Microsoft on Tuesday disclosed it took steps to suspend accounts that were used to publish malicious drivers that were certified by its Windows Hardware Developer Program were used to sign malware.
The tech giant said its investigation revealed the activity was restricted to a number of developer program accounts and that no further compromise was detected.
Cryptographically signing malware is

Microsoft on Tuesday disclosed it took steps to suspend accounts that were used to publish malicious drivers that were certified by its Windows Hardware Developer Program were used to sign malware.

The tech giant said its investigation revealed the activity was restricted to a number of developer program accounts and that no further compromise was detected.

Cryptographically signing malware is concerning not least because it not only undermines a key security mechanism but also allows threat actors to subvert traditional detection methods and infiltrate target networks to perform highly privileged operations.

The probe, Redmond stated, was initiated after it was notified of rogue drivers being used in post-exploitation efforts, including deploying ransomware, by cybersecurity firms Mandiant, SentinelOne, and Sophos on October 19, 2022.

One notable aspect of these attacks was that the adversary had already obtained administrative privileges on compromised systems before using the drivers.

"Several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature," Microsoft explained. "A new attempt at submitting a malicious driver for signing on September 29, 2022, led to the suspension of the sellers' accounts in early October."

According to an analysis from Sophos threat actors affiliated with the Cuba ransomware (aka COLDDRAW) planted a malicious signed driver in a failed attempt at disabling endpoint detection tools via a novel malware loader dubbed BURNTCIGAR, which was first revealed by Mandiant in February 2022.

The company also identified three variants of the driver signed by code signing certificates that belong to two Chinese companies, Zhuhai Liancheng Technology and Beijing JoinHope Image Technology.

The reasoning behind using signed drivers is that it offers a way for threat actors to get around crucial security measures which require kernel-mode drivers to be signed in order for Windows to load the package. What's more, the technique misuses the de facto trust security tools place in Microsoft-attested drivers to their advantage.

"Threat actors are moving up the trust pyramid, attempting to use increasingly more well-trusted cryptographic keys to digitally sign their drivers," Sophos researchers Andreas Klopsch and Andrew Brandt said. "Signatures from a large, trustworthy software publisher make it more likely the driver will load into Windows without hindrance."

Google-owned Mandiant, in a coordinate disclosure, said it observed a financially motivated threat group known as UNC3944 employing a loader named STONESTOP to install a malicious driver dubbed POORTRY that's designed to terminate processes associated with security software and delete files.

Stating that it has "continually observed threat actors use compromised, stolen, and illicitly purchased code-signing certificates to sign malware," the threat intelligence and incident response firm noted that "several distinct malware families, associated with distinct threat actors, have been signed with this process."

This has given rise to the possibility that these hacking groups could be leveraging a criminal service for code signing (i.e., malicious driver signing as a service), wherein the provider gets the malware artifacts signed through Microsoft's attestation process on behalf of the actors.

STONESTOP and POORTRY are said to have been used by UNC3944 in attacks aimed at telecommunication, BPO, MSSP, financial services, cryptocurrency, entertainment, and transportation sectors, SentinelOne said, adding a different threat actor utilized a similar signed driver that resulted in the deployment of Hive ransomware.

Microsoft has since revoked the certificates for impacted files and suspended the partners' seller accounts to counter the threats as part of its December 2022 Patch Tuesday update.

This is not the first time digital certificates have been abused to sign malware. Last year, a Netfilter driver certified by Microsoft turned out to be a malicious Windows rootkit that was observed communicating with command-and-control (C2) servers located in China.

It's not a Windows-only phenomenon, however, as Google this month published findings that compromised platform certificates managed by Android device makers including Samsung and LG had been used to sign malicious apps distributed through unofficial channels.

The development also comes amid a broader abuse of signed drivers to sabotage security software in recent months. The attack, referred to as Bring Your Own Vulnerable Driver (BYOVD), involves exploiting legitimate drivers that contain known shortcomings to escalate privileges and execute post-compromise actions.

