microsoft – Friki Linux

Microsoft Patch Tuesday, March 2023 Edition

Posted on 2023-03-15 by Kernel

Microsoft on Tuesday released updates to quash at least 74 security bugs in its Windows operating systems and software. Two of those flaws are already being actively attacked, including an especially severe weakness in Microsoft Outlook that can be exploited without any user interaction.

The Outlook vulnerability (CVE-2023-23397) affects all versions of Microsoft Outlook from 2013 to the newest. Microsoft said it has seen evidence that attackers are exploiting this flaw, which can be done without any user interaction by sending a booby-trapped email that triggers automatically when retrieved by the email server — before the email is even viewed in the Preview Pane.

While CVE-2023-23397 is labeled as an “Elevation of Privilege” vulnerability, that label doesn’t accurately reflect its severity, said Kevin Breen, director of cyber threat research at Immersive Labs.

Known as an NTLM relay attack, it allows an attacker to get someone’s NTLM hash [Windows account password] and use it in an attack commonly referred to as “Pass The Hash.”

“The vulnerability effectively lets the attacker authenticate as a trusted individual without having to know the person’s password,” Breen said. “This is on par with an attacker having a valid password with access to an organization’s systems.”

Security firm Rapid7 points out that this bug affects self-hosted versions of Outlook like Microsoft 365 Apps for Enterprise, but Microsoft-hosted online services like Microsoft 365 are not vulnerable.

The other zero-day flaw being actively exploited in the wild — CVE-2023-24800 — is a “Security Feature Bypass” in Windows SmartScreen, part of Microsoft’s slate of endpoint protection tools.

Patch management vendor Action1 notes that the exploit for this bug is low in complexity and requires no special privileges. But it does require some user interaction, and can’t be used to gain access to private information or privileges. However, the flaw can allow other malicious code to run without being detected by SmartScreen reputation checks.

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said CVE-2023-24800 allows attackers to create files that would bypass Mark of the Web (MOTW) defenses.

“Protective measures like SmartScreen and Protected View in Microsoft Office rely on MOTW, so bypassing these makes it easier for threat actors to spread malware via crafted documents and other infected files that would otherwise be stopped by SmartScreen,” Childs said.

Seven other vulnerabilities Microsoft patched this week earned its most-dire “critical” severity label, meaning the updates address security holes that could be exploited to give the attacker full, remote control over a Windows host with little or no interaction from the user.

Also this week, Adobe released eight patches addressing a whopping 105 security holes across a variety of products, including Adobe Photoshop, Cold Fusion, Experience Manager, Dimension, Commerce, Magento, Substance 3D Stager, Cloud Desktop Application, and Illustrator.

For a more granular rundown on the updates released today, see the SANS Internet Storm Center roundup. If today’s updates cause any stability or usability issues in Windows, AskWoody.com will likely have the lowdown on that.

Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any problems as a result of these patches.

How To Install Microsoft Office On Linux 2023

Posted on 2023-02-15 by Kernel

Last Updated on February 16, 2023 by itsubuntu

How To Install Microsoft Office On Linux

Microsoft Office is one of the most popular office package software right now in the world. In this tutorial, we will show you the method to install Microsoft Office on Linux based operating system.

How To Install Microsoft Office On Linux In 2023

We will take the help of the PlayOnLinux app to install Microsoft Office on Linux. It is one of the simplest ways to install Microsoft Office on Ubuntu.

Run the following command to install PlayOnLinux app on Linux.

Install PlayOnLinux On Linux

First, Run the following command to install winbind on Linux before installing PlayOnLinux.

sudo apt install winbind

Next, install PlayOnLinux on Linux.

sudo apt install playonlinux

You can also install PlayOnLinux via Ubuntu Software. After installing PlayOnLinux, launch PlayOnLinux from Menu > Applications.
Now, search Microsoft Office from the Office tab, then either use the search field or browse the list.

Install Microsoft Office on Ubuntu With PlayOnLinux

Click Next to proceed with the installation. Once complete, You’ll be able to run Microsoft Office from the desktop without loading PlayOnLinux.

Run Microsoft Office In A Browser On Linux

In this method, You don’t need to install Office as you can easily run it via any Internet Browser. You can easily access Word, Excel, PowerPoint, and Outlook via your browser and Microsoft account. You just need to open any internet browser and visit office.live.com.

