{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-079.pdf"
    },
    "title": "Exploited 0-days and Critical Vulnerabilities in Microsoft Windows",
    "serial_number": "2022-079",
    "publish_date": "09-11-2022 11:30:00",
    "description": "On November 8, 2022, Microsoft released its Patch Tuesday advisory which contains information about 68 flaws, of which 11 are rated as critical, and 6 are exploited 0-day vulnerabilities. The exploitation of these vulnerabilities could lead to elevation of privilege, security feature bypass, remote code execution, information disclosure, denial of service and spoofing. It is highly recommended to apply the fixes as soon as possible.",
    "url_title": "2022-079",
    "content_markdown": "---\ntitle: 'Exploited 0-days and Critical Vulnerabilities in\u00a0Microsoft\u00a0Windows'\nversion: '1.0'\nnumber: '2022-079'\noriginal_date: 'November 8, 2022'\ndate: 'November 9, 2022'\n---\n\n_History:_\n\n* _09/11/2022 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn November 8, 2022, Microsoft released its Patch Tuesday advisory which contains information about 68 flaws, of which 11 are rated as critical, and 6 are exploited 0-day vulnerabilities [1]. The exploitation of these vulnerabilities could lead to elevation of privilege, security feature bypass, remote code execution, information disclosure, denial of service and spoofing [2].\n\nIt is highly recommended to apply the fixes as soon as possible.\n\n\n# Technical Details\n\nThis month's Patch Tuesday fixes six actively exploited zero-day vulnerabilities (publicly disclosed or actively exploited with no official fix available), with one being publicly disclosed:\n\n* `CVE-2022-41128` is a Remote Code Execution vulnerability in the JScript9 Scripting Language. This could be exploited by convincing a user to visit a specially crafted server share or website (usually using phishing techniques).\n\n* `CVE-2022-41091` is a Security Feature Bypass vulnerability. An attacker could craft a malicious file that will evade Mark of the Web (MOTW) defences, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging [3].\n\n* `CVE-2022-41073` is an Elevation of Privilege Vulnerability, which could allow an attacker to gain **SYSTEM** privileges by exploiting a flaw in the Windows Print Spooler.\n\n* `CVE-2022-41125` is an Elevation of Privilege Vulnerability, which could allow an attacker to gain **SYSTEM** privileges by exploiting a flaw in the Windows CNG Key Isolation Service.\n\n* `CVE-2022-41040` is an Elevation of Privilege Vulnerability in Microsoft Exchange Server (`ProxyNotShell`) that could allow an attacker to run PowerShell in the context of **SYSTEM**.\n\n* `CVE-2022-41082` is a Remote Code Execution Vulnerability in Microsoft Exchange Server (`ProxyNotShell`). As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call.\n\n\n# Affected Products\n\n* Microsoft Windows Server versions from 2008 R2 to 2022 are affected.\n* Microsoft Windows Desktop versions from Windows 7 to Windows 11 are affected.\n* Microsoft Exchange Server 2013 Cumulative Update 23 is affected [4]\n* Microsoft Exchange Server 2016 Cumulative Updates 22 and 23 are affected [4]\n* Microsoft Exchange Server 2019 Cumulative Updates 11 and 12 are affected [4]\n\n# Recommendations\n\nCERT-EU recommends applying the available fixes as soon as possible.\n\n# References\n\n[1] <https://www.bleepingcomputer.com/microsoft-patch-tuesday-reports/November-2022.html>\n\n[2] <https://www.bleepingcomputer.com/news/microsoft/microsoft-november-2022-patch-tuesday-fixes-6-exploited-zero-days-68-flaws/>\n\n[3] <https://twitter.com/wdormann/status/1544416883419619333>\n\n[4] <https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-8-2022-kb5019758-2b3b039b-68b9-4f35-9064-6b286f495b1d>",
    "content_html": "<p><em>History:</em></p><ul><li><em>09/11/2022 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On November 8, 2022, Microsoft released its Patch Tuesday advisory which contains information about 68 flaws, of which 11 are rated as critical, and 6 are exploited 0-day vulnerabilities [1]. The exploitation of these vulnerabilities could lead to elevation of privilege, security feature bypass, remote code execution, information disclosure, denial of service and spoofing [2].</p><p>It is highly recommended to apply the fixes as soon as possible.</p><h2 id=\"technical-details\">Technical Details</h2><p>This month's Patch Tuesday fixes six actively exploited zero-day vulnerabilities (publicly disclosed or actively exploited with no official fix available), with one being publicly disclosed:</p><ul><li><p><code>CVE-2022-41128</code> is a Remote Code Execution vulnerability in the JScript9 Scripting Language. This could be exploited by convincing a user to visit a specially crafted server share or website (usually using phishing techniques).</p></li><li><p><code>CVE-2022-41091</code> is a Security Feature Bypass vulnerability. An attacker could craft a malicious file that will evade Mark of the Web (MOTW) defences, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging [3].</p></li><li><p><code>CVE-2022-41073</code> is an Elevation of Privilege Vulnerability, which could allow an attacker to gain <strong>SYSTEM</strong> privileges by exploiting a flaw in the Windows Print Spooler.</p></li><li><p><code>CVE-2022-41125</code> is an Elevation of Privilege Vulnerability, which could allow an attacker to gain <strong>SYSTEM</strong> privileges by exploiting a flaw in the Windows CNG Key Isolation Service.</p></li><li><p><code>CVE-2022-41040</code> is an Elevation of Privilege Vulnerability in Microsoft Exchange Server (<code>ProxyNotShell</code>) that could allow an attacker to run PowerShell in the context of <strong>SYSTEM</strong>.</p></li><li><p><code>CVE-2022-41082</code> is a Remote Code Execution Vulnerability in Microsoft Exchange Server (<code>ProxyNotShell</code>). As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call.</p></li></ul><h2 id=\"affected-products\">Affected Products</h2><ul><li>Microsoft Windows Server versions from 2008 R2 to 2022 are affected.</li><li>Microsoft Windows Desktop versions from Windows 7 to Windows 11 are affected.</li><li>Microsoft Exchange Server 2013 Cumulative Update 23 is affected [4]</li><li>Microsoft Exchange Server 2016 Cumulative Updates 22 and 23 are affected [4]</li><li>Microsoft Exchange Server 2019 Cumulative Updates 11 and 12 are affected [4]</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU recommends applying the available fixes as soon as possible.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/microsoft-patch-tuesday-reports/November-2022.html\">https://www.bleepingcomputer.com/microsoft-patch-tuesday-reports/November-2022.html</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/microsoft/microsoft-november-2022-patch-tuesday-fixes-6-exploited-zero-days-68-flaws/\">https://www.bleepingcomputer.com/news/microsoft/microsoft-november-2022-patch-tuesday-fixes-6-exploited-zero-days-68-flaws/</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://twitter.com/wdormann/status/1544416883419619333\">https://twitter.com/wdormann/status/1544416883419619333</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-8-2022-kb5019758-2b3b039b-68b9-4f35-9064-6b286f495b1d\">https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-8-2022-kb5019758-2b3b039b-68b9-4f35-9064-6b286f495b1d</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}