Two zero-day vulnerabilities have been confirmed for Windows 10 and 11 users as the latest Patch Tuesday security update from Microsoft starts rolling out.
CVE-2022-44698 is one of two zero-day Windows vulnerabilities that have been fixed in the latest Microsoft Patch Tuesday security update. This vulnerability, which Microsoft confirms it has already detected being exploited, impacts most versions of Windows and sits within the SmartScreen security feature. Mike Walters, vice president of Vulnerability and Threat Research at Action1, warns that this “affects all Windows OS versions starting from Windows 7 and Windows Server 2008 R2. The vulnerability has low complexity. It uses the network vector and requires no privilege escalation.”
Yet another Mark of the Web security issue for Windows users
Specifically, an attacker is able to create a file that can get around the Mark of the Web defense that is essential to features such as the protected view in Microsoft Office, for example. Windows SmartScreen checks for a Mark of the Web zone identifier to determine if the file being executed originates from the internet and, if so, performs a further reputational check. “An attacker with malicious content that would normally provoke a security alert could bypass that notification and thus infect even well-informed users without warning,” Paul Ducklin, writing for the Sophos Naked Security blog, said.
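To make that check concrete, here is an added example (not from the article, and not Microsoft's own code) that parses the Zone.Identifier alternate data stream in which the Mark of the Web is stored and reports whether a file would be treated as internet-sourced; the sample stream text and the example.invalid URLs are constructed, and the file-reading helper assumes an NTFS volume on Windows.

```python
import configparser
import os
from typing import Optional

# URL security zone ids as recorded in the Zone.Identifier stream
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed sample of what a browser writes after a download (CRLF line ends)
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.invalid/\r\n"
                 "HostUrl=https://example.invalid/setup.exe\r\n")

def parse_zone_identifier(stream_text: str) -> dict:
    """Parse the INI-style text of a Zone.Identifier alternate data stream."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(stream_text.replace("\r\n", "\n"))
    if not parser.has_section("ZoneTransfer"):
        raise ValueError("stream has no [ZoneTransfer] section")
    zone_id = parser.getint("ZoneTransfer", "ZoneId")
    return {"zone_id": zone_id,
            "zone_name": ZONE_NAMES.get(zone_id, "unknown"),
            "referrer": parser.get("ZoneTransfer", "ReferrerUrl", fallback=None),
            "host": parser.get("ZoneTransfer", "HostUrl", fallback=None)}

def needs_reputation_check(stream_text: Optional[str]) -> bool:
    """True when the mark says the file came from the Internet (3) or Restricted
    sites (4) zone. A file with no stream (None) is treated as local, which is
    why a bypass that keeps the mark from being honoured matters."""
    if stream_text is None:
        return False
    return parse_zone_identifier(stream_text)["zone_id"] >= 3

def read_zone_identifier(path: str) -> Optional[str]:
    """Read the stream from an NTFS file on Windows; None if there is no mark."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:  # no such stream, or a filesystem without alternate data streams
        return None

def audit_directory(directory: str) -> list:
    """Return (file name, zone name or None) for each file, e.g. a Downloads folder."""
    report = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            stream = read_zone_identifier(full)
            report.append((name, parse_zone_identifier(stream)["zone_name"] if stream else None))
    return report
```

Running audit_directory over a Downloads folder lists which files still carry a mark and which do not, which is a useful baseline when assessing exposure to a bypass of this kind.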
Will Dormann, who is credited with disclosing the vulnerability in the Microsoft security update guide, has been warning of numerous Mark of the Web vulnerabilities for the past six months. Only last month, Microsoft patched CVE-2022-41091, a Mark of the Web vulnerability that was also being actively exploited by attackers.
Microsoft has confirmed three potential attack scenarios, but doesn’t provide any further detail about which of them the exploits it has seen in the wild are using. Those three scenarios are as follows:
- A web-based attack using a malicious website
- An email, or instant message, attack which uses a malicious .url file
- A user-provided content attack where that content itself is malicious
Of course, all three attacks rely upon user action, such as downloading a file, clicking a link in an email, or being fooled into visiting a malicious site.
All of that said, threat actors have already used the vulnerability in ransomware distribution campaigns such as Magniber, as well as in malware campaigns spreading the QBot trojan.
New Windows 11 22H2 zero-day also confirmed
If that’s not reason enough to ensure you apply the December Patch Tuesday update packages as soon as possible, there’s more. This month, Microsoft has patched not one but two zero-day vulnerabilities. The second, CVE-2022-44710, has been publicly disclosed but is not known to have been exploited by threat actors, according to Microsoft. CVE-2022-44710 is what’s known as an elevation of privilege vulnerability, which could lead to the attacker gaining system privileges, and concerns the DirectX graphics kernel. The scope of this one is less broad than CVE-2022-44698 in that it only appears to impact users of Windows 11 version 22H2, which is the current release.
Six critical vulnerabilities patched by Microsoft’s December security update
Of course, it wouldn’t be Patch Tuesday if the security fixes were limited to two zero-days, no matter how serious that alone may be. In fact, the December Patch Tuesday release includes some 49 vulnerabilities, with six allowing for remote code execution (RCE) given a critical status:
- CVE-2022-41127 is an RCE involving Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On-Premises)
- CVE-2022-44690 and CVE-2022-44693 are both RCE vulnerabilities involving Microsoft SharePoint Server
- CVE-2022-41076 is an RCE impacting PowerShell
- CVE-2022-44670 and CVE-2022-44676 are both RCE vulnerabilities that were found to impact the Windows Secure Socket Tunneling Protocol (SSTP)
Angela Gunn, a senior threat researcher at Sophos, described the SharePoint vulnerabilities as ones in which an “authenticated attacker with Manage List permissions could execute code remotely on a SharePoint Server in the course of a network-based attack.”