Microsoft Patch Tuesday, February 2023 Edition

Posted on 2023-02-14 by Kernel

Microsoft is sending the world a whole bunch of love today, in the form of patches to plug dozens of security holes in its Windows operating systems and other software. This year’s special Valentine’s Day Patch Tuesday includes fixes for a whopping three different “zero-day” vulnerabilities that are already being used in active attacks.

Microsoft’s security advisories are somewhat sparse with details about the zero-day bugs. Redmond flags CVE-2023-23376 as an “Important” elevation of privilege vulnerability in the Windows Common Log File System Driver, which is present in Windows 10 and 11 systems, as well as many server versions of Windows.

“Sadly, there’s just a little solid information about this privilege escalation,” said Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative. “Microsoft does note that the vulnerability would allow an attacker to exploit code as SYSTEM, which would allow them to completely take over a target. This is likely being chained with a remote code execution bug to spread malware or ransomware. Considering this was discovered by Microsoft’s Threat Intelligence Center, it could mean it was used by advanced threat actors. Either way, make sure you test and roll these fixes quickly.”

The zero-day CVE-2023-21715 is a weakness in Microsoft Office that Redmond describes as a “security feature bypass vulnerability.”

“Microsoft lists this as under active exploit, but they offer no info on how widespread these exploits may be,” Childs said. “Based on the write-up, it sounds more like a privilege escalation than a security feature bypass, but regardless, active attacks in a common enterprise application shouldn’t be ignored. It’s always alarming when a security feature is not just bypassed but exploited. Let’s hope the fix comprehensively addresses the problem.”

The third zero-day flaw already seeing exploitation is CVE-2023-21823, which is another elevation of privilege weakness — this one in the Microsoft Windows Graphic component. Researchers at cybersecurity forensics firm Mandiant were credited with reporting the bug.

Kevin Breen, director of cyber threat research at Immersive Labs, pointed out that the security bulletin for CVE-2023-21823 specifically calls out OneNote as being a vulnerable component for the vulnerability.

“In recent weeks, we have seen an increase in the use of OneNote files as part of targeted malware campaigns,” Breen said. “Patches for this are delivered via the app stores and not through the typical formats, so it’s important to double check your organization’s policies.”

Microsoft fixed another Office vulnerability in CVE-2023-21716, which is a Microsoft Word bug that can lead to remote code execution — even if a booby-trapped Word document is merely viewed in the preview pane of Microsoft Outlook. This security hole has a CVSS (severity) score of 9.8 out of a possible 10.

Microsoft also has more valentines for organizations that rely on Microsoft Exchange Server to handle email. Redmond patched three Exchange Server flaws (CVE-2023-21706, CVE-2023-21707, and CVE-2023-21529), all of which Microsoft says are remote code execution flaws that are likely to be exploited.

Microsoft said authentication is required to exploit these bugs, but then again threat groups that attack Exchange vulnerabilities also tend to phish targets for their Exchange credentials.

Microsoft isn’t alone in dropping fixes for scary, ill-described zero-day flaws. Apple on Feb. 13 released an update for iOS that resolves a zero-day vulnerability in Webkit, Apple’s open source browser engine. Johannes Ullrich at the SANS Internet Storm Center notes that in addition to the WebKit problem, Apple fixed a privilege escalation issue. Both flaws are fixed in iOS 16.3.1.

“This privilege escalation issue could be used to escape the browser sandbox and gain full system access after executing code via the WebKit vulnerability,” Ullrich warned.

On a lighter note (hopefully), Microsoft drove the final nail in the coffin for Internet Explorer 11 (IE11). According to Redmond, the out-of-support IE11 desktop application was permanently disabled on certain versions of Windows 10 on February 14, 2023 through a Microsoft Edge update.

“All remaining consumer and commercial devices that were not already redirected from IE11 to Microsoft Edge were redirected with the Microsoft Edge update. Users will be unable to reverse the change,” Microsoft explained. “Additionally, redirection from IE11 to Microsoft Edge will be included as part of all future Microsoft Edge updates. IE11 visual references, such as the IE11 icons on the Start Menu and taskbar, will be removed by the June 2023 Windows security update (“B” release) scheduled for June 13, 2023.”

Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any problems as a result of these patches.

Microsoft Patch Tuesday, January 2023 Edition

Posted on 2023-01-10 by Kernel

Microsoft today released updates to fix nearly 100 security flaws in its Windows operating systems and other software. Highlights from the first Patch Tuesday of 2023 include a zero-day vulnerability in Windows, printer software flaws reported by the U.S. National Security Agency, and a critical Microsoft SharePoint Server bug that allows a remote, unauthenticated attacker to make an anonymous connection.

At least 11 of the patches released today are rated “Critical” by Microsoft, meaning they could be exploited by malware or malcontents to seize remote control over vulnerable Windows systems with little or no help from users.

Of particular concern for organizations running Microsoft SharePoint Server is CVE-2023-21743. This is a Critical security bypass flaw that could allow a remote, unauthenticated attacker to make an anonymous connection to a vulnerable SharePoint server. Microsoft says this flaw is “more likely to be exploited” at some point.

But patching this bug may not be as simple as deploying Microsoft updates. Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said sysadmins need to take additional measures to be fully protected from this vulnerability.

“To fully resolve this bug, you must also trigger a SharePoint upgrade action that’s also included in this update,” Childs said. “Full details on how to do this are in the bulletin. Situations like this are why people who scream ‘Just patch it!’ show they have never actually had to patch an enterprise in the real world.”

Eighty-seven of the vulnerabilities earned Redmond’s slightly less dire “Important” severity rating. That designation describes vulnerabilities “whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.”

Among the more Important bugs this month is CVE-2023-21674, which is an “elevation of privilege” weakness in most supported versions of Windows that has already been abused in active attacks.

Satnam Narang, senior staff research engineer at Tenable, said although details about the flaw were not available at the time Microsoft published its advisory on Patch Tuesday, it appears this was likely chained together with a vulnerability in a Chromium-based browser such as Google Chrome or Microsoft Edge in order to break out of a browser’s sandbox and gain full system access.

“Vulnerabilities like CVE-2023-21674 are typically the work of advanced persistent threat (APT) groups as part of targeted attacks,” Narang said. “The likelihood of future widespread exploitation of an exploit chain like this is limited due to auto-update functionality used to patch browsers.”

By the way, when was the last time you completely closed out your Web browser and restarted it? Some browsers will automatically download and install new security updates, but the protection from those updates usually only happens after you restart the browser.

Speaking of APT groups, the U.S. National Security Agency is credited with reporting CVE-2023-21678, which is another “important” vulnerability in the Windows Print Spooler software.

There have been so many vulnerabilities patched in Microsoft’s printing software over the past year (including the dastardly PrintNightmare attacks and borked patches) that KrebsOnSecurity has joked about Patch Tuesday reports being sponsored by Print Spooler. Tenable’s Narang points out that this is the third Print Spooler flaw the NSA has reported in the last year.

Kevin Breen at Immersive Labs called special attention to CVE-2023-21563, which is a security feature bypass in BitLocker, the data and disk encryption technology built into enterprise versions of Windows.

“For organizations that have remote users, or users that travel, this vulnerability may be of interest,” Breen said. “We rely on BitLocker and full-disk encryption tools to keep our files and data safe in the event a laptop or device is stolen. While information is light, this appears to suggest that it could be possible for an attacker to bypass this protection and gain access to the underlying operating system and its contents. If security teams are not able to apply this patch, one potential mitigation could be to ensure Remote Device Management is deployed with the ability to remotely disable and wipe assets.”

There are also two Microsoft Exchange vulnerabilities patched this month — CVE-2023-21762 and CVE-2023-21745. Given the rapidity with which threat actors exploit new Exchange bugs to steal corporate email and infiltrate vulnerable systems, organizations using Exchange should patch immediately. Microsoft’s advisory says these Exchange flaws are indeed “more likely to be exploited.”

Adobe released four patches addressing 29 flaws in Adobe Acrobat and Reader, InDesign, InCopy, and Adobe Dimension. The update for Reader fixes 15 bugs with eight of these being ranked Critical in severity (allowing arbitrary code execution if an affected system opened a specially crafted file).

For a more granular rundown on the updates released today, see the SANS Internet Storm Center roundup. Nearly 100 updates is a lot, and there are bound to be a few patches that cause problems for organizations and end users. When that happens, AskWoody.com usually has the lowdown.

