Important Security Alert: Issue Found in React (Common Website Technology)
A serious security fault has been discovered in a piece of software called React, which many websites and online services use behind the scenes. This…
Microsoft Patch Tuesday Fixes Nine Critical Vulnerabilities
Microsoft’s November Patch Tuesday addresses 62 vulnerabilities, nine of which are critical. Six of the vulnerabilities are actively exploited zero-days, which includes two used in ProxyNotShell attacks (CVE-2022-41082 and CVE-2022-41040) affecting on-premise Microsoft Exchange Servers.
The other four actively exploited vulnerabilities include:
- CVE-2022-41091 – Windows Mark of the Web Security Feature Bypass Vulnerability allows for an attacker to craft a malicious file that would evade Mark of the Web defences. The hacker could use a malicious website or a specially crafted .url file to exploit the bypass. The vulnerability requires the user to take action, such as clicking on a link or malicious attachment within a phishing email.
- CVE-2022-41128 – Windows Scripting Languages Remote Code Execution Vulnerability impacts the Jscript9 scripting language. It allows for an attacker hosting a specially crafted server share or website to execute code remotely, providing they can convince a user to visit the server share or website, possibly through phishing emails or chat messages.
- CVE-2022-41073 – Windows Print Spooler Elevation of Privilege Vulnerability allows an attacker to gain system privileges if successfully exploited.
- CVE-2022-41125 – Windows CNG Key Isolation Service Elevation of Privilege Vulnerability also allows an attacker to gain system privileges if successfully exploited.
Microsoft is urging administrators to patch systems as soon as possible, as threat actors are actively exploiting several of these vulnerabilities.
Microsoft has published a security update guide for this month’s Patch Tuesday, which includes technical descriptions of all vulnerabilities fixed.
Related Links:
https://www.tenable.com/blog/microsofts-november-2022-patch-tuesday-addresses-62-cves-cve-2022-41073 -Published 8th November
https://msrc.microsoft.com/update-guide/releaseNote/2022-Nov – Published 8th November
Related articles
Microsoft SharePoint Attacks: What Your Business Needs to Know
A new wave of cyber attacks targeting Microsoft SharePoint has left many businesses exposed, according to multiple threat reports this week. Attackers are actively exploiting…
Microsoft 365: Legacy Authentication Protocols Security Update
Starting in mid-July 2025, Microsoft will begin automatically blocking legacy authentication protocols in Microsoft 365, with full enforcement expected by August 2025. This update addresses…