Microsoft, in late October, said it's enabling the vulnerable driver blocklist (DriverSiPolicy.p7b) by default for all devices with Windows 11 2022 update, alongside validating that it's the same across different operating system versions, following an Ars Technica report that highlighted inconsistencies in updating the blocklist for Windows 10 machines.

"Code signing mechanisms are an important feature in modern operating systems," SentinelOne said. "The introduction of driver signing enforcement was key in stemming the tide of rootkits for years. The receding effectiveness of code signing represents a threat to security and verification mechanisms at all OS layers."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Ransomware Attackers Use Microsoft-Signed Drivers to Gain Access to Systems

Tech giant Microsoft released its last set of monthly security updates for 2022 with fixes for 49 vulnerabilities across its software products.
Of the 49 bugs, six are rated Critical, 40 are rated Important, and three are rated Moderate in severity. The updates are in addition to 24 vulnerabilities that have been addressed in the Chromium-based Edge browser since the start of the month.

Patch Management / Vulnerability

Tech giant Microsoft released its last set of monthly security updates for 2022 with fixes for 49 vulnerabilities across its software products.

Of the 49 bugs, six are rated Critical, 40 are rated Important, and three are rated Moderate in severity. The updates are in addition to 24 vulnerabilities that have been addressed in the Chromium-based Edge browser since the start of the month.

December's Patch Tuesday plugs two zero-day vulnerabilities, one that's actively exploited and another issue that's listed as publicly disclosed at the time of release.

The former relates to CVE-2022-44698 (CVSS score: 5.4), one of the three security bypass issues in Windows SmartScreen that could be exploited by a malicious actor to evade mark of the web (MotW) protections.

It's worth noting that this issue, in conjunction with CVE-2022-41091 (CVSS score: 5.4), has been observed being exploited by Magniber ransomware actors to deliver rogue JavaScript files within ZIP archives.

"It allows attackers to craft documents that won't get tagged with Microsoft's 'Mark of the Web' despite being downloaded from untrusted sites," Rapid7's Greg Wiseman said. "This means no Protected View for Microsoft Office documents, making it easier to get users to do sketchy things like execute malicious macros."

Publicly disclosed, but not seen actively exploited, is CVE-2022-44710 (CVSS score: 7.8), an elevation of privilege flaw in DirectX Graphics Kernel that could enable an adversary to gain SYSTEM privileges.

"Successful exploitation of this vulnerability requires an attacker to win a race condition," Microsoft pointed out in an advisory.

Also patched by Microsoft are multiple remote code execution bugs in Microsoft Dynamics NAV, Microsoft SharePoint Server, PowerShell, Windows Secure Socket Tunneling Protocol (SSTP), .NET Framework, Contacts, and Terminal.

Furthermore, the update also resolves 11 remote code execution vulnerabilities in Microsoft Office Graphics, OneNote, and Visio, all of which are rated 7.8 in the CVSS scoring system.

Two of the 19 elevation of privilege flaws remediated this month comprises fixes for the Windows Print Spooler component (CVE-2022-44678 and CVE-2022-44681, CVSS scores: 7.8), continuing a steady stream of patches released by the company over the past year.

Last but not least, Microsoft has assigned the "Exploitation More Likely" tag to the PowerShell remote code execution vulnerability (CVE-2022-41076, CVSS score: 8.5) and Windows Sysmon privilege escalation flaw (CVE-2022-44704, CVSS score: 7.8), making it essential that users apply updates to mitigate potential threats.

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors over the past two weeks to rectify several vulnerabilities, including —

*   Adobe
*   Android
*   Apple
*   Cisco
*   Citrix
*   CODESYS
*   Dell
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   HP
*   IBM
*   Intel
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   NVIDIA
*   Qualcomm
*   SAP
*   Schneider Electric
*   Siemens
*   Sophos
*   Trend Micro, and
*   VMware

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

December 2022 Patch Tuesday: Get Latest Security Updates from Microsoft and More

The U.S. National Security Agency (NSA) on Tuesday said a threat actor tracked as APT5 has been actively exploiting a zero-day flaw in Citrix Application Delivery Controller (ADC) and Gateway to take over affected systems.
The critical remote code execution vulnerability, identified as CVE-2022-27518, could allow an unauthenticated attacker to execute commands remotely on vulnerable devices and

Application Security / Zero-Day

The U.S. National Security Agency (NSA) on Tuesday said a threat actor tracked as APT5 has been actively exploiting a zero-day flaw in Citrix Application Delivery Controller (ADC) and Gateway to take over affected systems.