Please consider backing up your data and/or imaging your system before applying any updates. And please sound off in the comments if you experience any problems as a result of these patches.

Best Microsoft Teams Alternatives For Linux In 2023

Posted on 2023-01-04 by Kernel

Best Microsoft Teams Alternatives For Linux In 2023

Microsoft Teams is one of the best collaboration tools available in the market. It is developed by Microsoft. It is used for team messaging, video conferencing, meetings, and collaboration.

Meanwhile, if you are a Linux user and want to use Microsoft Teams in your Linux environment then we have some good news for you as we have collected the list of best Microsoft Teams alternatives for Linux in 2023.

Best Microsoft Teams Alternatives For Linux In 2023

1. Wire

Wire is a secure and popular open-source collaboration software. It is a cross-platform alternative to Microsoft Teams. Developed in Electron, it does everything that you want to do with Microsoft Teams.

Features:

You can easily do high-definition group calls.

End-to-end chat encryption f

2. Element – Secure Collaboration and Messaging App

Element is another advanced and secure team messaging app for Linux. Based on the Matrix platform, It can be the best Microsoft Teams alternative for Linux in 2023.

3. Zoom – Video Conferencing Platform

Zoom took the internet by storm in 2020. Thanks to the lockdown imposed due to Covid-19 as it was one of the best choices for the individuals and the organizations for the meeting and the group conference. Zoom is a feature-rich collaboration tool that is posing a serious threat to big names like Microsoft Team, Skype, Google Meet, and other tools. Zoom is compatible with 1,000 programs compatible with the video conferencing app.

Zoom is no doubt the best alternative to Microsft Teams for Linux-based operating systems in 2023.

Zoom Features:

Free Instant messaging and video conferencing feature.
Free collaboration plan.
Connection with 1,000+ apps.
Record option for recording and saving so you can review later.
You can set your preferred virtual background for virtual meetings.
Whiteboard feature
Tons of extra features in the premium edition.

4. Mattermost

Mattermost is another one of the best Microsoft Teams alternatives for Linux in 2023. One of the interesting features of Mattermost is that each user can establish a self-hostable online chat service. It is also compatible with multiple DevOps tools. It is also compatible with Slack which allows users to import, export, and customize depending on their preferences. It also has prebuilt plugins from Jenkins, Jira, and GitLab.

Microsoft Patch Tuesday, December 2022 Edition

Posted on 2022-12-14 by Kernel

Microsoft has released its final monthly batch of security updates for 2022, fixing more than four dozen security holes in its various Windows operating systems and related software. The most pressing patches include a zero-day in a Windows feature that tries to flag malicious files from the Web, a critical bug in PowerShell, and a dangerous flaw in Windows 11 systems that was detailed publicly prior to this week’s Patch Tuesday.

The security updates include patches for Azure, Microsoft Edge, Office, SharePoint Server, SysInternals, and the .NET framework. Six of the update bundles earned Microsoft’s most dire “critical” rating, meaning they fix vulnerabilities that malware or malcontents can use to remotely commandeer an unpatched Windows system — with little to no interaction on the part of the user.

The bug already seeing exploitation is CVE-2022-44698, which allows attackers to bypass the Windows SmartScreen security feature. The vulnerability allows attackers to craft documents that won’t get tagged with Microsoft’s “Mark of the Web,” despite being downloaded from untrusted sites.

“This means no Protected View for Microsoft Office documents, making it easier to get users to do sketchy things like execute malicious macros,
said Greg Wiseman, product manager at security firm Rapid7. This is the second Mark of the Web flaw Microsoft has patched in as many months; both were first publicly detailed over the past two months on Twitter by security researcher Will Dormann.

Publicly disclosed (but not actively exploited for now) is CVE-2022-44710, which is an elevation of privilege flaw in the DirectX graphics component of Windows 11.

Another notable critical bug is CVE-2022-41076, a remote code execution flaw in PowerShell — a key component of Windows that makes it easier to automate system tasks and configurations.

Kevin Breen at Immersive Labs said while Microsoft doesn’t share much detail about CVE-2022-41076 apart from the designation ‘Exploitation More Likely,’ they also note that successful exploitation requires an attacker to take additional actions to prepare the target environment.

