elelsiberkneva

Latest Windows patches fix two urgent zero-day security holes affecting millions of users



Microsoft addressed a pair of important-rated zero-day bugs in its September Patch Tuesday update, including a local privilege-escalation (LPE) that's being actively exploited in the wild. To boot, it disclosed three separate critical vulnerabilities that could be used for worming attacks.




Latest Windows patches fix two actively exploited zero-day security holes



The zero-day's patch addresses an actively exploited elevation of privilege vulnerability. Tracked as CVE-2023-21674, the vulnerability was given an 8.8 CVSSv3 rating and could be used to capitalise on an initial infection on a targeted host.


It's becoming the rule rather than the exception that Microsoft's Patch Tuesday security update brings bad news for Windows users in the form of actively exploited zero-day vulnerabilities. And good news that patches are available, of course. The November update does not disappoint in either regard, with no less than four new Windows zero-day attacks and fixes confirmed.


The latest Patch Tuesday security update provides security patches for no less than 68 vulnerabilities, of which 11 are rated as critical in nature. What's more, six are actively exploited zero-days; the additional two covering the Exchange Server CVE-2022-41040 and CVE-2022-41082 state-sponsored ProxyNotShell attacks I reported on last month. "It took Microsoft more than two months to provide the patch, even though the company admitted that ProxyNotShell actively exploited the vulnerabilities in targeted attacks against at least 10 large organizations," Mike Walters, vice president of vulnerability and threat research at Action1, says. "It is good news that an official patch is available now," Walters concludes, "installing it promptly is highly advisable."


A zero-day vulnerability is a flaw in software for which no official patch or security update has been released. A software vendor may or may not be aware of the vulnerability, and no public information about this risk is available. Zero-day vulnerabilities often have high severity levels and are actively exploited.


This is the fourth actively exploited Chrome vulnerability that Google has patched this year. The company said recently that it has observed a total of 18 exploited zero-day vulnerabilities in the first half of 2022, and many of them exist because previous flaws were not properly addressed.


The most significant development is that the updated Chrome addressed the critical zero-day flaw tracked as CVE-2022-1096 that was being actively exploited in the wild. More details about the flaw will be disclosed after a vast majority of the users have access to the update.


Trend Micro has fixed two actively exploited zero-day vulnerabilities in its Apex One and OfficeScan XG enterprise security products, and advises customers to update to the latest software versions as soon as possible.


Besides CVE-2022-41033, Microsoft also patched another zero-day bug tracked as CVE-2022-41043. It is an information disclosure vulnerability residing in Microsoft Office. The technical details for CVE-2022-41043 are publicly available, though the vulnerability is not actively exploited.


A final actively-exploited zero-day is an important flaw that allows threat actors to bypass the Windows Mark of the Web security feature, which is meant to protect and warn end users when they download and/or open a file from an untrusted source. This will likely be an attractive target for social engineering campaigns, so we recommend patching within 24 hours.


Adobe has posted a security update for Adobe Acrobat and Reader addressing 2 critical and 2 moderate vulnerabilities. Earlier in the month, Mozilla released five security advisories, all marked as high impact, for Thunderbird, Firefox ESR, and Firefox 93. Also earlier in the month, Google released a new Chrome version to fix four vulnerabilities, including two zero-days being actively exploited in the wild.


Apple has released iOS 15.0.2 and iPadOS 15.0.2 to fix a zero-day vulnerability that is actively exploited in the wild in attacks targeting iPhones and iPads. While Apple has not provided any details on how this vulnerability was used in attacks, they state that there are reports of it being actively used in attacks.


February is often thought of as the month of love, and Microsoft certainly showed us some love this month. They released a minimal 56 patches, with 11 being Critical. While the overall number of vulnerabilities fixed this month is relatively low, there is still cause for concern. CVE-2021-1732 is a locally exploited Windows Win32K elevation of privilege bug that is actively being exploited in the wild. It's also worth noting that all 11 of the Critical rated updates fix Remote Code Execution vulnerabilities.


Two zero-day vulnerabilities are fixed in this Patch Tuesday, one of which is actively exploited. The actively exploited vulnerability, CVE-2022-44698, allowed attackers to craft malicious files that could bypass Windows SmartScreen security features, potentially allowing the installation of malware without triggering security warnings. The other zero-day vulnerability, CVE-2022-44710, was a DirectX Graphics Kernel Elevation of Privilege vulnerability that attackers could exploit to gain SYSTEM privileges.


While the number of vulnerabilities patched each month varies depending on the researcher, researchers agree that there are two zero-day bugs patched this month, one of which is being actively exploited. However, given the ratings and severity scores, there are a handful that IT admins and security professionals should prioritize.


Microsoft released patches to fix 68 vulnerabilities on November 2022 Patch Tuesday, 11 of which are rated critical with the remainder rated important. This round of patches includes fixes for six zero-day vulnerabilities that are being actively exploited in real-world attacks.


Microsoft Patch Tuesday for this month fixes a total of 84 vulnerabilities, including an actively exploited zero-day flaw. All the vulnerabilities are high-severity, with 13 critical ones that could lead to remote code execution, privilege escalation, or spoofing.


Unfortunately, Microsoft has not yet made security fixes for two actively exploited zero-day vulnerabilities identified as CVE-2022-41040 and CVE-2022-41082, also known as ProxyNotShell.


Of the two zero-day vulnerabilities, one is actively exploited and the other publicly disclosed. They are tracked as CVE-2022-44698 (Windows SmartScreen Security Feature Bypass Vulnerability) and CVE-2022-44710 (DirectX Graphics Kernel Elevation of Privilege Vulnerability).


Windows users can increasingly expect bad news in the form of actively exploited zero-day vulnerabilities whenever Microsoft releases its Patch Tuesday security update. This is becoming the norm rather than the exception. The availability of fixes is also a welcome piece of news, of course. With no less than four new Windows zero-day attacks and verified patches, the November update does not disappoint in either respect.

