Two zero-day vulnerabilities have been confirmed for Windows 10 and 11 users as Microsoft’s latest Patch Tuesday security update rolls out.
CVE-2022-44698 is one of two zero-day Windows vulnerabilities patched in the latest Microsoft Patch Tuesday security update. This vulnerability, which Microsoft confirms has already been exploited in the wild, affects most versions of Windows and lies within the SmartScreen security feature. Mike Walters, Vice President of Vulnerability and Threat Research at Action1, warns that this “affects all Windows OS versions from Windows 7 and Windows Server 2008 R2 onwards. The vulnerability has a low complexity. It uses the network vector and does not require an escalation of privilege.”
Update Windows now to ensure your system is patched against the latest exploits
Yet another Mark of the Web security issue for Windows users
Specifically, an attacker could craft a file that bypasses the Mark of the Web defenses on which features such as Protected View in Microsoft Office depend. Windows SmartScreen checks for a Mark of the Web zone ID to determine whether the file being executed originates from the Internet and, if so, performs a further reputation check. “An attacker with malicious content that would normally trigger a security alert could bypass that alert and infect even well-informed users without warning,” writes Paul Ducklin of the Sophos Naked Security blog.
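As an added illustration (not code from the article or from Microsoft), the PowerShell audit below reads the zone ID that SmartScreen relies on: Windows stores the Mark of the Web in an NTFS alternate data stream named Zone.Identifier, and a downloaded file with no stream or an unreadable zone ID is exactly what SmartScreen will not gate. The folder path is a placeholder, and the script assumes an NTFS volume (alternate data streams are dropped on FAT/exFAT).

```powershell
# Added example: report files in a folder whose Mark of the Web would not trigger
# SmartScreen's reputation check. Zone IDs: 0 local, 1 intranet, 2 trusted,
# 3 Internet, 4 restricted; SmartScreen acts on Internet-origin (3 or higher).
function Get-MotwStatus {
    param([Parameter(Mandatory)][string]$Path)

    # Get-Item -Stream errors when the stream is absent; silence it and treat as "no MotW".
    $ads = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $ads) {
        return [pscustomobject]@{ Path = $Path; ZoneId = $null; Status = 'NoMotW' }
    }

    # The stream is INI-style text: [ZoneTransfer] then ZoneId=<n> and optional URLs.
    $text = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Raw -ErrorAction SilentlyContinue
    if ($text -match '(?m)^\s*ZoneId\s*=\s*(\d+)') {
        $zone = [int]$Matches[1]
        $status = if ($zone -ge 3) { 'InternetOrigin' } else { 'LocalOrTrusted' }
        return [pscustomobject]@{ Path = $Path; ZoneId = $zone; Status = $status }
    }

    # Stream exists but carries no parseable ZoneId: SmartScreen cannot read a zone from it.
    return [pscustomobject]@{ Path = $Path; ZoneId = $null; Status = 'MalformedMotW' }
}

# Usage: audit a download folder (placeholder path) and list everything SmartScreen would skip.
$folder = "$env:USERPROFILE\Downloads"
Get-ChildItem -LiteralPath $folder -File -Recurse |
    ForEach-Object { Get-MotwStatus -Path $_.FullName } |
    Where-Object { $_.Status -ne 'InternetOrigin' } |
    Format-Table -AutoSize
```

Files reported as NoMotW or MalformedMotW after arriving from a browser, mail client or archive are worth a closer look, since that is the state a bypass of this kind leaves behind.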
Will Dormann, who is credited in the Microsoft Security Update Guide with reporting the vulnerability, has warned of numerous Mark of the Web vulnerabilities over the past six months. Just last month, Microsoft patched CVE-2022-41091, another Mark of the Web vulnerability that was also actively exploited by attackers.
Microsoft has confirmed three possible attack scenarios, but does not provide further details about the exploits it has seen in the wild. Those three scenarios are as follows:
- A web-based attack using a malicious website
- An email or instant message attack that uses a malicious .url file
- User-supplied content where that content itself is malicious
Of course, all three attacks rely on user actions, such as downloading a file, clicking a link in an email, or being tricked into visiting a malicious site.
That all said, threat actors have already exploited the vulnerability in ransomware distribution campaigns, such as Magniber, and in malware campaigns that distribute the QBot trojan.
New Windows 11 22H2 zero-day also confirmed
If that’s not enough reason to make sure you apply the December Patch Tuesday rollups as soon as possible, there’s more. This month, Microsoft patched not one, but two zero-day vulnerabilities. The second, CVE-2022-44710, has been publicly disclosed, but is not known to have been exploited by threat actors, Microsoft said. CVE-2022-44710 is what is known as an elevation of privilege vulnerability, which could allow an attacker to gain system privileges, and affects the DirectX graphics kernel. Its scope is narrower than that of CVE-2022-44698, as it appears to affect only users of Windows 11 version 22H2, the latest release.
Six critical vulnerabilities patched by Microsoft’s December security update
Of course, it wouldn’t be Patch Tuesday if security fixes were limited to two zero-days, however severe that alone may be. In fact, the December Patch Tuesday release contains some 49 vulnerabilities, six of which are rated critical and allow remote code execution (RCE):
- CVE-2022-41127 is an RCE involving Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On-Premises)
- CVE-2022-44690 and CVE-2022-44693 are both RCE vulnerabilities related to Microsoft SharePoint Server
- CVE-2022-41076 is an RCE that affects PowerShell
- CVE-2022-44670 and CVE-2022-44676 are both RCE vulnerabilities that have been found to affect the Windows Secure Socket Tunneling Protocol (SSTP)
Angela Gunn, a senior threat researcher at Sophos, described the SharePoint vulnerabilities as ones where an “authenticated attacker with management list permissions could allow remote code execution on a SharePoint server during a network-based attack.”