“What actions are required is not clear; however, we do know that exploitation requires an authenticated user level of access,” Breen said. “This combination suggests that the exploit requires a social engineering element, and would likely be seen in initial infections using attacks like MalDocs or LNK files.”

Speaking of malicious documents, Trend Micro’s Zero Day Initiative highlights CVE-2022-44713, a spoofing vulnerability in Outlook for Mac.

“We don’t often highlight spoofing bugs, but anytime you’re dealing with a spoofing bug in an e-mail client, you should take notice,” ZDI’s Dustin Childs wrote. “This vulnerability could allow an attacker to appear as a trusted user when they should not be. Now combine this with the SmartScreen Mark of the Web bypass and it’s not hard to come up with a scenario where you receive an e-mail that appears to be from your boss with an attachment entitled “Executive_Compensation.xlsx”. There aren’t many who wouldn’t open that file in that scenario.”

Microsoft also released guidance on reports that certain software drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity.

Three different companies reported evidence that malicious hackers were using these signed malicious driver files to lay the groundwork for ransomware deployment inside victim organizations. One of those companies, Sophos, published a blog post Tuesday detailing how the activity was tied to the Russian ransomware group Cuba, which has extorted an estimated $60 million from victims since 2019.

Of course, not all scary and pressing security threats are Microsoft-based. Also on Tuesday, Apple released a bevy of security updates to iOS, iPadOS, macOS, tvOS and Safari, including a patch for a newly discovered zero-day vulnerability that could lead to remote code execution.

Anyone responsible for maintaining Fortinet or Citrix remote access products probably needs to update, as both are dealing with active attacks on just-patched flaws.

For a closer look at the patches released by Microsoft today (indexed by severity and other metrics) check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.

Microsoft Email Security Bypasses Instagram Credential Phishing Attacks

Posted on 2022-11-21 by Kernel

It has been reported that a credential phishing attack targeted 22,000 students at national educational institutions through a campaign where hackers impersonated Instagram.

The advisory was highlighted by security experts at Armorblox in an advisory released on the 17th November 2022.

The advisory says: “The subject of this email encouraged victims to open the message… The goal of this subject was to induce a sense of urgency in the victims, making it seem an action needed to be taken in order to prevent future harm.”

Seemingly, the email appeared to come from Instagram support. The sender’s name appeared as Instagram and the email address matched the social media site’s real credentials.

“This targeted email attack was socially engineered, containing information specific to the recipient – like his or her Instagram user handle – in order to instill a level of trust that this email was a legitimate email communication from Instagram.”

Once users clicked on a link in the email, they were taken to a fake landing page. There was a ‘This Wasn’t Me’ option which, when clicked, directed users to a second faux landing page specifically designed to obtain user credentials, including sensitive information.

The Armorblox advisory added: “The email attack used language as the main attack vector and bypassed native Microsoft email security controls. It passed both SPF and DMARC email authentication checks,” Armorblox explained.

Sami Elhini, biometrics specialist at Cerberus Sentinel, explained: “In this case, an email from instagramsupport.net should be viewed as suspicious as Instagram’s domain is instagram.com. Where a service provides support, it may be advisable to contact support directly if you are unsure what action to take.”

He also added that verifying the origin of an email is a good start, however further scrutiny is required concerning which domain the email originated from.

Erich Kron, security awareness advocate at KnowBe4, added that being comfortable with user interfaces and being able to navigate technologies does not mean individuals fully understand the risks.

“In our modern digital world, it is very important to stay educated on how to spot these sorts of social engineering attacks.”

This comes after warning of increased phishing attacks across the web.

The post Microsoft Email Security Bypasses Instagram Credential Phishing Attacks appeared first on IT Security Guru.

Salt Security API Protection Platform Now Available in the Microsoft Azure Marketplace

Posted on 2022-11-09 by Kernel

Salt Security, the API security company, has announced that it has achieved Microsoft Azure IP Co-sell Ready status, which means that the Salt Security API Protection Platform can be sold and marketed by Microsoft sellers globally. By earning this status, Salt said it can provide its customers with a more streamlined deployment and management process for taking advantage of the productive and trusted Azure cloud platform. In addition, the Salt Security API Protection Platform will gain greater visibility both within the Microsoft Azure Marketplace and among Microsoft sales teams and partners worldwide.

