Microsoft fixes exploited zero-day, revokes certificate used to sign malicious drivers (CVE-2022-44698) | Throne Tech


It is December 2022 Patch Tuesday, and Microsoft has delivered fixes for more than 50 vulnerabilities, including a Windows SmartScreen bypass flaw (CVE-2022-44698) exploited by attackers to deliver a variety of malware.

CVE-2022-44698 affects all versions of the Windows operating system starting with Windows 7 and Windows Server 2008 R2.

“The vulnerability has low complexity. It uses the network vector and doesn’t require privilege escalation. However, user interaction is required; attackers must trick the victim into visiting a malicious website via phishing emails or other forms of social engineering to exploit the security feature bypass,” Mike Walters, VP of Vulnerability and Threat Research at Action1, told Help Net Security.

“A threat actor can create a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features that rely on MOTW tagging, for instance ‘Protected View’ in Microsoft Office. This zero-day has a moderate CVSS risk score of 5.4, because it only helps bypass Microsoft Defender’s SmartScreen protection mechanism and has no RCE or DoS functionality.”

Other vulnerabilities fixed in this release

CVE-2022-41076 is a PowerShell RCE that can be triggered by attackers who don’t have elevated privileges, but who must take additional steps prior to exploitation to prepare the target environment.

“An authenticated attacker could escape the PowerShell Remoting Session Configuration and run unapproved commands on the target system,” Microsoft explained. Since attackers often abuse this scripting tool, everyone should prioritize this fix.

Trend Micro’s Dustin Childs also flagged CVE-2022-44713, a phishing vulnerability affecting Microsoft Outlook for Mac, as potentially very dangerous and ideal for phishers.

“This vulnerability could allow an attacker to appear as a trusted user when they should not be. Now combine this with bypassing the SmartScreen Mark of the Web and it isn’t hard to get to a scenario where you receive an email that appears to be from your boss with an attachment titled ‘Executive_Compensation.xlsx’. There aren’t many who wouldn’t open that file in that scenario,” he noted.

SharePoint administrators need to fix two RCEs (CVE-2022-44690 and CVE-2022-44693) that fortunately require specific permissions and pre-exploit authentication.

Malicious drivers signed by Microsoft

In late October, Microsoft was alerted to the fact that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity related to ransomware attacks (Cuba).

“In these attacks, the attacker had already obtained administrative privileges on the compromised systems before using the drivers,” Microsoft noted.

Microsoft’s investigation into the matter revealed that several developer accounts for the Microsoft Partner Center were submitting malicious drivers in an attempt to get Microsoft to sign them, so they could remove the EDR agents on the targeted endpoints.

“We have suspended the partner vendor accounts and implemented blocking detections to help protect customers from this threat,” the company said.

“Microsoft has released Windows security updates that revoke the certificates of the affected files and suspend the partner vendor accounts. In addition, Microsoft has implemented blocking detections (Microsoft Defender 1.377.987.0 and newer) to help protect customers from legitimately signed drivers that have been used maliciously in post-exploitation activity.”

Users and administrators are advised to install the latest Windows updates and to ensure that their antivirus and endpoint detection products are up to date and enabled.

Following the release of these updates and the advisory, Mandiant, Sophos, and SentinelOne published their research on this particular attack avenue.

“Several distinct malware families, associated with distinct threat actors, have been signed using this process,” the Mandiant researchers said, noting that they “identified at least nine unique organization names associated with attestation-signed malware.”
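A defender-side triage helper, added here and not taken from the article or from any vendor's code: it inventories the running kernel drivers, records each file's Authenticode status, signer and SHA-256, and flags drivers signed through Microsoft's attestation path (signer name containing "Windows Hardware Compatibility Publisher") so an administrator can review them against the vendor reports above. It assumes Windows PowerShell 5.1 or later running as administrator; the path-normalization rules are my own.

```powershell
# Added example, not part of the original article.
# Normalize the PathName values Win32_SystemDriver reports into real file paths.
function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                    # strip the \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot   # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^(system32|syswow64)\\') {           # relative to the Windows directory
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

# Build one record per running driver: signature status, signer, attestation flag, hash.
function Get-DriverSignatureReport {
    Get-CimInstance Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Name        = $_.Name
            Path        = $path
            Status      = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer      = $signer
            # Attestation-signed drivers carry this publisher rather than a WHQL release signer.
            Attestation = $signer -like '*Windows Hardware Compatibility Publisher*'
            SHA256      = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
        }
    }
}

# Surface what needs a human look: attestation-signed drivers and anything not cleanly valid.
# Hashes are printed so they can be compared with the vendor reports and the driver blocklist.
Get-DriverSignatureReport |
    Where-Object { $_.Attestation -or $_.Status -ne 'Valid' } |
    Sort-Object Attestation -Descending |
    Format-Table Name, Status, Attestation, SHA256, Path -AutoSize
```

An attestation signature is not evidence of compromise by itself; the output is a review list, and the hash column is what you match against published indicators.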
