Another month, one other Microsoft Patch Tuesday, one other 48 patches, one other two zero-days…
…and an astonishing story a couple of bunch of rogue actors who tricked Microsoft itself into giving their malicious code an official digital seal of approval.
For a risk researcher’s view of the Patch Tuesday fixes for December 2002, please seek the advice of the Sophos X-Ops writeup on our sister web site Sophos News:
For a deep dive into the saga of the signed malware, found and reported not too long ago by Sophos Rapid Response consultants who have been referred to as into cope with the aftermath of a profitable assault:
And for a high-level overview of the large points this month, simply hold studying right here…
Two zero-day holes patched
Fortunately, neither of those bugs will be exploited for what’s often called RCE (distant code execution), in order that they don’t give outdoors attackers a direct route into your community.
Nevertheless, they’re each bugs that make issues simpler for cybercriminals by offering methods for them to sidestep safety protections that may often cease them of their tracks:
CVE-2022-44710: DirectX Graphics Kernel Elevation of Privilege Vulnerability
An exploit permitting a neighborhood consumer to abuse this bug has apparently been publicly disclosed.
As far as we’re conscious, nonetheless, the bug applies solely to the very newest builds (2022H2) of Windows 11.
Kernel-level EoP (elevation-of-privilege) bugs enable common customers to “promote” themselves to system-level powers, probably turning a difficult however maybe restricted cybercrime intrusion into an entire laptop compromise.
CVE-2022-44698: Windows SmartScreen Security Feature Bypass Vulnerability
This bug can also be recognized to have been expoited within the wild.
An attacker with malicious content material that may usually provoke a safety alert may bypass that notification and thus infect even well-informed customers with out warning.
Bugs to observe
And listed here are three attention-grabbing bugs that weren’t 0-days, however that crooks might be interested by digging into, within the hope of determining methods to assault anybody who’s sluggish at patching.
Remember that patches themselves typically unavoidably give attackers clear hints on the place to begin wanting, and what kind of issues to to search for.
This type of “work backwards to the attack” scrutiny can result in what are recognized within the jargon as N-day exploits, that means assaults that come out rapidly sufficient that they nonetheless catch many individuals out, regardless that the exploits arrived after patches have been accessible.
CVE-2022-44666: Windows Contacts Remote Code Execution Vulnerability
According to Sophos X-Ops researchers, opening a booby-trapped contact file may do greater than merely import a brand new merchandise into your Contacts record.
With the flawed type of content material in a file that feels (within the phrases of Douglas Adams) as if it should be “mostly harmless”, an attacker may trick you into operating untrusted code as a substitute.
CVE-2022-44690 and CVE-2022-44693: Microsoft SharePoint Server Remote Code Execution Vulnerabilities
Fortunately, this bug doesn’t open up your SharePoint server to simply anybody, however any current consumer in your community who has a SharePoint logon plus “ManageList” permissions may do rather more than merely handle SharePoint lists.
Via this vulnerability, they might run code of their alternative in your SharePoint server as nicely.
CVE-2022-41076: PowerShell Remote Code Execution Vulnerability
Authorised customers who’re logged on to the community will be given entry, through the PowerShell Remoting system, to execute some (however not essentially all) PowerShell instructions on different computer systems, together with shoppers and servers.
By exploiting this vulnerability, it appears that evidently PowerShell Remoting customers can bypass the safety restrictions which can be supposed to use to them, and run distant instructions that ought to be off limits.
The signed driver saga
And final, however in no way least, there’s an enchanting new Microsoft safety advisory to accompany this month’s Patch Tuesday:
ADV220005: Guidance on Microsoft Signed Drivers Being Used Maliciously
Astonishingly, this advisory means simply what it says.
Sophos Rapid Reponse consultants, together with researchers from two different cybersecurity corporations, have not too long ago discovered and reported real-world assaults involving malware samples that have been digitally signed by Microsoft itself.
As Microsoft explains:
Microsoft was not too long ago knowledgeable that drivers licensed by Microsoft’s Windows Hardware Developer Program have been getting used maliciously in post-exploitation exercise. […] This investigation revealed that a number of developer accounts for the Microsoft Partner Center have been engaged in submitting malicious drivers to acquire a Microsoft signature.
In different phrases, rogue coders managed to trick Microsoft into signing malicious kernel drivers, that means that the assaults investigated by Sophos Rapid Response concerned cybercriminals who already had a sure-fire option to get kernel-level powers on computer systems they’d invaded…
…without having any further vulnerabilities, exploits or different trickery.
They may merely set up an apparently official kernel driver, with Microsoft’s personal imprimatur, and Windows, by design, would robotically belief it and cargo it.
Fortunately, these rogue coders have now been kicked out of the Microsoft Developer Program, and the recognized rogue drivers have been blocklisted by Microsoft so they may not work.
For a deep dive into this dramatic story, together with an outline of what the criminals have been in a position to obtain with this type of “officially endorsed” superpower (primarily, terminate safety software program in opposition to its will from contained in the working system itself), please learn the Sophos X-Ops evaluation: