
Microsoft still searching for zero-day fixes following Patch Tuesday

ProxyNotShell remains unaddressed even as Microsoft fixes several critical flaws in its monthly package of security patches

Microsoft has released patches for 96 different vulnerabilities in its monthly Patch Tuesday, but has still failed to address the zero-days dubbed ‘ProxyNotShell’, leaving Exchange Servers at potential risk as the company searches for a solution.

Discovered last month, ProxyNotShell is a pair of zero-day vulnerabilities: a server-side request forgery (SSRF) flaw and a remote code execution (RCE) bug, together affecting Microsoft Exchange Server 2013, 2016, and 2019.

There is evidence that threat actors have already chained the pair to install the China Chopper web shell on Exchange servers in the wild, and Microsoft's attempts to mitigate the attacks have been shrouded in confusion.

Exchange Server customers are still waiting for a full patch for the widely discussed exploit, beyond the manual mitigations Microsoft has already published. Experts told IT Pro that customers may begin to question why a patch has taken so long for such a ubiquitous product.

"With products as complex as Microsoft Exchange, one can empathise with how long it is taking to develop - but that is the cost of doing business and when so many organisations rely on your products for their day-to-day operations, security patches in particular need to be prioritised so that customers are not left vulnerable," said Javvad Malik, lead security awareness advocate at KnowBe4.

Microsoft may also be pursuing fixes for an additional zero-day vulnerability that has supposedly led to a wave of recent LockBit ransomware attacks on Exchange Server customers.

The vulnerability was reported by cyber security researchers at South Korean firm AhnLab, whose report indicated that attackers had been observed using web shells to perform privilege escalation and exfiltrate terabytes of data.

Other security researchers have expressed doubt over the claims in the AhnLab report, citing the lack of evidence offered to support them. At the time of writing the report returns a 404 error, suggesting that the researchers may have taken it down following the criticism.

"There's a lot going on in this report about LockBit ransomware, and I'm not convinced it's a zero-day (there's no evidence in report), but one to keep an eye on," said researcher Kevin Beaumont in a tweet.

Microsoft has not yet publicly confirmed the vulnerability highlighted in the AhnLab report to be a legitimate zero-day.

Patch Tuesday brings critical fixes

In total, Microsoft patched 96 vulnerabilities this week, notably including two zero-day vulnerabilities. Tracked as CVE-2022-41033 and CVE-2022-41043, these vulnerabilities pertain to the Windows COM+ Event System Service and Microsoft Office respectively.

Of the two, only CVE-2022-41043 has been actively exploited in the wild; if successfully exploited, it can expose "user tokens and other potentially sensitive information" to threat actors. Despite no active exploitation having been observed, experts have said that CVE-2022-41033 "should be at the top of everyone's list to quickly patch".

"This specific vulnerability is a local privilege escalation, which means that an attacker would already need to have code execution on a host to use this exploit," Kev Breen, director of cyber threat research at Immersive Labs, told IT Pro.

"Privilege escalation vulnerabilities are a common occurrence in almost every security compromise. Attackers will seek to gain SYSTEM or domain-level access in order to disable security tools, grab credentials with tools like Mimikatz and move laterally across the network."

Additionally, 13 critical vulnerabilities have been fixed in the patch. These include CVE-2022-37968, which carries the highest possible score on the CVSSv3.1 severity scale, 10, and could be used to wrest administrative control over Azure Arc-enabled Kubernetes clusters.

"CVE-2022-37968, [a] connect elevation of privilege vulnerability, has a rare CVSS score of 10," said Mike Walters, VP of vulnerability and threat research at Action1.

"Successful exploitation of this vulnerability allows an unauthenticated user to elevate their privileges to cluster admin and potentially gain control over the Kubernetes cluster. If you are using these types of containers with a version lower than 1.5.8, 1.6.19, 1.7.18, and 1.8.11, and they are available from the internet, upgrade immediately."
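The version floors Walters quotes are per release branch, so a naive "is my version above 1.5.8?" check gives the wrong answer for a 1.6.x or 1.7.x cluster. The following triage helper is an added example written for this article (not code from IT Pro, Microsoft or Action1); it assumes the four quoted versions are the minimum fixed release of their respective 1.5/1.6/1.7/1.8 branches, and the cluster names and version strings in the sample inventory are constructed.

```python
"""Version triage for CVE-2022-37968 using the fixed releases quoted in the
article (1.5.8, 1.6.19, 1.7.18, 1.8.11). Added example, not code from the
article, Microsoft or Action1. Assumption: the fix shipped per minor branch,
so 1.6.5 is affected even though it is numerically above 1.5.8."""
from typing import Optional, Tuple

# Minimum fixed release per 1.x branch, as quoted in the article.
FIXED_BY_BRANCH = {
    (1, 5): (1, 5, 8),
    (1, 6): (1, 6, 19),
    (1, 7): (1, 7, 18),
    (1, 8): (1, 8, 11),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; a leading 'v' and a -prerelease/+build suffix are dropped."""
    core = text.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_affected(version: str) -> Optional[bool]:
    """True: below the fixed release for its branch. False: at or above it.
    None: a branch newer than any the article lists, so undecidable here."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_BY_BRANCH:
        return (major, minor, patch) < FIXED_BY_BRANCH[branch]
    if branch < min(FIXED_BY_BRANCH):
        return True  # older than every branch that received a fix
    return None


def triage(inventory: dict) -> dict:
    """Map each cluster name to UPGRADE / fixed / check vendor."""
    labels = {True: "UPGRADE", False: "fixed", None: "check vendor"}
    return {name: labels[is_affected(ver)] for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; cluster names and versions are made up.
    sample = {"prod-eu": "1.6.5", "prod-us": "1.8.11", "dev": "v1.4.2", "lab": "1.9.0"}
    for cluster, verdict in triage(sample).items():
        print(f"{cluster:8} {sample[cluster]:8} {verdict}")
```

Feed it the agent versions reported by your own inventory tooling; anything marked UPGRADE and reachable from the internet is the case Walters says to fix immediately.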


Additionally, the patch covers a critical flaw in SharePoint servers that allowed for RCE (CVE-2022-41038), one in Windows CryptoAPI (CVE-2022-34689) that allowed identity and code-signing spoofing, and seven critical vulnerabilities in the Windows point-to-point tunnelling protocol used for public virtual private network (VPN) tunnels.

The remaining 72 patches, one ranked as 'moderate' and the rest as 'important', cover a range of flaws including those found in Chromium Open Source, which powers Microsoft Edge, as well as elevation of privilege vulnerabilities in the Windows kernel, a number of information disclosure vulnerabilities, and several denial of service vulnerabilities across a range of services.

All patches for the vulnerabilities in this October's Patch Tuesday updates are available to download through Microsoft's Update Catalog.
