Satnam

“This month, Microsoft addressed four zero-day vulnerabilities, with all four being exploited in the wild, though one was previously disclosed prior to patches becoming available.

“CVE-2022-41073 is an elevation of privilege vulnerability in Windows Print Spooler. Print Spooler vulnerabilities gained notoriety following the disclosure of PrintNightmare flaws in June (CVE-2021-1675) and July (CVE-2021-34527). Despite there being several Print Spooler-related vulnerabilities disclosed by security researchers since last year, it appears that CVE-2022-41073 is the first post-PrintNightmare Print Spooler vulnerability to be exploited in the wild by attackers. We’ve long warned that once Pandora’s box was opened with PrintNightmare, flaws within Windows Print Spooler would come back to haunt organisations, and based on the success ransomware groups and other threat actors have had with PrintNightmare, a continued focus on the ubiquitous nature of Windows Print Spooler makes it one of the most attractive targets for privilege escalation and remote code execution. Its discovery was credited to the Microsoft Threat Intelligence Center.

“CVE-2022-41128 is a remote code execution vulnerability in the Windows Scripting Languages. Specifically, it affects Microsoft’s JScript9 scripting language. Exploitation requires user interaction, so an attacker would need to convince a victim running a vulnerable version of Windows to visit a specially crafted server share or website through some type of social engineering. According to Microsoft, it was exploited in the wild and disclosed by Clément Lecigne of Google’s Threat Analysis Group.

“CVE-2022-41125 is an elevation of privilege vulnerability in the Windows Cryptography API: Next Generation (CNG) Key Isolation Service, a service for isolating private keys that’s hosted in the Local Security Authority (LSA) process. Exploitation of this vulnerability could grant an attacker SYSTEM privileges. It was exploited in the wild by attackers and is attributed to both the Microsoft Threat Intelligence Center and Microsoft’s Security Response Center.

“CVE-2022-41091 is one of two security feature bypass vulnerabilities in Windows Mark of the Web (MoTW). MoTW is a feature designed to flag files that have been downloaded from the internet, prompting users with a security warning banner, asking them to confirm the document is trusted by selecting Enable content. Though it was not credited to any researcher in particular, this vulnerability was recently discovered as being exploited in the wild by the Magniber ransomware group as fake software updates according to researchers at HP. The other security feature bypass in MoTW, CVE-2022-41049, was disclosed to Microsoft by researcher Will Dormann.

“Thankfully, Microsoft patched both CVE-2022-41040 and CVE-2022-41082, also known as ProxyNotShell, during this month’s Patch Tuesday release. It’s been over a month since these flaws were disclosed. While the impact of ProxyNotShell is limited due to the authentication requirement, the fact that it has been exploited in the wild and that attackers are capable of obtaining valid credentials still make these important flaws to patch.” — Satnam Narang, Sr. Staff Research Engineer at Tenable
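The Mark of the Web described in the quote is stored by Windows as an NTFS alternate data stream named `Zone.Identifier` whose `ZoneId` value records the origin zone (3 is the Internet zone that triggers the security banner). The following PowerShell script is an added example, not part of the quoted commentary or Tenable's tooling: it audits a download directory and reports which files lack an Internet-zone MoTW and so would open without the "Enable content" prompt. The default `Downloads` path, the `Get-MotwInfo` function name and the output shape are assumptions for this example.

```powershell
# Added example (not from the quoted text or from Tenable): audit a directory for the
# Mark of the Web. Windows writes MoTW as the "Zone.Identifier" alternate data stream;
# its ZoneId line records the URL security zone the file came from.
param(
    # Assumed default location; pass -Path to audit another directory.
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')
)

# URL security zone identifiers used in the Zone.Identifier stream.
$zoneNames = @{
    0 = 'LocalMachine'
    1 = 'LocalIntranet'
    2 = 'Trusted'
    3 = 'Internet'
    4 = 'Restricted'
}

function Get-MotwInfo {
    # Hypothetical helper name: returns one record per file describing its MoTW state.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][System.IO.FileInfo]$File)
    process {
        $result = [ordered]@{
            File    = $File.FullName
            HasMotw = $false
            ZoneId  = $null
            Zone    = 'None'
            HostUrl = $null
        }
        # A missing stream means the file carries no MoTW at all.
        $ads = Get-Item -LiteralPath $File.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        if ($ads) {
            $result.HasMotw = $true
            foreach ($line in (Get-Content -LiteralPath $File.FullName -Stream 'Zone.Identifier')) {
                if ($line -match '^ZoneId=(\d+)\s*$') {
                    $id = [int]$Matches[1]
                    $result.ZoneId = $id
                    $result.Zone = if ($zoneNames.ContainsKey($id)) { $zoneNames[$id] } else { 'Unknown' }
                }
                elseif ($line -match '^HostUrl=(.+)$') {
                    $result.HostUrl = $Matches[1]
                }
            }
        }
        [pscustomobject]$result
    }
}

$report = @(Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue | Get-MotwInfo)
$report | Format-Table File, HasMotw, ZoneId, Zone, HostUrl -AutoSize

# Files are only treated as "marked" when the stream exists and names the Internet
# (or Restricted) zone; anything else opens without the security warning banner.
$unmarked = @($report | Where-Object { -not ($_.HasMotw -and $_.ZoneId -ge 3) })
Write-Output ("{0} of {1} files carry no Internet-zone Mark of the Web and would open without the security banner." -f $unmarked.Count, $report.Count)
```

Run it as `.\Audit-Motw.ps1 -Path C:\Users\alice\Downloads` (script name assumed). Files that arrived in archives or container formats that do not propagate the stream will show `HasMotw = False`, which is the gap an MoTW bypass exploits; the audit surfaces those files so they can be reviewed before being opened.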