Nine new vulnerabilities

November has been a busy month for security teams, with high-risk scores on some widely used vendor products, a relatively high number of disclosed bugs affecting Microsoft, a zero-day in Google Chromium proving somewhat serious, and the resurgence of a known Oracle vulnerability showing that novelty isn’t necessarily a bonus for threat actors, according to a recent monthly analysis by researchers at Recorded Future.
Recorded Future, which has been running its own vulnerability round-up through its in-house Insikt Group research operation for several months, said November was a bumper month, especially for Microsoft, which on November 9 released fixes for a total of six zero-days.
Of these, it said, the two with the most impact affected the Mark of the Web (MotW) security feature, which is supposed to act as a safeguard by flagging files downloaded from the Internet; bypassing it could easily allow malicious code to run.
Its researchers also flagged a remote code execution (RCE) and an elevation of privilege (EoP) vulnerability in Microsoft Exchange Server that, if chained, constitute the previously disclosed exploit known as ProxyNotShell.
“Given its dominance as an operating system for both individual users and corporate environments, Microsoft Windows is consistently the target of vulnerability exploits,” Insikt Group researchers said, “but November 2022 has seen a bumper crop of zero-day vulnerabilities associated with Microsoft Windows in a high-profile year, and it was surprising even given the often high number of zero-days.”
Meanwhile, Google’s team has patched CVE-2022-4135, an RCE zero-day in the Google Chrome web browser, after threat actors in the wild exploited it. This is the eighth Chrome zero-day found in 2022, and successfully exploiting it causes a heap buffer overflow in all three versions of Chrome.
Insikt Group said that due to the widespread use of Chrome and Chromium-based browsers, this issue warrants close attention.
“Web browsers like Microsoft Edge, Brave, Opera, and Vivaldi are also vulnerable to exploitation of this flaw because they are Chromium-based, which means, ironically, that Google’s disclosure adds at least one more zero-day vulnerability to the list that Microsoft defenders have to worry about,” they said.
Apart from this, another Google Chrome vulnerability, tracked as CVE-2022-4262, was published and added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog on 2 December.
CVE-2022-4262 is a V8 type confusion vulnerability in the Chromium V8 engine, and Google said it was aware of exploits in the wild. It was fixed in an update rolled out last week, but its inclusion in the KEV catalog — a list of critical bugs that US government agencies are obligated to fix on a rolling monthly schedule — means it warrants immediate attention from corporate security teams.
Also present on Recorded Future’s list, and added to the KEV catalog within the last fortnight, is CVE-2022-35587, an RCE vulnerability in Oracle Fusion Middleware Access Manager that has been successfully exploited, allowing an unauthenticated actor with network access via HTTP to compromise the manager. It carries a CVSS base score of 9.8 and is not difficult to exploit – and worse, it was initially disclosed in January 2022 but has since popped up again.
“The active exploitation of the vulnerability follows the release of a proof-of-concept (PoC) exploit for the vulnerability, which has been available for ‘several months’, according to SecurityWeek,” said the Insikt team.
In addition to the six Microsoft zero-days and the others described above, the Insikt team listed three other notable vulnerabilities from November that may not be as widespread, but will be of particular concern to those they affect.
These are CVE-2022-38374 in Fortinet’s FortiADC web application authentication/authorisation service, CVE-2022-39307 in Grafana’s data visualisation platform, and CVE-2022-43781 in Atlassian’s Bitbucket Git-based source code repository.
The team observed that both Atlassian and Fortinet have already seen critical vulnerability exploits in 2022 and noted that the Fortinet vulnerability in particular is “the type of vulnerability that is attractive to criminals or nation-state groups that want to compromise a key part of the network infrastructure”.