The critical remote code execution vulnerability, identified as CVE-2022-27518, could allow an unauthenticated attacker to execute commands remotely on vulnerable devices and seize control.

Successful exploitation, however, requires that the Citrix ADC or Citrix Gateway appliance is configured as a SAML service provider (SP) or a SAML identity provider (IdP).

The following supported versions of Citrix ADC and Citrix Gateway are affected by the vulnerability -

*   Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
*   Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
*   Citrix ADC 12.1-FIPS before 12.1-55.291
*   Citrix ADC 12.1-NDcPP before 12.1-55.291

Citrix ADC and Citrix Gateway versions 13.1 are not impacted. The company also said there are no workarounds available "beyond disabling SAML authentication or upgrading to a current build."

The virtualization services provider said it's aware of a "small number of targeted attacks in the wild" using the flaw, urging customers to apply the latest patch to unmitigated systems.

APT5, also known as Bronze Fleetwood, Keyhole Panda, Manganese, and UNC2630, is believed to operate on behalf of Chinese interests. Last year, Mandiant revealed espionage activity targeting verticals that aligned with government priorities outlined in China's 14th Five-Year Plan.

Those attacks entailed the abuse of a then-disclosed flaw in Pulse Secure VPN devices (CVE-2021-22893, CVSS score: 10.0) to deploy malicious web shells and exfiltrate valuable information from enterprise networks.

"APT5 has demonstrated capabilities against Citrix Application Delivery Controller deployments," NSA said. "Targeting Citrix ADCs can facilitate illegitimate access to targeted organizations by bypassing normal authentication controls."

Microsoft, last month, pointed out Chinese threat actors' history of discovering and using zero days to their advantage before being picked up by other adversarial collectives in the wild.

News of the Citrix bug also comes a day after Fortinet revealed a severe vulnerability that also facilitates remote code execution in FortiOS SSL-VPN devices (CVE-2022-42475, CVSS score: 9.3).

**VMWare releases updates for code execution vulnerabilities**

In a related development, VMware disclosed details of two critical flaws impacting ESXi, Fusion, Workstation, and vRealize Network Insight (vRNI) that could result in command injection and code execution.

*   **CVE-2022-31702** (CVSS score: 9.8) - Command injection vulnerability in vRNI
*   **CVE-2022-31703** (CVSS score: 7.5) - Directory traversal vulnerability in vRNI
*   **CVE-2022-31705** (CVSS score: 5.9/9.3) - Heap out-of-bounds write vulnerability in EHCI controller

"On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed," the company said in a security bulletin for CVE-2022-31705.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Actively Exploiting Citrix ADC and Gateway Zero-Day Vulnerability

Apple on Tuesday rolled out security updates to iOS, iPadOS, macOS, tvOS, and Safari web browser to address a new zero-day vulnerability that could result in the execution of malicious code.
Tracked as CVE-2022-42856, the issue has been described by the tech giant as a type confusion issue in the WebKit browser engine that could be triggered when processing specially crafted content, leading to

Apple on Tuesday rolled out security updates to iOS, iPadOS, macOS, tvOS, and Safari web browser to address a new zero-day vulnerability that could result in the execution of malicious code.

Tracked as **CVE-2022-42856**, the issue has been described by the tech giant as a type confusion issue in the WebKit browser engine that could be triggered when processing specially crafted content, leading to arbitrary code execution.

The company said it's "aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1."

While details surrounding the exact nature of the attacks are unknown as yet, it's likely that it involved a case of social engineering or a watering hole to infect the devices when visiting a rogue or legitimate-but-compromised domain via the browser.

