Microsoft Windows Sysmon Elevation of Privilege Vulnerability.

CVE-2022-41120

Microsoft Excel Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-41106.

CVE-2022-41063

Microsoft ODBC Driver Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-41047.

CVE-2022-41048

Microsoft ODBC Driver Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-41048.

CVE-2022-41047

Microsoft Business Central Information Disclosure Vulnerability.

CVE-2022-41066

Microsoft Excel Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-41063.

CVE-2022-41106

By Deeba Ahmed
Microsoft has urged Windows Administrators to install the updates urgently so make sure you have the latest patches installed!
This is a post from HackRead.com Read the original post: Microsoft Issues Patches to Fix 6 Active 0-Day Windows Vulnerabilities

It is no surprise that Microsoft’s products are on the hit list of cyber attacks, given the steadily increasing number of **zero-day attacks against them**. It is the second time in two months that the reputed software maker has released patches to fix already exploited zero-days in its scheduled Patch Tuesday update. The company urged Windows Administrators to install the updates urgently.

 The details of these flaws and the subsequent fixes are as follows:

**Microsoft Fixes Crucial Flaws in Patch Tuesday Update**

According to the tech giant, in its monthly security update, Patch Tuesday, the company has released patches for 68 vulnerabilities, including six unique, actively exploited zero-days. These flaws were flagged in the Exploitation Category. This includes two fixes for **Exchange Server security flaws** that a state-sponsored entity exploited for several months.

Twelve flaws were marked Critical, two of which were rated High, whereas fifty-five were rated Important in severity. The company also released patches for weaknesses fixed the previous week by **OpenSSL**.

Microsoft separately fixed another actively exploited vulnerability, **CVE-2022-3723**. It was detected in Chromium-based browsers.

**Zero-Days Details**

Microsoft’s security response team described four new and already exploited zero-days tracked as **CVE-2022-41125**, **CVE-2022-41073**, **CVE-2022-41091**, and **CVE-2022-41128**.

The CVE-2022-41128 was detected by Google TAG’s Benoît Sevens and Clément Lecigne, found in the Jscript9 component. It occurred when the target was lured to visit a malicious website.

The CVE-2022-41091 is a security bypass flaw in Windows MoTW (Mark of the Web), which was recently discovered to be weaponized by the **Magniber ransomware** actor, and users were targeted with fake software updates. A malicious file could help the attacker evade MoTW defenses that lead to loss of integrity and security features like MS Office’s Protected View, **Microsoft’s advisory read**.

**Microsoft Exchange Server Vulnerabilities**

In addition, they also patched two Microsoft Exchange server flaws tracked as **CVE-2022-41040 and CVE-2022-41082**. These exploits were used for privilege escalation, RCE (remote code execution), and feature bypassing.

The first four flaws impacted the Windows CNG Key Isolation Service, the Windows Print Spooler, Windows Mark of the Web Security, and Windows Scripting Languages. The other two flaws that **affected Exchange Server** entailed an RCE, and a privilege escalation bug, which was actually part of an extended exploit chain that Microsoft believes was exploited by a state-sponsored threat actor.

According to Microsoft, due to security issues, at least ten organizations have been targeted. Both flaws are documented as SSRF (server-side request forgery) issues.

**Critical Vulnerabilities Fixed in November**

Other Critical-rated vulnerabilities were privilege escalation flaws discovered in Windows Kerberos RC4-HMAC (**CVE-2022-37966**), Kerberos (**CVE-2022-37967**), and Microsoft Exchange Server (**CVE-2022-41080**). Moreover, a denial-of-service flaw was also fixed that impacted Windows Hyper-V (**CVE-2022-38015**).

