November Patch Tuesday
Microsoft has released patches to address 67 vulnerabilities, including six it has marked as actively exploited zero-days. These are a Windows Scripting Languages (JScript9) remote code execution (RCE) (CVE-2022-41128), a Mark of the Web (MotW) security feature bypass (CVE-2022-41091), an Escalation of Privilege (EoP) in Print Spooler (CVE-2022-41073), an EoP in the Windows CNG Key Isolation Service, which runs inside the Local Security Authority (LSA) process (CVE-2022-41125), and the ProxyNotShell pair in Exchange Server: an EoP (CVE-2022-41040) and an RCE (CVE-2022-41082).
Another notable vulnerability this month is in Netlogon (CVE-2022-38023), which, like the Zerologon attack, abuses weaknesses in the cryptographic protection of Netlogon RPC traffic (here, RPC signing with RC4 where sealing should be required). It is rated High rather than Critical because the attack complexity is high (the attacker needs a machine-in-the-middle position between a domain member and a domain controller), but Microsoft rates exploitation as more likely.
In total there are 27 EoPs, 16 RCEs, 11 information disclosures, six denial of service (DoS), three spoofing and four security feature bypass vulnerabilities.
CVE-2022-38023 – A network-based attacker could gain administrator privileges.
CVE-2022-41128 – An attacker could execute code on a vulnerable machine if they were able to entice a user into connecting to a malicious server.
CVE-2022-41091, CVE-2022-41049 (ZippyReads) – An attacker could craft a malicious file which bypasses Microsoft’s MotW protections.
CVE-2022-41073, CVE-2022-41125 – A local Windows user could gain SYSTEM-level privileges.
CVE-2022-41040 (ProxyNotShell) – An authenticated, network-based attacker could abuse a server-side request forgery in Exchange to escalate privileges; in the wild it is chained with CVE-2022-41082 to reach code execution.
CVE-2022-41082 (ProxyNotShell) – An authenticated, network-based attacker with access to PowerShell remoting on a Microsoft Exchange server could execute code on it.
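The MotW bypasses above matter because the defences that follow a download (SmartScreen, Office Protected View) key off the Zone.Identifier alternate data stream. The following PowerShell is an added example, not code from the original post or from Microsoft: it reports which files under a folder carry a MotW and which do not, and can re-stamp the mark on files (for example archive contents) that should have one. The function names and the Internet zone value of 3 used as a default are this example's own choices; the stream layout (`[ZoneTransfer]` / `ZoneId=`) is the standard Windows format.

```powershell
# Added example (not from the original post): inspect and restore Mark of the Web.
# Zone.Identifier is an NTFS alternate data stream; ZoneId 3 = Internet, 4 = Restricted,
# 0-2 are local/intranet/trusted zones that receive no download protections.

function Get-MotwStatus {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        $zoneId = $null; $referrer = $null; $hostUrl = $null
        # Missing stream => no MotW; SilentlyContinue avoids an error per unmarked file.
        $ads = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($ads) {
            foreach ($line in $ads) {
                if     ($line -match '^ZoneId=(\d+)')       { $zoneId   = [int]$Matches[1] }
                elseif ($line -match '^ReferrerUrl=(.+)$')  { $referrer = $Matches[1] }
                elseif ($line -match '^HostUrl=(.+)$')      { $hostUrl  = $Matches[1] }
            }
        }
        [pscustomobject]@{
            File        = $_.FullName
            HasMotw     = [bool]$ads
            ZoneId      = $zoneId
            HostUrl     = $hostUrl
            ReferrerUrl = $referrer
        }
    }
}

function Add-Motw {
    # Re-apply the mark to a file that lost it (e.g. after a bypass or a naive extraction).
    param([Parameter(Mandatory)][string]$Path, [int]$ZoneId = 3)
    Set-Content -Path $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=$ZoneId"
}

# Usage: list files in Downloads that have no MotW at all, then mark them as Internet zone.
$unmarked = Get-MotwStatus -Path "$env:USERPROFILE\Downloads" | Where-Object { -not $_.HasMotw }
$unmarked | Format-Table File, HasMotw, ZoneId -AutoSize
$unmarked | ForEach-Object { Add-Motw -Path $_.File }
```

Run it against the folder where an archive was extracted: files that came from the internet but show `HasMotw = False` are exactly what these bypasses deliver, and re-stamping them restores SmartScreen and Protected View handling. Note that `Unblock-File` does the reverse, so keep it out of automated extraction scripts.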
AMD CPU Branch
Azure Real Time Operating System
Microsoft Exchange Server
Microsoft Graphics Component
Microsoft Office Excel
Microsoft Office SharePoint
Microsoft Office Word
Network Policy Server (NPS)
Open Source Software
Role: Windows Hyper-V
Windows Advanced Local Procedure Call
Windows Bind Filter Driver
Windows CNG Key Isolation Service
Windows Devices Human Interface
Windows Digital Media
Windows DWM Core Library
Windows Extensible File Allocation
Windows Group Policy Preference Client
Windows Mark of the Web (MOTW)
Windows Network Address Translation (NAT)
Windows ODBC Driver
Windows Overlay Filter
Windows Point-to-Point Tunneling Protocol
Windows Print Spooler Components
Windows Resilient File System (ReFS)
Containment, Mitigations & Remediations
Microsoft has written advice for admins about enforcing Netlogon protections.
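As an added example (not code from the original post or from Microsoft), the following PowerShell audits a domain controller for the Netlogon RPC sealing setting described in Microsoft's KB5021130 guidance for CVE-2022-38023 and lists clients or trusts still using weak signing or RC4. The `RequireSeal` value name, its 0/1/2 meanings and the event IDs 5838-5841 are taken from that guidance; the `NETLOGON` provider name used in the event filter and the function names are this example's assumptions. Run it elevated on a DC.

```powershell
# Added example (not from the original post): check Netlogon RPC sealing enforcement
# for CVE-2022-38023 and find remaining weak clients before flipping to enforcement.

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NetlogonSealMode {
    # RequireSeal (per KB5021130): 0 = off, 1 = compatibility (default after the
    # November 2022 update), 2 = enforcement. A missing value behaves as compatibility.
    $value = Get-ItemProperty -Path $NetlogonParams -Name RequireSeal -ErrorAction SilentlyContinue
    switch ($value.RequireSeal) {
        0       { 'Disabled (vulnerable, not recommended)' }
        2       { 'Enforcement' }
        default { 'Compatibility (default)' }
    }
}

function Get-NetlogonWeakClients {
    param([int]$Days = 7)
    # System log events raised by the Netlogon service when a client/trust still uses
    # RPC signing instead of sealing (5838/5839) or RC4 (5840/5841).
    # Assumption: the provider is registered as 'NETLOGON'.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5838, 5839, 5840, 5841
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Summary = ($_.Message -split "`r?`n")[0]
        }
    }
}

function Set-NetlogonSealEnforcement {
    # Only call this once Get-NetlogonWeakClients has been empty for a full audit period;
    # enforcement rejects any client that still negotiates the weak mode.
    Set-ItemProperty -Path $NetlogonParams -Name RequireSeal -Value 2 -Type DWord
}

"RequireSeal mode: $(Get-NetlogonSealMode)"
$weak = Get-NetlogonWeakClients -Days 7
if ($weak) {
    $weak | Sort-Object Time | Format-Table -AutoSize
} else {
    'No weak Netlogon clients or trusts logged in the last 7 days; enforcement can be enabled.'
}
```

The intended workflow is audit first, enforce second: leave compatibility mode on while the 58xx events identify legacy members and trusts, fix or retire those, and call `Set-NetlogonSealEnforcement` on each DC only when the event list stays empty.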
Indicators of Compromise
ZippyReads in the wild
T1210 – Exploitation of Remote Services
T1212 – Exploitation for Credential Access
T1068 – Exploitation for Privilege Escalation
November 2022 Security Updates
CVE – Common Vulnerabilities and Exposures (a public scheme that assigns a unique identifier to each publicly disclosed vulnerability)
DoS – Denial of Service (an attack that prevents a service from operating)
EoP – Escalation of Privilege
IoC – Indicator of Compromise (an artifact that can be used to identify malicious activity such as an Internet Protocol (IP) or domain used by an attacker)
LPE – Local Privilege Escalation (allows a user to gain more permissions on a device)
MotW – Mark of the Web (a safety feature that flags files downloaded from the internet so that Windows and Office apply extra protections, such as SmartScreen and Protected View, before they are run or opened)
RCE – Remote Code Execution (a class of vulnerability that allows an attacker to run code of their choosing on another machine over the network)