It's worth noting that every third-party web browser that's available for iOS and iPadOS, including Google Chrome, Mozilla Firefox, and Microsoft Edge, and others, is required to use the WebKit rendering engine due to restrictions imposed by Apple.

Credited with discovering and reporting the issue is Clément Lecigne of Google's Threat Analysis Group (TAG). Apple noted it addressed the bug with improved state handling.

The update, which is available with iOS 15.7.2, iPadOS 15.7.2, macOS Ventura 13.1, tvOS 16.2, and Safari 16.2, arrives two weeks after Apple patched the same bug in iOS 16.1.2 on November 30, 2022.

The fix marks the resolution of the tenth zero-day vulnerability discovered in Apple software since the start of the year. It's also the ninth actively exploited zero-day flaw in 2022 -

*   **CVE-2022-22587** (IOMobileFrameBuffer) – A malicious application may be able to execute arbitrary code with kernel privileges
*   **CVE-2022-22594** (WebKit Storage) – A website may be able to track sensitive user information (publicly known but not actively exploited)
*   **CVE-2022-22620** (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
*   **CVE-2022-22674** (Intel Graphics Driver) – An application may be able to read kernel memory
*   **CVE-2022-22675** (AppleAVD) – An application may be able to execute arbitrary code with kernel privileges
*   **CVE-2022-32893** (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
*   **CVE-2022-32894** (Kernel) – An application may be able to execute arbitrary code with kernel privileges
*   **CVE-2022-32917** (Kernel) – An application may be able to execute arbitrary code with kernel privileges
*   **CVE-2022-42827** (Kernel) – An application may be able to execute arbitrary code with kernel privileges

The latest iOS, iPadOS, and macOS updates also introduce a new security feature called Advanced Data Protection for iCloud that expands end-to-end encryption (E2EE) to ‌iCloud‌ Backup, Notes, Photos, and more.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Actively Exploited Zero-Day Vulnerability Discovered in Apple Products

Here's what you need to patch now, including six critical updates for Microsoft's final Patch Tuesday of the year.

Microsoft has released fixes for 48 new vulnerabilities across its products, including one that attackers are actively exploiting and another that has been publicly disclosed but is not under active exploit now.

Six of the vulnerabilities that the company patched in its final monthly security update for the year are listed as critical. It assigned an important severity rating to 43 vulnerabilities and gave three flaws a moderate severity assessment. 

Microsoft's update includes patches for out-of-band CVEs it addressed over the past month, plus 23 vulnerabilities in Google's Chromium browser technology, on which Microsoft's Edge browser is based.

**Actively Exploited Security Bug**

The flaw that attackers are actively exploiting (CVE-2022-44698) is not among the more critical of the bugs for which Microsoft released patches today. The flaw gives attackers a way to bypass the Windows SmartScreen security feature for protecting users against malicious files downloaded from the Internet. 

"An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging," Microsoft said.

CVE-2022-44698 presents only a relatively small risk for organizations, says Kevin Breen, director of cyber-threat research at Immersive Labs. "It has to be used in partnership with an executable file or other malicious code like a document or script file," Breen says. "In these situations, this CVE bypasses some of Microsoft's built-in reputation scanning and detection — namely SmartScreen, which would normally pop up to tell a user the file may not be safe." 

At the same time, users should not underestimate the threat and should patch the issue quickly, Breen recommends.

Microsoft described another flaw — an elevation of privilege issue in the DirectX Graphics kernel — as a publicly known zero-day but not under active exploit. The company assessed the vulnerability (CVE-2022-44710) as being "Important" in severity and one that would allow an attacker to gain system-level privileges if exploited. However, the company described the flaw as one that attackers are less likely to exploit.

**Vulnerabilities to Patch Now**

Trend Micro's ZDI flagged three other vulnerabilities in the December Patch Tuesday security update as being significant: CVE-2022-44713, CVE-2022-41076, and CVE-2022-44699.

CVE-2022-44713 is a spoofing vulnerability in Microsoft Outlook for Mac. The vulnerability allows an attacker to appear as a trusted user and cause a victim to mistake an email message as if it came from a legitimate user. 