According to the Q3 2022 State of API Security Report, malicious API traffic grew 117% over the past year, now accounting for 2.1% of all API traffic. Customers tap the Salt platform to discover their APIs, protect them during runtime, and improve their API security posture. The Salt Security API Protection Platform correlates user behaviour over time to pinpoint and stop attackers, using its rich context about all API usage to identify the reconnaissance activities of bad actors. The platform consolidates all pertinent information into a single attacker timeline generating a single alert, which allows incident response teams to quickly take action.

“Salt empowers organisations to drive digital transformation and business innovation initiatives with the confidence that their critical data and services are protected with the industry-leading API security platform,” said Gilad Barzilay, head of business development at Salt Security. “Microsoft Azure IP Co-sell Ready status further validates our integration with the Azure cloud platform and strengthens our commitment to our joint customers.”

The Microsoft IP Co-Sell Program enables Microsoft and partners to provide comprehensive solutions in a collaborative selling model to drive joint sales, revenue, and mutual customer success.

“Through Microsoft Azure Marketplace, customers around the world can easily find, buy, and deploy partner solutions they can trust, all certified and optimised to run on Azure,” said Jake Zborowski, general manager, Microsoft Azure Platform at Microsoft Corp. “We’re happy to welcome Salt Security to the growing Azure Marketplace ecosystem.”

Salt Security applies cloud-scale big data, with the industry’s most time-tested AI and ML algorithms, to provide the insights needed for API security. Through its patented API Context Engine (ACE) architecture, the platform can identify the early indicators of an attack, stop attackers from advancing, and turn attackers into penetration testers, leading to valuable feedback for development teams to eliminate API vulnerabilities.

The post Salt Security API Protection Platform Now Available in the Microsoft Azure Marketplace appeared first on IT Security Guru.

Microsoft Latest Patch Fixes New Windows Zero-Day With No Patch for Exchange Server Bugs

Posted on 2022-10-12 by Kernel

Recent news reports show that Microsoft’s Patch Tuesday update for the month of October has addressed a total of 85 security vulnerabilities, including fixes for an actively exploited zero-day flaw in the wild.

It appears that out of the 85 bugs, 15 are rated Critical, 69 are rated Important, and one is rated Moderate in severity. The update, however, does not include mitigations for the actively exploited ProxyNotShell flaws in Exchange Server.

Notably, the patches come alongside updates to resolve 12 other flaws in the Chromium-based Edge browser that have been released since the beginning of the month.

Microsoft’s latest patch has topped the list of this month’s patches is CVE-2022-41033 (CVSS score: 7.8), a privilege escalation vulnerability in Windows COM+ Event System Service. An anonymous researcher has been credited with reporting the issue.

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” the company said in an advisory, cautioning that the shortcoming is being actively weaponized in real-world attacks.

Observations show the nature of the flaw also means that the issue is likely chained with other flaws to escalate privilege and carry out malicious actions on the infected host.

“This specific vulnerability is a local privilege escalation, which means that an attacker would already need to have code execution on a host to use this exploit,” Kev Breen, director of cyber threat research at Immersive Labs, said.

In addition, three other elevation of privilege vulnerabilities of note relate to Windows Hyper-V (CVE-2022-37979, CVSS score: 7.8), Active Directory Certificate Services (CVE-2022-37976, CVSS score: 8.8), and Azure Arc-enabled Kubernetes cluster Connect (CVE-2022-37968, CVSS score: 10.0).

Even with the “Exploitation Less Likely” tag for CVE-2022-37968, Microsoft noted that a successful exploitation of the flaw could permit an “unauthenticated user to elevate their privileges as cluster admins and potentially gain control over the Kubernetes cluster.”

Patch update CVE-2022-41043 (CVSS score: 3.3) – an information disclosure vulnerability in Microsoft Office – is listed as publicly known at the time of release. It could be exploited to leak user tokens and other potentially sensitive information, Microsoft said.

Additionally fixed by Redmond are eight privilege escalation flaws in Windows Kernel, 11 remote code execution bugs in Windows Point-to-Point Tunneling Protocol and SharePoint Server, and yet another elevation of privilege vulnerability in the Print Spooler module (CVE-2022-38028, CVSS score: 7.8).

