Microsoft November 2022 Patch Tuesday fixes ProxyNotShell bugs, 4 other zero-days

Microsoft has rolled out its November 2022 Patch Tuesday security updates, which address multiple vulnerabilities in a wide range of its software products, including two high-severity Microsoft Exchange zero-day vulnerabilities collectively known as ProxyNotShell, which are said to have been exploited by hackers since at least September 2022.

One of the flaws (CVE-2022-41082) is a code injection issue that allows a remote user with access to PowerShell Remoting to execute arbitrary code on vulnerable Exchange systems, while the second bug (CVE-2022-41040) allows a remote attacker to perform server-side request forgery (SSRF) attacks. A China-linked threat group has been observed exploiting the vulnerabilities to deploy China Chopper web shells on compromised servers for persistence and data theft, as well as to move laterally to other systems on the victims' networks.

Besides ProxyNotShell, the vendor has fixed four new exploited zero-day vulnerabilities: CVE-2022-41125 (privilege escalation in Microsoft Windows CNG Key Isolation Service), CVE-2022-41073 (privilege escalation in Microsoft Windows Print Spooler service), CVE-2022-41091 (security feature bypass in Microsoft Windows Mark of the Web), and CVE-2022-41128 (remote code execution in Microsoft Windows Scripting Languages).

This month’s Patch Tuesday also includes fixes for a number of high-risk flaws affecting Microsoft Netlogon RPC, Microsoft Azure, Microsoft Excel and Office Graphics, as well as Microsoft Visual Studio.

