The Microsoft November 2022 Security Updates includes patches and advisories for 65 vulnerabilities, including 6 zero-days and 10 Critical severity issues.
A remote attacker could exploit some of these vulnerabilities to take control of unpatched systems.
In all, the Microsoft monthly security updates fixes vulnerabilities in the following products, features and roles:
- .NET Framework
- AMD CPU Branch
- Azure Real Time Operating System
- Linux Kernel
- Microsoft Dynamics
- Microsoft Edge (Chromium-based)
- Microsoft Exchange Server
- Microsoft Graphics Component
- Microsoft Office
- Microsoft Office Excel
- Microsoft Office SharePoint
- Microsoft Office Word
- Network Policy Server (NPS)
- Open Source Software
- Role: Windows Hyper-V
- Visual Studio
- Windows Advanced Local Procedure Call
- Windows ALPC
- Windows Bind Filter Driver
- Windows BitLocker
- Windows CNG Key Isolation Service
- Windows Devices Human Interface
- Windows Digital Media
- Windows DWM Core Library
- Windows Extensible File Allocation
- Windows Group Policy Preference Client
- Windows HTTP.sys
- Windows Kerberos
- Windows Mark of the Web (MOTW)
- Windows Netlogon
- Windows Network Address Translation (NAT)
- Windows ODBC Driver
- Windows Overlay Filter
- Windows Point-to-Point Tunneling Protocol
- Windows Print Spooler Components
- Windows Resilient File System (ReFS)
- Windows Scripting
- Windows Win32K.
On September 30, 2022, Microsoft released a security advisory for two zero-day Exchange vulnerabilities, dubbed “ProxyNotShell” (CVE-2022-41040 and CVE-2022-41082). As of the October security updates, Microsoft had not yet provided any patches to address ProxyNotShell.
“In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability,” Microsoft wrote in a blog post.
On November 8, 2022, Microsoft updated each of the advisories with new patches to fix ProxyNotShell (along with CVSS scores):
- CVE-2022-41040: Microsoft Exchange Server Elevation of Privilege Vulnerability (CVSS 8.8)
- CVE-2022-41082: Microsoft Exchange Server Remote Code Execution Vulnerability (CVSS 8.0).
For both issues, Microsoft confirmed exploitation was detected in the wild.
In addition, Microsoft patched four other zero-day vulnerabilities:
- CVE-2022-41073: Windows Print Spooler Elevation of Privilege Vulnerability (CVSS 7.8)
- CVE-2022-41091: Windows Mark of the Web Security Feature Bypass Vulnerability (CVSS 5.4)
- CVE-2022-41125: Windows CNG Key Isolation Service Elevation of Privilege Vulnerability (CVSS 7.8)
- CVE-2022-41128: Windows Scripting Languages Remote Code Execution Vulnerability (CVSS 8.8).
Microsoft warned all four of these vulnerabilities have exploits detected in the wild.
On October 25, 2022, OpenSSL previously released an announcement that forewarned of an upcoming “Critical” patch for a Critical vulnerability in OpenSSL versions 3.0 and above.
In a more recent security update on November 1, 2022, OpenSSL released security updates for the OpenSSL vulnerabilities (CVE-2022-3786 and CVE-2022-3602). However, they downgraded the issues from Critical to High severity after receiving feedback on the issue from several organizations.
Microsoft released the following two security advisories related to the OpenSSL vulnerabilities that impact multiple Microsoft products:
- CVE-2022-3786: OpenSSL: X.509 certificate verification buffer overrun
- CVE-2022-3602: OpenSSL: X.509 certificate verification buffer overrun.
Microsoft wrote that “exploitation is more likely.”
Moreover, Microsoft noted CVE-2022-3786 is in OpenSSL Software, which is consumed by multiple affected Microsoft products (Azure SDK for C++, vcpkg, and Microsoft Azure Kubernetes Service). However, the software giant confirmed that “the latest builds of these products are no longer vulnerable.”
Microsoft also addressed the following additional Critical vulnerabilities:
- CVE-2022-41080: Microsoft Exchange Server Elevation of Privilege (EoP) Vulnerability (CVSS 8.8)
- CVE-2022-37966: Windows Kerberos RC4-HMAC Elevation of Privilege (EoP) Vulnerability (CVSS 8.1)
- CVE-2022-41044: Windows Point-to-Point Tunneling Protocol Remote Code Execution (RCE) Vulnerability (CVSS 8.1)
- CVE-2022-41088: Windows Point-to-Point Tunneling Protocol Remote Code Execution (RCE) Vulnerability (CVSS 8.1)
- CVE-2022-41118: Windows Scripting Languages Remote Code Execution (RCE) Vulnerability (CVSS 7.5).
Microsoft also added CVE-2022-41080, CVE-2022-37966, and CVE-2022-41118 are all “more likely” to be exploited. CVE-2022-41044 and CVE-2022-41088 are “less likely” to be exploited.
- Microsoft October 2022 Security Updates addresses 84 vulnerabilities (13 rated Critical, 2 zero-days)
- OpenSSL fixes 2 High risk vulnerabilities (CVE-2022-3786 and CVE-2022-3602)
- OpenSSL forewarns of upcoming Critical patch (prepare now)
- CISA adds 3 vulnerabilities to Known Exploited Vulnerabilities Catalog
- Microsoft update for Microsoft Exchange Server zero-day vulnerabilities
- Adobe security updates for multiple products (17 Critical vulnerabilities fixed)