Microsoft’s October 2022 Patch Tuesday consists of security updates that fix well over 80 vulnerabilities in more than 50 different components of its product range, but the ProxyNotShell flaws in Exchange Server that were reported last month are not on the list.
Key vulnerabilities patched include CVE-2022-41033, a zero-day flaw in the Windows COM+ Event System Service that is being actively exploited and can provide an attacker with SYSTEM privileges; and CVE-2022-34689, a Windows CryptoAPI flaw reported by the U.K. National Cyber Security Centre (NCSC) and the U.S. National Security Agency (NSA) that could allow an attacker to manipulate an X.509 certificate to spoof their identity.
SANS dean of research Johannes B. Ullrich noted in an analysis of the updates that the most severe of the issues is CVE-2022-37968, an elevation of privilege vulnerability affecting the cluster connect feature of Azure Arc-enabled Kubernetes clusters, which was given a CVSS score of 10.0. The flaw could provide an attacker with administrative control over a Kubernetes cluster.
Still, Sophos researchers Angela Gunn and Matt Wixey noted that even an apparently innocuous vulnerability like CVE-2022-38022, which only allows an attacker to delete an empty folder on a file system, serves as “a reminder that in a world of chained attacks, a tiny flaw such as this should be patched because it may be part of a larger attack sequence.”
ProxyNotShell Not Quelled
Notably, the updates don’t include any patches for ProxyNotShell, the pair of zero-day remote code execution flaws in Microsoft Exchange Server that were uncovered last month by the Vietnamese security firm GTSC.
Microsoft highlighted that fact in a blog post detailing Exchange Server security updates, writing, “The October 2022 SUs do not contain fixes for the zero-day vulnerabilities reported publicly on September 29, 2022 (CVE-2022-41040 and CVE-2022-41082). Please see this blog post to apply mitigations for these vulnerabilities. We will release updates for CVE-2022-41040 and CVE-2022-41082 when they are ready.”
Qualys security researcher Ankit Malhotra suggested Microsoft is “likely trying to be extra cautious, not wanting to rush into releasing incomplete patches. It’s worth noting that Microsoft has had to revise the mitigation for CVE-2022-41040 more than once because the recommended URL rewrite mitigation was bypassed multiple times.”
Malhotra said ProxyNotShell will likely see increased exploitation, since Exchange Server is a particularly attractive target for two key reasons. “First, Exchange is an email server so it must be connected directly to the internet,” he said. “And being directly connected to the internet creates an attack surface which is accessible from anywhere in the world, drastically increasing its risk of being attacked. Secondly, Exchange is a mission critical function – organizations can’t simply unplug or turn off email without severely impacting their business in a negative way.”
Active Directory Changes
As Microsoft Active Directory senior program manager Cliff Fisher noted on Twitter, the company also made significant changes to Active Directory environments, including the ability to lock out admin accounts after a certain number of incorrect password attempts in order to mitigate brute force attacks.
The new policy can be found under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policies. Microsoft’s baseline recommendation is to set them to 10/10/10, meaning an account would be locked out after 10 failed attempts within 10 minutes, and the lockout would last for 10 minutes.
To improve password security, local administrator account passwords on new machines will also be required to have at least three of the four basic character types (lower case, upper case, numbers, and symbols), though if you want to use a less complex password, that can be changed at Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy.
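An added example (not from the article or from Microsoft) that audits a machine against the lockout and complexity settings described above: it exports the local security policy with secedit.exe and compares the values to the 10/10/10 and three-of-four recommendations. It assumes an elevated PowerShell session, and the AllowAdministratorLockout key name used for the admin-lockout switch is an assumption.

```powershell
# Added example, not from the article: audit local account lockout and password
# complexity settings against the 10/10/10 baseline. Assumes an elevated session,
# since secedit.exe needs admin rights to export the security policy.
$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null

# Read the [System Access] section of the exported template into a hashtable
$settings = @{}
$inSection = $false
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
        $settings[$Matches[1]] = $Matches[2]
    }
}
Remove-Item -Path $inf -Force

# secedit omits ResetLockoutCount and LockoutDuration when lockout is disabled
# (LockoutBadCount = 0), so a missing key is itself a finding.
function Get-Setting([string]$Key) {
    if ($settings.ContainsKey($Key)) { [int]$settings[$Key] } else { $null }
}

$checks = @(
    @{ Name = 'Lockout threshold (attempts)'; Key = 'LockoutBadCount'; Expected = '1-10'
       Test = { param($v) ($null -ne $v) -and $v -ge 1 -and $v -le 10 } }
    @{ Name = 'Observation window (min)'; Key = 'ResetLockoutCount'; Expected = '>= 10'
       Test = { param($v) ($null -ne $v) -and $v -ge 10 } }
    @{ Name = 'Lockout duration (min)'; Key = 'LockoutDuration'; Expected = '>= 10 or -1'
       Test = { param($v) ($null -ne $v) -and ($v -ge 10 -or $v -eq -1) } }
    @{ Name = 'Password complexity (3 of 4 classes)'; Key = 'PasswordComplexity'; Expected = '1'
       Test = { param($v) $v -eq 1 } }
    # Key name for "Allow Administrator account lockout" is assumed here
    @{ Name = 'Admin account lockout allowed'; Key = 'AllowAdministratorLockout'; Expected = '1'
       Test = { param($v) $v -eq 1 } }
)

$report = foreach ($c in $checks) {
    $value  = Get-Setting $c.Key
    $actual = if ($null -eq $value) { 'not set' } else { $value }
    $status = if (& $c.Test $value) { 'OK' } else { 'REVIEW' }
    [pscustomobject]@{ Setting = $c.Name; Actual = $actual; Expected = $c.Expected; Status = $status }
}
$report | Format-Table -AutoSize
```

Rows marked REVIEW show where the local policy differs from the baseline; on domain-joined machines the effective values come from the domain GPO, so run this where the policy actually applies.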