Remember those Exchange zero-days that emerged in a blaze of publicity back in September 2022?
Those flaws, and attacks based on them, were wittily but misleadingly dubbed ProxyNotShell because the vulnerabilities involved were reminiscent of the ProxyShell security flaw in Exchange that hit the news in August 2021.
Fortunately, unlike ProxyShell, the new bugs weren’t directly exploitable by anyone with an internet connection and a misguided sense of cybersecurity adventure.
This time, you needed an authenticated connection, typically meaning that you first had to acquire or correctly guess an existing user’s email password, and then to make a deliberate attempt to login where you knew you weren’t supposed to be, before you could perform any “research” to “help” the server’s sysadmins with their work:
Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud.
As an aside, we suspect that many of the thousands of self-styled “cybersecurity researchers” who were happy to probe other people’s servers “for fun” when the Log4Shell and ProxyShell bugs were all the rage did so knowing that they could fall back on the presumption of innocence if caught and criticised. But we suspect that they thought twice before getting caught actually pretending to be users they knew they weren’t, trying to access servers under cover of accounts they knew were supposed to be off-limits, and then falling back on the “we were only trying to help” excuse.
So, although we hoped that Microsoft would come up with a quick, out-of-band fix, we didn’t expect one…
…and we therefore assumed, probably in common with most Naked Security readers, that the patches would arrive calmly and unhurriedly as part of the October 2022 Patch Tuesday, still more than two weeks away.
After all, rushing out cybersecurity fixes is a little bit like running with scissors or using the top step of a stepladder: there are ways to do it safely if you really must, but it’s better to avoid doing so altogether if you can.
However, the patches didn’t appear on Patch Tuesday either, admittedly to our mild surprise, although we felt as good as certain that the fixes would turn up in the November 2022 Patch Tuesday at the latest:
https://nakedsecurity.sophos.com/2022/10/12/patch-tuesday-in-brief-one-0-day-fixed-but-no-patches-for-exchange/
Intriguingly, we were wrong again (strictly speaking, at least): the ProxyNotShell patches didn’t make it into November’s Patch Tuesday, but they did get patched on Patch Tuesday, arriving instead in a series of Exchange Security Updates (SUs) released on the same day:
The November 2022 [Exchange] SUs are available for [Exchange 2013, 2016 and 2019].
Because we are aware of active exploits of related vulnerabilities (limited targeted attacks), our recommendation is to install these updates immediately to be protected against these attacks.
The November 2022 SUs contain fixes for the zero-day vulnerabilities reported publicly on September 29, 2022 (CVE-2022-41040 and CVE-2022-41082).
These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take any action other than updating any Exchange servers in their environment.
We’re guessing that these fixes weren’t part of the regular Patch Tuesday mechanism because they aren’t what Microsoft refer to as CUs, short for cumulative updates.
This means that you first need to ensure that your current Exchange installation is up-to-date enough to accept the new patches, and the preparatory process is slightly different depending on which Exchange version you have.
62 more holes, 4 new zero-days
Those old Exchange bugs weren’t the only zero-days patched on Patch Tuesday.
The regular Windows Patch Tuesday updates deal with a further 62 security holes, four of which are bugs that unknown attackers found first, and are already exploiting for undisclosed purposes, or zero-days for short.
(Zero because there were zero days on which you could have applied the patches ahead of the crooks, no matter how fast you deploy updates.)
We’ll summarise those four zero-day bugs quickly here; for more detailed coverage of all 62 vulnerabilities, along with statistics about the distribution of the bugs in general, please consult the SophosLabs report on our sister site Sophos News:
Microsoft patches 62 vulnerabilities, including Kerberos, and Mark of the Web, and Exchange…sort of
Zero-days fixed in this month’s Patch Tuesday fixes:
- CVE-2022-41128: Windows Scripting Languages Remote Code Execution Vulnerability. The title says it all: booby-trapped scripts from a remote site could escape from the sandbox that is supposed to render them harmless, and run code of an attacker’s choice. Typically, this means that even a well-informed user who merely looked at a web page on a booby-trapped server could end up with malware sneakily implanted on their computer, without any clicking any download links, seeing any popups, or clicking through any security warnings. Apparently, this bug exists in Microsoft’s old
Jscript9JavaScript engine, no longer used in Edge (which now uses Google’s V8 JavaScript system), but still used by other Microsoft apps, including the legacy Internet Explorer browser. - CVE-2022-41073: Windows Print Spooler Elevation of Privilege Vulnerability. Print spoolers exist to capture printer output from many different programs and users, and even from remote computers, and then to deliver it in an orderly fashion to the desired device, even if it was out of paper when you tried printing, or was already busy printing out a lengthy job for someone else. This typically means that spoolers are programmatically complex, and require system-level privileges so they can act as a “negotiators” between unprivileged users and the printer hardware. The Windows Printer Spooler uses the locally all-powerful
SYSTEMaccount, and as Microsoft’s bulletin notes: “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.” - CVE-2022-41125: Windows CNG Key Isolation Service Elevation of Privilege Vulnerability. As in the Print Spooler bug above, attackers who want to exploit this hole need a foothold on your system first. But even if they are logged in as a regular user or a guest to start with, they could end up with sysadmin-like powers by wriggling through this security hole. Ironically, this bug exists in a specially-protected process run as part of what’s called the Windows LSA (local system authority) that’s supposed to make it hard for attackers to extract cached passwords and cryptographic keys out of system memory. We’re guessing that after exploiting this bug, the attackers would be able to bypass the very security that the Key Isolation Service itself is supposed to provide, along with bypassing most other security settings on the computer.
- CVE-2022-41091: Windows Mark of the Web Security Feature Bypass Vulnerability. Microsoft’s MoTW (mark of the web) is the company’s cute name for what used to be known simply as Internet Zones: a “data label” saved along with a downloaded file that keeps a record of where that file originally came from. Windows then automatically varies its security settings accordingly whenever you subsequently use the file. Notably, Office files saved from email attachments or fetched from outside the company will automatically open up in so-called Protected View by default, thus blocking macros and other potentially dangerous content. Simply put, this exploit means that an attacker can trick Windows into saving untrusted files without correctly recording where they came from, thus exposing you or your colleagues to danger when you later open or share those files.
What to do?
- Patch Early/Patch Often. Because you can.
- If you have any on-premises Exchange servers, don’t forget to patch them too, because the Exchange 0-day patches described above won’t show up as part of the regular Patch Tuesday update process.
- Read the Sophos News article for further information on the other 58 Patch Tuesday fixes not covered explicitly here.
- Don’t delay/Do it today. Because four of the bugs fixes are newly-uncovered zero-days already being abused by active attackers.