Microsoft’s October 2022 Patch Tuesday includes security updates that fix well over 80 vulnerabilities in more than 50 different parts of its product range – but the ProxyNotShell flaws in Exchange Server that were reported last month are not on the list.
Key vulnerabilities patched include CVE-2022-41033, a zero-day flaw in the Windows COM+ Event System Service that’s being actively exploited and can provide an attacker with system privileges; and CVE-2022-34689, a Windows CryptoAPI flaw reported by the U.K. National Cyber Security Centre (NCSC) and the U.S. National Security Agency (NSA) that could enable an attacker to manipulate an X.509 certificate to spoof their identity.
SANS dean of research Johannes B. Ullrich noted in an analysis of the updates that the most severe of the flaws is CVE-2022-37968, an elevation of privilege vulnerability affecting the cluster connect feature of Azure Arc-enabled Kubernetes clusters, which was given a CVSS score of 10.0. The flaw could provide an attacker with administrative control over a Kubernetes cluster.
Still, Sophos researchers Angela Gunn and Matt Wixey noted that even an apparently innocuous vulnerability like CVE-2022-38022, which only allows an attacker to delete an empty folder on a file system, serves as “a reminder that in a world of chained attacks, a tiny flaw such as this should be patched because it can be part of a bigger attack sequence.”
ProxyNotShell Not Quelled
Notably, the updates don’t include any patches for ProxyNotShell, the pair of zero-day remote code execution flaws in Microsoft Exchange Server that were uncovered last month by the Vietnamese security firm GTSC.
Microsoft highlighted that fact in a blog post detailing Exchange Server security updates, writing, “The October 2022 SUs do not contain fixes for the zero-day vulnerabilities reported publicly on September 29, 2022 (CVE-2022-41040 and CVE-2022-41082). Please see this blog post to apply mitigations for those vulnerabilities. We will release updates for CVE-2022-41040 and CVE-2022-41082 when they are ready.”
Qualys security researcher Ankit Malhotra suggested Microsoft is “likely trying to be extra cautious, not wanting to rush into releasing incomplete patches. It’s worth noting that Microsoft has had to revise the mitigation for CVE-2022-41040 more than once as the recommended URL rewrite mitigation was bypassed multiple times.”
Malhotra said ProxyNotShell will likely see increased exploitation, since Exchange Server is a particularly attractive target for two key reasons. “First, Exchange is an email server so it must be connected directly to the internet,” he said. “And being directly connected to the internet creates an attack surface which is accessible from anywhere in the world, drastically increasing its risk of being attacked. Secondly, Exchange is a mission critical function – organizations can’t just unplug or turn off email without severely impacting their business in a negative way.”
New RSS Feed for Security Notifications
Microsoft also announced a new RSS feed for users to stay on top of security notifications.
The Security Update Guide will also serve as a channel outside the monthly patch cycle for Microsoft to share mitigations for newly disclosed vulnerabilities.
Microsoft has also changed the way users receive email notifications.
Active Directory Changes
As Microsoft Active Directory senior program manager Cliff Fisher noted on Twitter, the company also made significant changes to Active Directory environments, including the ability to lock out admin accounts after a certain number of incorrect password attempts in order to mitigate brute force attacks.
The new policy can be found under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policies. Microsoft’s baseline recommendation is to set them to 10/10/10, meaning an account would be locked out after 10 failed attempts within 10 minutes, and the lockout would last for 10 minutes.
To improve password security, local administrator account passwords on new machines will also be required to have at least three of the four basic character types (lower case, upper case, numbers, and symbols) – though if you want to use a less complex password, that can be changed at Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy.
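The following PowerShell script is an added example, not part of the article or of Microsoft's own tooling. It exports the host's local security database with the built-in secedit.exe, parses the account-policy values, and reports whether each one is at least as strict as the 10/10/10 lockout baseline and the password-complexity requirement described above. Function and variable names are my own; it assumes an elevated PowerShell session on a Windows host.

```powershell
# Added example (not from the article): audit a Windows host's account lockout
# and password complexity settings against the 10/10/10 baseline the article
# describes. Requires an elevated session; secedit.exe ships with Windows.
# Function, variable and temp-file names here are my own choices.

function Get-LocalSecurityPolicyValues {
    # Export the local security policy to a temp file and parse the numeric
    # "Key = Value" pairs secedit writes under [System Access].
    $cfg = Join-Path $env:TEMP ("secpol-{0}.cfg" -f [guid]::NewGuid())
    try {
        $null = secedit.exe /export /cfg $cfg /areas SECURITYPOLICY
        if (-not (Test-Path -Path $cfg)) { throw "secedit export failed (run elevated?)" }
        $values = @{}
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
                $values[$Matches[1]] = [int]$Matches[2]
            }
        }
        return $values
    } finally {
        Remove-Item -Path $cfg -Force -ErrorAction SilentlyContinue
    }
}

function Test-LockoutBaseline {
    param([hashtable]$Policy)

    # One check per setting: the baseline value and what "at least as strict" means.
    # LockoutBadCount = 0 disables lockout entirely; LockoutDuration = -1 means the
    # account stays locked until an administrator unlocks it.
    $checks = @(
        @{ Key = 'LockoutBadCount';    Baseline = 10; Rule = { param($v) $v -ge 1 -and $v -le 10 }
           Meaning = 'failed attempts before lockout (0 = never lock out)' }
        @{ Key = 'ResetLockoutCount';  Baseline = 10; Rule = { param($v) $v -ge 10 }
           Meaning = 'minutes before the failed-attempt counter resets' }
        @{ Key = 'LockoutDuration';    Baseline = 10; Rule = { param($v) $v -ge 10 -or $v -eq -1 }
           Meaning = 'minutes the account stays locked (-1 = until an admin unlocks it)' }
        @{ Key = 'PasswordComplexity'; Baseline = 1;  Rule = { param($v) $v -eq 1 }
           Meaning = '1 = require three of the four character classes' }
    )

    foreach ($c in $checks) {
        if ($Policy.ContainsKey($c.Key)) {
            $current = $Policy[$c.Key]
            $ok = & $c.Rule $current
        } else {
            # A missing key means the setting is not defined on this host.
            $current = 'not defined'
            $ok = $false
        }
        [pscustomobject]@{
            Setting  = $c.Key
            Current  = $current
            Baseline = $c.Baseline
            Status   = $(if ($ok) { 'OK' } else { 'REVIEW' })
            Meaning  = $c.Meaning
        }
    }
}

Test-LockoutBaseline -Policy (Get-LocalSecurityPolicyValues) | Format-Table -AutoSize
```

Rows marked REVIEW are settings that are either undefined or weaker than the baseline; a lower LockoutBadCount or a longer LockoutDuration than 10 is treated as acceptable because it is stricter. Because secedit exports the host's local security database, the values reflect whatever domain or local policy has actually been applied to that machine, which makes this a useful spot check after the policy change is rolled out.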