- "기밀 VM의 빈틈을 메운다" 마이크로소프트의 오픈소스 파라바이저 '오픈HCL'란?
- The best early Black Friday AirPods deals: Shop early deals
- The 19 best Black Friday headphone deals 2024: Early sales live now
- I tested the iPad Mini 7 for a week, and its the ultraportable tablet to beat at $100 off
- The best Black Friday deals 2024: Early sales live now
Microsoft Patches Six Zero-Day Bugs this Month
Microsoft released a relatively low number of security updates on Patch Tuesday yesterday, but six of the CVEs are being actively exploited in the wild.
Among these are the so-called “ProxyNotShell” bugs in Microsoft Exchange Server first revealed in September. Elevation of privilege vulnerability CVE-2022-41040 and remote code execution (RCE) bug CVE-2022-41082 are being exploited by Chinese threat actors, according to Automox senior product manager, Preetham Gurram.
“We recommend applying patches within 24 hours if you have vulnerable on-prem or hybrid exchange servers where temporary mitigation has not been applied,” he said.
The other zero-days ready for patching this month include critical RCE vulnerability CVE-2022-41128, which impacts the JScript9 scripting language, and CVE-2022-41073, which affects Windows Print Spooler.
CVE-2022-41125 is a privilege escalation vulnerability affecting the Windows Next-Generation Cryptography (CNG) Key Isolation service, while CVE-2022-41091 is described as a Windows Mark of the Web (MotW) security feature bypass vulnerability and was widely publicized in October.
The work for Exchange Server customers doesn’t end with patching the ProxyNotShell CVEs, according to Rapid7 lead product manager, Greg Wiseman.
“Four other CVEs affecting Exchange Server have also been addressed this month. Three are rated as important, and CVE-2022-41080 is another privilege escalation vulnerability considered critical,” he explained.
“Customers are advised to update their Exchange Server systems immediately, regardless of whether any previously recommended mitigation steps have been applied. The mitigation rules are no longer recommended once systems have been patched.”
Microsoft also released a non-CVE security advisory this month; its third of the year.
ADV220003 is a “defense-in-depth” update for Microsoft Office 2013 and 2016.
According to Wiseman, it “improves validation of documents protected via Microsoft’s Information Rights Management (IRM) technology – a feature of somewhat dubious value.”
Microsoft fixed a total of 68 vulnerabilities this month, including 11 rated critical.