE-2022-41128 (CVSS score: 8.8) – Windows Scripting Languages Remote Code Execution Vulnerability;

CVE-2022-41125 (CVSS score: 7.8) – Elevation of privilege vulnerability in the Windows CNG Key Isolation Service;

CVE-2022-41073 (CVSS score: 7.8) – Windows Print Spooler vulnerability that allowed administrator privileges;

CVE-2022-41091 (CVSS score: 5.4) – Windows Mark of the Web Security Feature Bypass Vulnerability.

Benoît Sevens and Clément Lecigne of Google’s Threat Analysis Group (TAG) have been credited with reporting CVE-2022-41128, which resides in the JScript9 component and is triggered when a victim is tricked into visiting a specially crafted website; it is corrected by this update.

CVE-2022-41091 is one of two Windows Mark of the Web (MotW) security bypass flaws that have emerged in recent months, and it was recently found to have been weaponized by the creator of the Magniber ransomware to target users with fake software updates.

“An attacker can create a malicious file that could evade Mark of the Web (MotW) defenses, resulting in limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MotW tagging,” Microsoft said in a notice.

The second MotW flaw to be fixed is CVE-2022-41049 (also known as ZippyReads), reported by Analygence security researcher Will Dormann. It refers to the failure to set the Mark of the Web flag on files extracted from an archive (essentially: inability to save the files).

It is likely that attackers (hackers) abuse the two privilege escalation flaws in Print Spooler and CNG Key Isolation Service after an initial compromise to gain SYSTEM privileges, said Kev Breen, director of cyberthreat research at Immersive Labs.

There is more to know about this update: “This higher level of access [practically administrator] is required to disable or tamper with security monitoring tools before performing credential attacks with tools, such as Mimikatz, which can allow attackers to move sideways across a network,” added Breen.

Four other critical vulnerabilities in the November patch that are worth highlighting are elevation of privilege (administrator) flaws in Windows Kerberos (CVE-2022-37967), Kerberos RC4-HMAC (CVE-2022-37966) and Microsoft Exchange Server (CVE-2022-41080), and a denial of service defect affecting Windows Hyper-V (CVE-2022-38015).

The list of critical defect fixes is accompanied by four remote code execution vulnerabilities in the Point-to-Point Tunneling Protocol (PPTP), all with CVSS scores of 8.1 (CVE-2022-41039, CVE-2022-41088 and CVE-2022-41044), and another in the Windows scripting languages JScript9 and Chakra (CVE-2022-41118).

In addition to these issues, the Patch Tuesday update also addresses a number of remote code execution errors in Microsoft Excel, Word, ODBC drivers, Office Graphics, SharePoint Server, and Visual Studio, as well as a number of privilege escalation bugs in Win32k, Overlay Filter and Group Policy.

Programs and tools besides Microsoft’s that have “adapted” to this Windows update