1.  **Chinese Hackers Hiding Malware in Windows Logo**
2.  **Hackers Abusing Microsoft Dynamics 365 Customer Voice**
3.  **Microsoft Office Most Exploited Software in Malware Attacks**
4.  **Apple Safari Safest, Google Chrome Riskiest Browser of 2022**
5.  **Scammers Leveraging Microsoft Team GIFs in Phishing Attacks**

Microsoft Issues Patches to Fix 6 Active 0-Day Windows Vulnerabilities

An out-of-bounds write vulnerability exists in the PICT parsing pctwread_14841 functionality of Accusoft ImageGear 20.0. A specially-crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2022-32588: TALOS-2022-1544 || Cisco Talos Intelligence Group

In Phoenix Contact: FL MGUARD DM version 1.12.0 and 1.13.0 access to the Apache web server being installed as part of the FL MGUARD DM on Microsoft Windows does not require login credentials even if configured during installation.Attackers with network access to the Apache web server can download and therefore read mGuard configuration profiles (“ATV profiles”). Such configuration profiles may contain sensitive information, e.g. private keys associated with IPsec VPN connections.

2021-08-11 09:59 (CEST) VDE-2021-035  

**PHOENIX CONTACT: FL MGUARD DM version 1.12.0 and 1.13.0 Improper Privilege Management**  
Share: Email | Twitter  

**Published**

2021-08-11 09:59 (CEST)

**Last update**

2021-08-11 09:59 (CEST)

**Vendor(s)**

PHOENIX CONTACT GmbH & Co. KG  

**Product(s)**

Article No°

Product Name

Affected Version(s)

2981974

FL MGUARD DM

\= 1.12.0

2981974

FL MGUARD DM

\= 1.13.0

**Summary**

Access to the Apache web server being installed as part of the FL MGUARD DM on Microsoft Windows does not require login credentials even if configured during installation.

**CVE ID**

**Severity**

**Weakness**

Improper Privilege Management  (CWE-269) 

**Summary**

In Phoenix Contact: FL MGUARD DM version 1.12.0 and 1.13.0 access to the Apache web server being installed as part of the FL MGUARD DM on Microsoft Windows does not require login credentials even if configured during installation.Attackers with network access to the Apache web server can download and therefore read mGuard configuration profiles (“ATV profiles”). Such configuration profiles may contain sensitive information, e.g. private keys associated with IPsec VPN connections.

**Source**

**Impact**

Attackers with network access to the Apache web server can download and therefore read mGuard configuration profiles (“ATV profiles”). Such configuration profiles may contain sensitive information, e.g. private keys associated with IPsec VPN connections.

**Solution**

*   Stop the ApacheMDM Windows service.
*   Edit file <mdm>/apache/conf/extra/httpd-mdm.conf and remove the instances of these lines for “DocumentRoot” and alias “/atv”:

    # Controls who can get stuff from this server.

<mdm> refers to the directory in which FL MGUARD DM is installed.

*   Start the ApacheMDM Windows service.

**Remediation**  
This vulnerability is fixed in FL MGUARD DM 1.13.0.1. We advise all affected FL MGUARD DM 1.12.0 and 1.13.0 users to upgrade to FL MGUARD DM 1.13.0.1 or a later version.  
Additional recommendations:

*   Limit network access to the Apache web server to as few network addresses as possible.
*   If possible, make use of encrypted mGuard configuration profiles.

**Reported by**

We kindly appreciate the coordinated disclosure of this vulnerability by the finder.

PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.

CVE-2021-34579: VDE-2021-035 | CERT@VDE

The Swiss Army knife-like browser extension is heaven for attackers — and can be hell for enterprise users.

A malicious browser extension that works on both Google Chrome and Microsoft Edge allows attackers to remotely take over someone's browser session and carry out a full range of attacks. It's built to steal cookies and other info, mine cryptocurrency, install malware, or take over the entire device for use in a distributed denial-of-service (DDoS) attack — among other things.  

Thanks to this multitool approach, the Cloud9 botnet basically acts like a remote access Trojan (RAT) for the Chromium browser, which is the framework for Chrome, Edge, and some other browsers, researchers at Zimperium zLabs revealed in a blog post Nov. 8.

The malware is comprised of three JavaScript files and has been active since as far back as 2017, with an update in 2020 that proliferated as a single JavaScript that can be included on any website using script tags, researchers said.