"We don't often highlight spoofing bugs, but anytime you're dealing with a spoofing bug in an email client, you should take notice," ZDI's head of threat awareness Dustin Childs said in a blog post. The vulnerability could prove especially troublesome when combined with the aforementioned SmartScreen MoTW bypass flaw that attackers are actively exploiting, he said.

CVE-2022-41076 is a PowerShell remote code execution (RCE) vulnerability that allows an authenticated attacker to escape the PowerShell Remoting Session Configuration and run arbitrary commands on an affected system, Microsoft said. 

The company assessed the vulnerability as something that attackers are more likely compromise, even though attack complexity itself is high. According to Childs, organizations should pay attention the vulnerability because it is the type of flaw that attackers often exploit when looking to "live off the land" after gaining initial access on a network. 

"Definitely don’t ignore this patch," Childs wrote.

And finally, CVE-2022-44699 is another security bypass vulnerability — this time in Azure Network Watcher Agent — that, if exploited, could affect an organization's ability to capture logs needed for incident response. 

"There might not be many enterprises relying on this tool, but for those using this \[Azure Network Watcher\] VM extension, this fix should be treated as critical and deployed quickly,' Childs said.

Researchers with Cisco Talos identified three other vulnerabilities as critical and issues that organizations need to address immediately. One of them is CVE-2022-41127, an RCE vulnerability that affects Microsoft Dynamics NAV and on-premises versions of Microsoft Dynamics 365 Business Central. A successful exploit could allow an attacker to execute arbitrary code on servers running Microsoft's Dynamics NAV ERP application, Talos researchers said in a blog post. 

The other two vulnerabilities that the vendor considers to be of high importance are CVE-2022-44670 and CVE-2022-44676, both of which are RCE flaws in the Windows Secure Socket Tunneling Protocol (SSTP). 

"Successful exploitation of these vulnerabilities requires an attacker to win a race condition but could enable an attacker to remotely execute code on RAS servers," according to Microsoft's advisory.

Among the vulnerabilities that the SANS Internet Storm Center identified as important are (CVE-2022-41089), an RCE in the .NET Framework, and (CVE-2022-44690) in Microsoft SharePoint Server.

In a blog post, Mike Walters, vice president of vulnerability and threat research at Action1 Corp., also pointed to a Windows Print Spooler elevation of privilege vulnerability (CVE-2022-44678), as another issue to watch. 

"The newly resolved CVE-2022-44678 is most likely to be exploited, which is probably true because Microsoft fixed another zero-day vulnerability related to Print Spooler last month," Walters said. "The risk from CVE-2022-44678 is the same: an attacker can get SYSTEM privileges after successful exploitation — but only locally."

**A Confusing Bug Count**

Interestingly, several vendors had different takes on the number of vulnerabilities that Microsoft patched this month. ZDI, for instance, assessed that Microsoft patched 52 vulnerabilities; Talos pegged the number at 48, SANS at 74, and Action1 initially had Microsoft patching 74, before revising it down to 52.

Johannes Ullrich, dean of research for the SANS Technology Institute, says the issue has to do with the different ways one can count the vulnerabilities. Some, for instance, include Chromium vulnerabilities in their count while others do not. 

Others, like SANS, also include security advisories that sometimes accompany Microsoft updates as vulnerabilities. Microsoft also sometimes releases patches during the month, which it also includes in the following Patch Tuesday update, and some researchers don't count these. 

"The patch count can sometimes be confusing, as the Patch Tuesday cycle is technically November to December, so this will also include patches that were released out of band earlier in the month, and can also include updates from third party vendors," Breen says. "The most notable of these are patches from Google from Chromium, which is the base for Microsoft's Edge browser."  
Breen says by his count there are 74 vulnerabilities patched since the last Patch Tuesday in November. This includes 51 from Microsoft and 23 from Google for the Edge browser. 

"If we exclude both the out-of-band and Google Chromium \[patches\], 49 patches for vulnerabilities were released today," he says.

A Microsoft spokesman says the number of new CVEs for which the company issued patches today was 48.

