Vulnerabilities in Google, MS and Oracle Make November 22 a Big Month for Patches – ComputerWeekly.com


Nine newly disclosed vulnerabilities with high risk scores in products from some of the most widely used vendors made November a busy month for security teams, with a relatively high number of disclosed bugs affecting Microsoft, a zero-day in Google Chromium proving a somewhat serious matter, and the reappearance of a known Oracle vulnerability demonstrating that novelty isn’t necessarily a bonus for threat actors, according to the latest monthly scans from researchers at Recorded Future.

Recorded Future, which has been conducting its own roundup of vulnerabilities through its internal research operation Insikt Group for several months, said November was a bumper month, especially for Microsoft, which released patches for a total of six zero-days on November 9.

Among these, it said, the most impactful were two vulnerabilities in the Mark of the Web (MotW) security feature, which is supposed to be a safeguard to show that files downloaded from the Internet are safe, but if it is circumvented, malicious code can easily be triggered.

Its researchers also reported a remote code execution (RCE) and an elevation of privilege (EoP) vulnerability in Microsoft Exchange Server that, when chained together, form the previously disclosed exploit known as ProxyNotShell.

“Given its dominance as an operating system for both individual users and enterprise environments, Microsoft Windows is consistently a target for exploiting vulnerabilities,” the Insikt Group researchers said, “but the harvest outbreak of zero-day vulnerabilities associated with Microsoft Windows in November 2022 was surprising even in the midst of a high-profile and often high zero-day year.”

Meanwhile, the Google team patched CVE-2022-4135, a zero-day RCE in the Google Chrome web browser, after finding threat actors exploiting it in the wild. This is Chrome’s eighth zero-day to be discovered in 2022, and its successful exploitation causes a buffer overflow in three versions of Chrome.

The Insikt Group said that given the widespread use of Chrome and Chrome-based browsers, this issue deserves special attention.

“Web browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also vulnerable to exploits from this flaw because they are Chromium-based, which ironically means Google’s disclosure added at least one additional zero-day vulnerability to the list of those Microsoft advocates need to worry about,” they said.

Additionally, another vulnerability in Google Chrome, identified as CVE-2022-4262, was disclosed and added to the US Cybersecurity and Infrastructure Security Agency (CISA) Catalog of Known Exploited Vulnerabilities (KEV) on December 2.

CVE-2022-4262 is a confusion vulnerability in the Chromium V8 engine, and Google said it is aware of an exploit in the wild. It was fixed in an update rolled out last week, but its inclusion in the KEV Catalog – a list of important bugs that US government organizations are forced to fix on a rolling monthly schedule – means it deserves immediate attention from corporate security teams.

Also appearing on Recorded Future’s list, and added to the KEV catalog within the last fortnight, is CVE-2022-35587, an RCE vulnerability in Oracle Fusion Middleware Access Manager which, when successfully exploited, allows an unauthenticated actor with network access via HTTP to take over Access Manager. This carries a CVSS Base Score of 9.8 and isn’t hard to exploit – and worse, it was originally leaked in January 2022, but has since reappeared.

“The active exploitation of the vulnerability follows the disclosure of proof-of-concept (POC) exploits for the vulnerability, which have been available for ‘several months,’ according to SecurityWeek,” the Insikt team said.

In addition to Microsoft’s six zero-days and the others described above, the Insikt team has also listed three other notable November vulnerabilities that may not be as widespread, but will prove particularly impactful to those affected by them.

These are CVE-2022-38374 in Fortinet’s FortiADC web application authentication/authorization service, CVE-2022-39307 in Grafana’s data visualization platform, and CVE-2022-43781 in Atlassian’s BitBucket Git-based source code repository.

The team observed that both Atlassian and Fortinet have already seen the exploitation of critical vulnerabilities in 2022, and pointed out that the Fortinet vulnerability in particular “is the type of vulnerability that attracts criminals or nation-state groups seeking to compromise a key element of the network infrastructure”.