Researchers have linked Cloud9 to the Keksec malware group due to the activity of its command-and-control servers (C2s), which point to domains previously used by the gang. The well-resourced group — known for creating various botnets-for-hire — was seen in June weaponizing a Linux botnet called EnemyBot against vulnerabilities in enterprise services. In Cloud9's case, it's likely being sold "for a few hundred dollars" or offered for free to other groups on various hacker forums, researchers said.

"As it is quite trivial to use and available for free, it can be used by many malware groups or individuals for specific purposes," Zimperium zLabs malware analyst Nipun Gupta wrote in the post.

**Enterprise Users at Risk**

The malware offers a veritable buffet of nefarious activity, "purposefully designed to target all kinds of users and serves its purpose of retrieving user information," Gupta wrote. This includes enterprise users, where the botnet can be used to infiltrate a user's machine to propagate further malicious activity.

That said, "the Cloud9 malware does not target any specific group, meaning it is as much an enterprise threat as it is a consumer threat," Gupta wrote. "It is quite clear that this malware group is targeting all browsers and operating systems and thus trying to increase their attack surface."

Core capabilities of Cloud9 include: the ability to send GET/POST requests, which can be used to fetch malicious resources; cookie stealing to compromise user sessions; keylogging for nabbing passwords and other info; and the ability to launch a Layer 4/Layer 7 hybrid attack, which can be used to perform DDoS attacks from victims' machines.

Cloud9 also can detect a user's OS and/or browser to deliver next-stage payloads; inject ads by opening 'pop-unders'; execute JavaScript code from other sources for further malicious code delivery; silently load web pages for ad or malicious-code injection; mine cryptocurrency using the browser or the victim's device resources; or send a browser exploit to inject malicious code and take complete control of the device.

**Browser Escape and a Multifaceted Attack**

Researchers walked through an example of a Cloud9 attack on a Chrome browser, outlining several steps that ultimately perform a slew of nefarious tasks — including mining cryptocurrency from a victim's machine, stealing cookies and clipboard data, and even using exploits to "escape" the browser and execute malware on the victim's device.

The main functionality of the extension is available in a file named campaign.js, JavaScript that also can be used as a standalone and thus can redirect victims to a malicious website that contains the campaign.js script.

The campaign.js starts by identifying the victim's OS and then injects a JavaScript file that mines cryptocurrency using the victim's computer resources, both diminishing the performance of the device while reducing hardware lifespan and increasing energy usage — "which translates into a slow but steady monetary loss," Gupta noted.

Cloud9 then injects another script named cthulhu.js that contains a full-chain exploit for two vulnerabilities — CVE-2019-11708 and CVE-2019-98100 — that target Firefox on a 64-bit Windows OS. Upon successful exploitation, it drops Windows-based malware on the device, enabling the threat actor to take over the entire system.

Researchers also witnessed Cloud9 using other browser exploits for Internet Explorer (CVE-2014-6332, CVE-2016-0189) and Edge (CVE-2016-7200 that, if successful, gives the attacker the same user rights as the current user and can execute code on the victim's device accordingly. Further, if the user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights, researchers said.

Cloud9 also can use its ability to send POST requests to any domain to carry out Layer 7 DDoS attacks if the attacker has a significant number of victims connected as botnets. In fact, true to its reputation, Keksec likely is selling the extension to provide a botnet service to perform DDoS, Gupta noted.

**Protecting the Enterprise**

Because of the broad capabilities of Cloud9 and the wide attack surface it can generate, enterprise customers should be on alert, researchers said. Indeed, traditional endpoint security solutions don't typically monitor this type of attack vector, which leaves browsers "susceptible and vulnerable," Gupta observed.

It's unclear how Cloud9 is being spread, but so far, Zimperium zLabs has seen no evidence of the malicious extension on the Google Play Store or any other legitimate mobile app shop. For this reason, enterprises should train users on the risks associated with browser extensions that they encounter outside of official repositories, he said. They also should consider what security controls they have in place for such risks in their security posture overall.

Tag

#microsoft