November 8, 2022

Let’s face it: Having “2022 election” in the headline above is probably the only reason anyone might read this story today. Still, while most of us here in the United States are anxiously awaiting the results of how well we’ve patched our Democracy, it seems fitting that Microsoft Corp. today released gobs of security patches for its ubiquitous Windows operating systems. November’s patch batch includes fixes for a whopping six zero-day security vulnerabilities that miscreants and malware are already exploiting in the wild.

Probably the scariest of the zero-day flaws is CVE-2022-41128, a “critical” weakness in the Windows scripting languages that could be used to foist malicious software on vulnerable users who do nothing more than browse to a hacked or malicious site that exploits the weakness. Microsoft credits Google with reporting the vulnerability, which earned a CVSS score of 8.8.

CVE-2022-41073 is a zero-day flaw in the Windows Print Spooler, a Windows component that Microsoft has patched mightily over the past year. Kevin Breen, director of cyber threat research at Immersive Labs, noted that the print spooler has been a popular target for vulnerabilities in the last 12 months, with this marking the 9th patch.

The third zero-day Microsoft patched this month is CVE-2022-41125, which is an “elevation of privilege” vulnerability in the Windows Cryptography API: Next Generation (CNG) Key Isolation Service, a service for isolating private keys. Satnam Narang, senior staff research engineer at Tenable, said exploitation of this vulnerability could grant an attacker SYSTEM privileges.

The fourth zero-day, CVE-2022-41091, was previously disclosed and widely reported on in October. It is a Security Feature Bypass of “Windows Mark of the Web” – a mechanism meant to flag files that have come from an untrusted source.

The other two zero-day bugs Microsoft patched this month were for vulnerabilities being exploited in Exchange Server. News that these two Exchange flaws were being exploited in the wild surfaced in late September 2022, and many were surprised when Microsoft let October’s Patch Tuesday sail by without issuing official patches for them (the company instead issued mitigation instructions that it was forced to revise multiple times). Today’s patch batch addresses both issues.

Greg Wiseman, product manager at Rapid7, said the Exchange flaw CVE-2022-41040 is a “critical” elevation of privilege vulnerability, and CVE-2022-41082 is considered Important, allowing Remote Code Execution (RCE) when PowerShell is accessible to the attacker.

“Both vulnerabilities have been exploited in the wild,” Wiseman said. “Four other CVEs affecting Exchange Server have also been addressed this month. Three are rated as Important, and CVE-2022-41080 is another privilege escalation vulnerability considered Critical. Customers are advised to update their Exchange Server systems immediately, regardless of whether any previously recommended mitigation steps have been applied. The mitigation rules are no longer recommended once systems have been patched.”

Adobe usually issues security updates for its products on Patch Tuesday, but it did not this month. For a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: usually has the lowdown on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.

14 thoughts on “Patch Tuesday, November 2022 Election Edition”

  1. Alfonso

    I have unsubscribed from this site as many as 8 times. I have the screenshots telling me that I will get a confirmation mail. What’s up with that? What’s up with your site?
    I hope this is the last time I have to do this.

    1. Myrddin Emrys

      I can’t speak to Krebs’ site inner workings, but the most common reason that an unsubscribe fails to work is because the address you’re sending the request from isn’t the address that the content is being delivered to. Did you perhaps add +flags to your address, or do you have multiple addresses that redirect? A vanity domain that forwards to Gmail (or vice versa)?

      Inspect the headers of the unwanted content to see the address it’s delivering to, then compose your unsubscribe request and ensure your email client is using the same sender address and reply address as it’s being delivered to.

  2. Anony-mouse

    I appreciate your patch posts, I always check here for anything particularly nasty, before updating the network.

  3. JohnnyT

    6 zero days? Seriously?

    Bill sent his “security is important” email on January 15, 2002. We are over 20 years down the road from Bill getting a Clue(TM) and Microsoft are still producing enough zero days to support a thriving world wide black hat industry along with multiple vicious nation-state actors.

    We are ill-served by M$. We need trustworthiness, not ads in our menus.

    1. Myrddin Emrys

      I’m no Microsoft Apologist, but the main driver for Microsoft’s massive security holes is their tireless support of backwards compatibility. If they dropped all legacy support (drivers, printers, technologies, languages, interfaces) next year for any hardware or software more than 5 years old they would remove 95% of their attack surface… but it’ll never happen.

      1. JohnnyT

        Agreed, however: The security problems caused by “tireless support of backwards compatibility” could be at least partly mitigated by containerization and jails. But we get ads instead, and the munificent opportunity to pay a “subscription” for those ads forever.

  4. Rainman

    Possibly bad timing. Could you imagine if voting systems start automatically rebooting in the middle of voting because patches have finished installing.

    1. BEC

      Normally I would say those systems aren’t online, but Arizona proves me wrong this time.

  7. Jim

    Interesting article. Good job Krebs. And I would disagree with some of your commenters about older systems being the cause of many of MS’s problems. I would say it is more along the lines of “churning”: old versus new equipment. Not everyone can afford the latest sparkly computer, telephone, or printer. Or even hamburger nowadays. Remember some minor issue, called supply chains, where one country controls magnets, plastic production, copper mining, gold mining, silicon. Oh, call it an unfriendly country; they are acting unfriendly, and do they give a dam*** about the US? Or us? The people, their consumers? Sorry for the rant. But not everyone can buy the latest sparkly, the biggest and the best, and some of the drivers should be universal and build upon the past generations. Like print drivers, spoolers, video drivers, etc. Each upgrade should have increased security, not profits.

    1. mealy

      Someone has to write the updates. That person you want to be paid properly, or you’re relying on a goodwill system of enthusiasts like Linux, and when you’re selling proprietary software there’s an inherent incompatibility with making it free and owned by everyone. Third-party drivers for random obsolete products like printers, scanners, routers, or anything else all have to come from somewhere, and the number of experts able to update old systems to current security paradigms, all of this for free, is beyond unicorn limited. If you are selling a one-time purchase that has to update drivers and maintain the personnel and platforms to do that into infinity, that’s just resource impossible. They have to keep selling something, either a subscription or a new version with the updates. As long as they are above board and handle their side of the bargain, this isn’t shady or planned obsolescence, just linear time as new risks are exposed to be patched – or left wide open forever. When the number of people affected is low, the interest in dedicating resources to fix it is extremely low. This isn’t the evil part.

  8. KR

    Today I updated my desktop and notebook, both on W10 21H2. Updates applied to both w/o incident and restarted OK. So far, so good….