Microsoft Squashes Zero-Day, Actively Exploited Bugs in Dec. Update

The company has taken measures to mitigate the risks, but security researchers warn of a broader threat.

Less than two weeks ago, the United States Cybersecurity & Infrastructure Security Agency and FBI released a joint advisory about the threat of ransomware attacks from a gang that calls itself “Cuba.” The group, which researchers believe is, in fact, based in Russia, has been on a rampage over the past year targeting an increasing number of businesses and other institutions in the US and abroad. New research released today indicates that Cuba has been using pieces of malware in its attacks that were certified, or given a seal of approval, by Microsoft.

Cuba used these cryptographically signed “drivers” after compromising a target's systems as part of efforts to disable security scanning tools and change settings. The activity was meant to fly under the radar, but it was flagged by monitoring tools from the security firm Sophos. Researchers from Palo Alto Networks Unit 42 previously observed Cuba signing a privileged piece of software known as a “kernel driver” with an NVIDIA certificate that was leaked earlier this year by the Lapsus$ hacking group. And Sophos says it has also seen the group use the strategy with compromised certificates from at least one other Chinese tech company, which security firm Mandiant identified as Zhuhai Liancheng Technology Co. 

“Microsoft was recently informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity,” the company said in a security advisory today. “Several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature … The signed malicious drivers were likely used to facilitate post-exploitation intrusion activity such as the deployment of ransomware.”

Sophos notified Microsoft about the activity on October 19 along with Mandiant and security firm SentinelOne. Microsoft says it has suspended the Partner Center accounts that were being abused, revoked the rogue certificates, and released security updates for Windows related to the situation. The company adds that it hasn't identified any compromise of its systems beyond the partner account abuse.

Microsoft declined WIRED's request to comment beyond the advisory.

“These attackers, most likely affiliates of the Cuba ransomware group, know what they’re doing—and they’re persistent," says Christopher Budd, director of threat research at Sophos. “We’ve found a total of 10 malicious drivers, all variants of the initial discovery. These drivers show a concerted effort to move up the trust chain, starting at least this past July. Creating a malicious driver from scratch and getting it signed by a legitimate authority is difficult. However, it’s incredibly effective, because the driver can essentially carry out any processes without question."

Cryptographic software signing is an important validation mechanism meant to ensure that software has been vetted and anointed by a trusted party or “certificate authority.” Attackers are always looking for weaknesses in this infrastructure, though, where they can compromise certificates or otherwise undermine and abuse the signing process to legitimize their malware. 

“Mandiant has previously observed scenarios when it is suspected that groups leverage a common criminal service for code signing,” the company wrote in a report published today. “The use of stolen or fraudulently obtained code signing certificates by threat actors has been a common tactic, and providing these certificates or signing services has proven a lucrative niche in the underground economy.”

Earlier this month, Google published findings that a number of compromised “platform certificates” managed by Android device makers including Samsung and LG had been used to sign malicious Android apps distributed through third-party channels. It appears that at least some of the compromised certificates were used to sign components of the Manuscrypt remote access tool. The FBI and CISA have previously attributed activity associated with the Manuscrypt malware family to North Korean state-backed hackers targeting cryptocurrency platforms and exchanges.

“In 2022, we’ve seen ransomware attackers increasingly attempting to bypass endpoint detection and response products of many, if not most, major vendors,” Sophos' Budd says. “The security community needs to be aware of this threat so that they can implement additional security measures. What’s more, we may see other attackers attempt to emulate this type of attack.”

With so many compromised certificates flying around, it seems that many attackers have already gotten the memo about shifting toward this strategy.

Cuba Ransomware Gang Abused Microsoft Certificates to Sign Malware

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

CVE-2022-44708

Microsoft Edge (Chromium-based) Update Elevation of Privilege Vulnerability.

CVE-2022-41115

Microsoft Windows System Monitor (Sysmon) Elevation of Privilege Vulnerability

CVE-2022-44704

Microsoft Office Graphics Remote Code Execution Vulnerability

Tag

#microsoft