Microsoft releases patches for 68 vulnerabilities, including ‘ProxyNotShell’ zero-days

Microsoft on Tuesday released fixes for 68 vulnerabilities – 11 of them critical – including two zero days known together as “ProxyNotShell”.

Cybersecurity experts told The Record many of the vulnerabilities are currently being exploited in the wild by hackers. According to Spurti Preetham Gurram, senior product manager at Automox, the "ProxyNotShell" vulnerabilities are being actively exploited by Chinese threat actors.

Satnam Narang, senior staff research engineer at Tenable, noted that it has been over a month since the vulnerabilities were disclosed.

One notable fix, he said, was for a vulnerability – CVE-2022-41073 – affecting the Print Spooler service.

The service has long had issues, most notably with the vulnerabilities PrintNightmare, PrintDemon, FaxHell, Evil Printer, and CVE-2020-1337. One of the Print Spooler zero days was used in the highly sophisticated nation-state Stuxnet attack.

“Despite there being several Print Spooler related vulnerabilities disclosed by security researchers since last year, it appears that CVE-2022-41073 is the first Print Spooler vulnerability post PrintNightmare that was first exploited in the wild by attackers,” Narang said.

“We’ve long warned that once Pandora's box was open with PrintNightmare, that flaws within Windows Print Spooler would come back to haunt organizations, and based on the success ransomware groups and other threat actors have had with PrintNightmare, a continued focus on the ubiquitous nature of Windows Print Spooler makes it one of the most attractive targets for privilege escalation and remote code execution.”

The Patch Tuesday release also included fixes for CVE-2022-41091, which was recently exploited in the wild by the Magniber ransomware group, according to researchers at HP. The bug affects the Windows Mark of the Web (MoTW) – a feature Narang said is designed to flag files that have been downloaded from the internet.  

Peter Pflaster, a security researcher at Automox, said the vulnerability was discovered and reported in July 2022. The feature is important, according to Pflaster, because it provides some protection and warning to end users downloading files from untrusted sources. 

Bharat Jogi, director of vulnerability and threat research at Qualys, said that six of the bugs that were  patched on Tuesday are being exploited in the wild. He added that security teams need to be on high alert as the holiday season approaches due to an annual ramp up in activity – citing previous situations like Log4j and SolarWinds. 

“It is likely we will see bad actors attempting to take advantage of disclosed zero days and vulnerabilities released that organizations have left unpatched,” Jogi said. 

Automox's Gina Geisel said CVE-2022-41125 stood out to her from the batch because it impacts a long list of services, including Windows 10 and 11, Win 8.0, 7.0, Server 2008, 2012, 2016, 2019, 2022, and 2022 Azure. 

The bug does not require any user interaction, instead allowing attackers to gain execution privileges on the victim’s device and run a specially crafted application to elevate privileges to exploit this vulnerability.

On Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2022-41091, CVE-2022-41073, CVE-2022-41125 and CVE-2022-41128 to its catalog of known exploited vulnerabilities, giving federal civilian agencies until November 29 to patch all four bugs.