In conclusion, the Patch Tuesday update further addresses two more privilege escalation flaws in Windows Workstation Service (CVE-2022-38034, CVSS score: 4.3) and Server Service Remote Protocol (CVE-2022-38045, CVSS score: 8.8).

Lastly, web security company Akamai, which discovered the two shortcomings, said they “take advantage of a design flaw that allows the bypass of [Microsoft Remote Procedure Call] security callbacks through caching.”

Software Patches from Other Vendors

As well as Microsoft, security updates have also been released by several vendors to rectify dozens of vulnerabilities, including —

Adobe
Android
Apache Projects
Apple
Cisco
Citrix
CODESYS
Dell
F5
Fortinet (including an actively exploited flaw)
GitLab
Google Chrome
IBM
Lenovo
Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
MediaTek
NVIDIA
Qualcomm
Samba
SAP
Schneider Electric
Siemens
Trend Micro, and
VMware

The post Microsoft Latest Patch Fixes New Windows Zero-Day With No Patch for Exchange Server Bugs appeared first on IT Security Guru.

Microsoft Patch Tuesday, October 2022 Edition

Posted on 2022-10-11 by Kernel

Microsoft today released updates to fix at least 85 security holes in its Windows operating systems and related software, including a new zero-day vulnerability in all supported versions of Windows that is being actively exploited. However, noticeably absent from this month’s Patch Tuesday are any updates to address a pair of zero-day flaws being exploited this past month in Microsoft Exchange Server.

The new zero-day flaw– CVE-2022-41033 — is an “elevation of privilege” bug in the Windows COM+ event service, which provides system notifications when users logon or logoff. Microsoft says the flaw is being actively exploited, and that it was reported by an anonymous individual.

“Despite its relatively low score in comparison to other vulnerabilities patched today, this one should be at the top of everyone’s list to quickly patch,” said Kevin Breen, director of cyber threat research at Immersive Labs. “This specific vulnerability is a local privilege escalation, which means that an attacker would already need to have code execution on a host to use this exploit. Privilege escalation vulnerabilities are a common occurrence in almost every security compromise. Attackers will seek to gain SYSTEM or domain-level access in order to disable security tools, grab credentials with tools like Mimkatz and move laterally across the network.

Indeed, Satnam Narang, senior staff research engineer at Tenable, notes that almost half of the security flaws Microsoft patched this week are elevation of privilege bugs.

Some privilege escalation bugs can be particularly scary. One example is CVE-2022-37968, which affects organizations running Kubernetes clusters on Azure and earned a CVSS score of 10.0 — the most severe score possible.

Microsoft says that to exploit this vulnerability an attacker would need to know the randomly generated DNS endpoint for an Azure Arc-enabled Kubernetes cluster. But that may not be such a tall order, says Breen, who notes that a number of free and commercial DNS discovery services now make it easy to find this information on potential targets.

Late last month, Microsoft acknowledged that attackers were exploiting two previously unknown vulnerabilities in Exchange Server. Paired together, the two flaws are known as “ProxyNotShell” and they can be chained to allow remote code execution on Exchange Server systems.

Microsoft said it was expediting work on official patches for the Exchange bugs, and it urged affected customers to enable certain settings to mitigate the threat from the attacks. However, those mitigation steps were soon shown to be ineffective, and Microsoft has been adjusting them on a daily basis nearly each since then.

The lack of Exchange patches leaves a lot of Microsoft customers exposed. Security firm Rapid7 said that as of early September 2022 the company observed more than 190,000 potentially vulnerable instances of Exchange Server exposed to the Internet.

“While Microsoft confirmed the zero-days and issued guidance faster than they have in the past, there are still no patches nearly two weeks out from initial disclosure,” said Caitlin Condon, senior manager of vulnerability research at Rapid7. “Despite high hopes that today’s Patch Tuesday release would contain fixes for the vulnerabilities, Exchange Server is conspicuously missing from the initial list of October 2022 security updates. Microsoft’s recommended rule for blocking known attack patterns has been bypassed multiple times, emphasizing the necessity of a true fix.”

Adobe also released security updates to fix 29 vulnerabilities across a variety of products, including Acrobat and Reader, ColdFusion, Commerce and Magento. Adobe said it is not aware of active attacks against any of these flaws.

For a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.