October 2022 Patch Tuesday

On Tuesday, Microsoft rolled out security patches for 85 vulnerabilities, a number not unusual for the company’s October Patch Tuesday. What is unusual, however, is that the company has failed to develop a patch for the two Exchange Server vulnerabilities that came to light earlier this month.

Microsoft is all set to cross last year’s total vulnerability patch count of 1,200 in 2022, with the total number of CVEs addressed up to the October Patch Tuesday hovering around the 1,100 mark. “If that happens, 2022 would be the second busiest year for Microsoft CVEs,” noted Dustin Childs of Trend Micro’s Zero Day Initiative.

15 of the 85 vulnerabilities addressed in the October Patch Tuesday are rated Critical in severity, 69 Important and one Moderate.

December 2022 Patch Tuesday

It’s December 2022 Patch Tuesday, and Microsoft has delivered fixes for 50+ vulnerabilities, including a Windows SmartScreen bypass flaw (CVE-2022-44698) exploited by attackers to deliver a variety of malware.

CVE-2022-44698 affects all Windows OS versions starting from Windows 7 and Windows Server 2008 R2.

“It uses the network vector, and requires no privilege escalation. However, it does need user interaction: attackers need to dupe a victim into visiting a malicious website through phishing emails or other forms of social engineering to exploit the security feature bypass,” Mike Walters, VP of Vulnerability and Threat Research at Action1, told Help Net Security.

“A threat actor can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features, which rely on MOTW tagging – for example, ‘Protected View’ in Microsoft Office. This zero-day has a moderate CVSS risk score of 5.4, because it only helps to avoid the Microsoft Defender SmartScreen defense mechanism, which has no RCE or DoS functionality.”

Other fixed vulnerabilities of note

CVE-2022-41076 is a PowerShell RCE that can be triggered by attackers who don’t have elevated privileges, but who have to take additional actions prior to exploitation to prepare the target environment. “An authenticated attacker could escape the PowerShell Remoting Session Configuration and run unapproved commands on the target system,” Microsoft explained. Given that this scripting tool is often abused by attackers, everybody should prioritize this fix.

Trend Micro’s Dustin Childs also singled out CVE-2022-44713, a spoofing vulnerability affecting Microsoft Outlook for Mac, as potentially very dangerous and ideal for phishers. “This vulnerability could allow an attacker to appear as a trusted user when they should not be. Now combine this with the SmartScreen Mark of the Web bypass and it’s not hard to come up with a scenario where you receive an e-mail that appears to be from your boss with an attachment entitled ‘Executive_Compensation.xlsx’. There aren’t many who wouldn’t open that file in that scenario,” he noted.

SharePoint admins should fix two RCEs (CVE-2022-44690 and CVE-2022-44693) that, luckily, require special permissions and pre-exploit authentication.

Maliciously used drivers signed by Microsoft

In late October, Microsoft was alerted to the fact that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity related to (Cuba) ransomware attacks. “In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers,” Microsoft noted.

Microsoft’s investigation into the matter revealed that several developer accounts for the Microsoft Partner Center were submitting malicious drivers in an attempt to get them signed by Microsoft, so they could terminate EDR agents on targeted endpoints.

“We’ve suspended the partners’ seller accounts and implemented blocking detections to help protect customers from this threat,” the company said. “Microsoft has released Windows Security Updates revoking the certificate for impacted files and suspended the partners’ seller accounts. Additionally, Microsoft has implemented blocking detections (Microsoft Defender 1.377.987.0 and newer) to help protect customers from legitimately signed drivers that have been used maliciously in post-exploit activity.”

Users and admins are advised to install the latest Windows updates and ensure their anti-virus and endpoint detection products are up to date and enabled.

Following the release of these updates and the advisory, Mandiant, Sophos and SentinelOne published their research into this particular attack avenue. “Several distinct malware families, associated with distinct threat actors, have been signed with this process,” Mandiant researchers said, noting that they “identified at least nine unique organization names associated with attestation signed malware.”
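The two December items above that an administrator can actually verify on a host are the Mark of the Web bypass (CVE-2022-44698) and the abuse of Microsoft-signed drivers. The following PowerShell is an added example written for this page; it is not code from Help Net Security, Microsoft, Mandiant, Sophos or SentinelOne. It inventories the MOTW tag (the NTFS Zone.Identifier alternate data stream that SmartScreen and Office Protected View key off) on downloaded files, lists kernel drivers whose Authenticode signer is Microsoft’s hardware-program publisher certificate, and compares the installed Defender signature version against the 1.377.987.0 figure Microsoft cites. All function names, the file-type filter and the folder being scanned are my own choices; the cmdlets (Get-Content -Stream, Get-CimInstance Win32_SystemDriver, Get-AuthenticodeSignature, Get-MpComputerStatus) are standard Windows PowerShell.

```powershell
# Added example, not code from the article, Microsoft or the quoted researchers.
# Two post-patch checks for the issues above, on a Windows host:
#  1. Inventory Mark of the Web (the "Zone.Identifier" alternate data stream that
#     SmartScreen and Office Protected View key off). A file that arrived from the
#     internet without it is exactly what a MOTW bypass like CVE-2022-44698 yields.
#  2. List kernel drivers signed through Microsoft's hardware program and check the
#     Defender signature version the advisory cites (1.377.987.0).
# Caveat: WHQL and attestation signing both use the "Microsoft Windows Hardware
# Compatibility Publisher" certificate, so the driver list is a hunt list, not a verdict.
# Function names and the file-type filter are assumptions made for this example.

function Get-MotwInfo {
    param([Parameter(Mandatory)] [string] $Path, [switch] $Recurse)
    $zoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }
    Get-ChildItem -LiteralPath $Path -File -Recurse:$Recurse | ForEach-Object {
        $file = $_
        $info = [ordered]@{ File = $file.FullName; HasMotw = $false; Zone = $null; ReferrerUrl = $null; HostUrl = $null }
        # -Stream reads the alternate data stream; on an untagged file it is simply absent.
        $ads = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($ads) {
            $info.HasMotw = $true
            # Stream body is INI-style: a [ZoneTransfer] header followed by Key=Value lines.
            foreach ($line in $ads) {
                if ($line -match '^\s*ZoneId\s*=\s*(\d+)') {
                    $id = [int]$Matches[1]
                    $info.Zone = if ($zoneNames.ContainsKey($id)) { "$id ($($zoneNames[$id]))" } else { "$id (unknown)" }
                } elseif ($line -match '^\s*ReferrerUrl\s*=\s*(\S+)') { $info.ReferrerUrl = $Matches[1] }
                elseif ($line -match '^\s*HostUrl\s*=\s*(\S+)')     { $info.HostUrl = $Matches[1] }
            }
        }
        [pscustomobject]$info
    }
}

# Re-tag a file as Internet zone (ZoneId=3) so SmartScreen and Protected View treat it as downloaded.
function Set-MotwInternet {
    param([Parameter(Mandatory)] [string] $Path)
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
}

function Get-HardwareProgramSignedDrivers {
    # Win32_SystemDriver lists kernel drivers registered with the Service Control Manager.
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $drv = $_
        $p = $drv.PathName
        if (-not $p) { return }                                  # no image path recorded; skip
        # PathName arrives as \??\C:\..., \SystemRoot\..., system32\... or a plain path.
        $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^system32\\', "$env:SystemRoot\system32\"
        if (-not (Test-Path -LiteralPath $p)) { return }
        $sig    = Get-AuthenticodeSignature -LiteralPath $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Name            = $drv.Name
            State           = $drv.State
            StartMode       = $drv.StartMode
            Path            = $p
            SignatureStatus = $sig.Status                        # anything other than Valid deserves a look
            Signer          = $signer
            HardwareProgram = ($signer -like '*Microsoft Windows Hardware Compatibility Publisher*')
        }
    }
}

function Test-DefenderSignatureVersion {
    param([version] $Minimum = [version]'1.377.987.0')          # version cited in Microsoft's advisory
    $status  = Get-MpComputerStatus
    $current = [version]$status.AntivirusSignatureVersion
    [pscustomobject]@{ Current = $current; Minimum = $Minimum; Meets = ($current -ge $Minimum); RealTimeProtection = $status.RealTimeProtectionEnabled }
}

# Usage: untagged Office, script and disk-image files in Downloads; then running
# hardware-program-signed drivers; then the Defender signature check.
Get-MotwInfo -Path "$env:USERPROFILE\Downloads" |
    Where-Object { -not $_.HasMotw -and $_.File -match '\.(xlsx?|xlsm|docx?|docm|js|jse|vbs|lnk|iso|img|vhdx?)$' } |
    Format-Table -AutoSize
Get-HardwareProgramSignedDrivers | Where-Object { $_.HardwareProgram -and $_.State -eq 'Running' } |
    Sort-Object Path | Format-Table Name, SignatureStatus, Path -AutoSize
Test-DefenderSignatureVersion
```

The MOTW inventory only tells you which files lack the tag; it cannot say whether a tag was stripped by a bypass or never applied (a file copied from a FAT-formatted USB stick, for example, also has none), so treat untagged Office or script files in a download folder as items to inspect, not as alerts. Likewise, a driver signed by the hardware-program certificate is normal for third-party hardware; the interesting entries are running drivers with a non-Valid signature status after the revocation update, or ones you cannot tie to installed hardware or software.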