ProxyNotShell Finally Gets Patched by Microsoft

Microsoft’s November 2022 Patch Tuesday includes fixes for more than 60 vulnerabilities affecting almost 40 different products, features and roles – including patches for CVE-2022-41040 and CVE-2022-41082, the ProxyNotShell flaws disclosed last month.

“It took Microsoft more than two months to provide the patch, even though the company admitted that ProxyNotShell actively exploited the vulnerabilities in targeted attacks against at least 10 large organizations,” Mike Walters, vice president of vulnerability and threat research at Action1, said by email.

“During this period, Microsoft proposed some mitigation measures, which it revised in response to intense criticism,” Walters added. “However, even the revised measures have not been a panacea, so it is good news that an official patch is available now. Installing it promptly is highly advisable.”

Regarding any previously applied mitigations for those flaws, the Microsoft Exchange Team advised, “Mitigations are not actual code fixes of specific vulnerabilities. Please install the November 2022 (or later) SU on your Exchange servers to address CVE-2022-41040 and CVE-2022-41082.”

Other Threats Patched Too

Several other patches address flaws that are currently being exploited in the wild.

One of those is CVE-2022-41128, a remote code execution flaw with a CVSS score of 8.8, impacting the JScript9 scripting language. “It has low complexity, uses the network vector, and requires no privilege to use, but it needs user interaction, such as using a phishing email to convince the victim to visit a malicious server share or website,” Walters said.

In addition to installing the update, Walters suggested the flaw should serve as a reminder to train all users to identify and report phishing attacks.

Syxsense founder and CEO Ashley Leonard said by email that another flaw, CVE-2022-41091, is notable because the steps to exploit it are available online. “An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging,” Leonard said.

Automox researcher Gina Geisel noted that CVE-2022-41125, a privilege escalation flaw in Windows CNG Key Isolation Service, is also being actively exploited. “With a long list of Windows 10 and 11 impacted (in addition to Win 8.0, 7.0, Server 2008, 2012, 2016, 2019, 2022, and 2022 Azure), this vulnerability exposes industry-leading versions of Windows and could have wide-ranging impacts,” she wrote in a blog post.

And Qualys director of vulnerability and threat research Bharat Jogi highlighted CVE-2022-41073, a Windows Print Spooler privilege escalation vulnerability that’s also being exploited in the wild. “Print Spooler is not new to zero days by any means, with a multitude of vulnerabilities having been identified over the years – one of which was used in the highly sophisticated nation-state Stuxnet attack,” he said.

Vulnerable Time of Year

While patching critical flaws like ProxyNotShell immediately is always important, Jogi noted one additional reason to take patching seriously now: the coming holidays.

“As we approach the holiday season, security teams must be on high alert and increasingly vigilant, as attackers typically ramp up activity during this time (e.g., Log4j, SolarWinds etc.),” Jogi said. “It is likely we will see bad actors attempting to take advantage of disclosed zero days and vulnerabilities released that organizations have left unpatched.”

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.
