Multiple vulnerabilities in Microsoft Windows Mark of the Web



| Updated: 2022-11-14
Risk High
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2022-41091
CVE-2022-41049
CWE-ID CWE-254
Exploitation vector Network
Public exploit Vulnerability #1 is being exploited in the wild.
Vulnerability #2 is being exploited in the wild.
Vulnerable software
Windows
Operating systems & Components / Operating system

Windows Server
Operating systems & Components / Operating system

Vendor Microsoft

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

Updated: 09.11.2022

Updated vulnerability #VU69147 (CVE-2022-41091) to reflect its in-the-wild exploitation. This vulnerability is considered a zero-day.

1) Security features bypass

EUVDB-ID: #VU69147

Risk: High

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L/E:H/RL:O/RC:C]

CVE-ID: CVE-2022-41091

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to security features bypass in Windows Mark of the Web functionality. A remote attacker can trick a victim to open a specially crafted file and bypass Protected View in Microsoft Office, as demonstrated using a specially crafted ZIP archive.

Note, the vulnerability is being actively exploited in the wild.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Windows: 10 Mobile - 11

Windows Server: 2016 10.0.14393.10 - 2022 20H2

CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41091
http://twitter.com/wdormann/status/1590044005395357697
http://twitter.com/wdormann/status/1544416883419619333


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

2) Security features bypass

EUVDB-ID: #VU69148

Risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L/E:H/RL:O/RC:C]

CVE-ID: CVE-2022-41049

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to security features bypass in Windows Mark of the Web. A remote attacker can trick a victim to open a specially crafted file and cause security feature bypass.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Windows: 10 Mobile - 11

Windows Server: 2016 10.0.14393.10 - 2022 20H2

CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41049


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.



###SIDEBAR###