---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Exploited 0-days and Critical Vulnerabilities in Microsoft Windows'
version: '1.0'
number: '2022-079'
original_date: 'November 8, 2022'
date: 'November 9, 2022'
---

_History:_

* _09/11/2022 --- v1.0 -- Initial publication_

# Summary

On November 8, 2022, Microsoft released its Patch Tuesday advisory, which contains information about 68 flaws, of which 11 are rated as critical and 6 are exploited 0-day vulnerabilities [1]. The exploitation of these vulnerabilities could lead to elevation of privilege, security feature bypass, remote code execution, information disclosure, denial of service and spoofing [2].

It is highly recommended to apply the fixes as soon as possible.

# Technical Details

This month's Patch Tuesday fixes six actively exploited zero-day vulnerabilities (publicly disclosed or actively exploited with no official fix available), one of which was publicly disclosed:

* `CVE-2022-41128` is a Remote Code Execution vulnerability in the JScript9 Scripting Language. This could be exploited by convincing a user to visit a specially crafted server share or website (usually using phishing techniques).
* `CVE-2022-41091` is a Security Feature Bypass vulnerability. An attacker could craft a malicious file that evades Mark of the Web (MOTW) defences, resulting in a limited loss of integrity and availability of security features that rely on MOTW tagging, such as Protected View in Microsoft Office [3].
* `CVE-2022-41073` is an Elevation of Privilege vulnerability, which could allow an attacker to gain **SYSTEM** privileges by exploiting a flaw in the Windows Print Spooler.
* `CVE-2022-41125` is an Elevation of Privilege vulnerability, which could allow an attacker to gain **SYSTEM** privileges by exploiting a flaw in the Windows CNG Key Isolation Service.
* `CVE-2022-41040` is an Elevation of Privilege vulnerability in Microsoft Exchange Server (`ProxyNotShell`) that could allow an attacker to run PowerShell in the context of **SYSTEM**.
* `CVE-2022-41082` is a Remote Code Execution vulnerability in Microsoft Exchange Server (`ProxyNotShell`). As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call.

# Affected Products

* Microsoft Windows Server, from version 2008 R2 to version 2022, is affected.
* Microsoft Windows Desktop, from version Windows 7 to version Windows 11, is affected.
* Microsoft Exchange Server 2013 Cumulative Update 23 is affected [4].
* Microsoft Exchange Server 2016 Cumulative Updates 22 and 23 are affected [4].
* Microsoft Exchange Server 2019 Cumulative Updates 11 and 12 are affected [4].

# Recommendations

CERT-EU recommends applying the available fixes as soon as possible.

# References

[1] [2] [3] [4]