Google, MS, Oracle vulnerabilities make November ’22 a big month for patching – ComputerWeekly.com

Posted under Programming, Technology by James Steward

Nine newly disclosed vulnerabilities with high-risk scores in products from some of the most widely used suppliers made November a busy month for security teams, according to the latest monthly analysis by researchers at Recorded Future. Comparatively high numbers of disclosed bugs affected Microsoft, a zero-day in Google Chromium proved a somewhat serious matter, and the resurfacing of a known Oracle vulnerability demonstrated that novelty is not necessarily a bonus for threat actors.
Recorded Future, which has been running its own vulnerability round-up through its in-house Insikt Group research op for several months now, said November had been a bumper month, particularly for Microsoft, which released fixes for a total of six zero-days on 9 November.
Out of these, it said, the most impactful were two vulnerabilities in the Mark of the Web (MotW) security feature, which is supposed to be a safeguard to show that files downloaded from the internet are safe, but if bypassed can easily lead to malicious code being triggered.
Its researchers also flagged a remote code execution (RCE) vulnerability and an elevation of privilege (EoP) vulnerability in Microsoft Exchange Server that, when chained, form the previously disclosed exploit known as ProxyNotShell.
“Given its dominance as an operating system for both individual users and corporate environments, Microsoft Windows is consistently a target for vulnerability exploitation,” said the Insikt Group researchers, “but the bumper crop of zero-day vulnerabilities associated with Microsoft Windows in November 2022 was surprising even in the midst of a year of high-profile and often high numbers of zero-days.”
Meanwhile, Google’s team patched CVE-2022-4135, an RCE zero-day in the Google Chrome web browser, after finding threat actors exploiting it in the wild. This is the eighth Chrome zero-day to have been found in 2022 and, if successfully exploited, it causes a heap buffer overflow in three versions of Chrome.
The Insikt Group said that given the widespread use of Chrome and Chrome-based browsers, this issue bears close attention.
“Web browsers like Microsoft Edge, Brave, Opera, and Vivaldi are also vulnerable to exploits of this flaw because they are Chromium-based, which means that, ironically, Google’s disclosure added at least one more zero-day vulnerability to the list of those that Microsoft defenders need to worry about,” they said.
Further to this, another vulnerability in Google Chrome, tracked as CVE-2022-4262, was disclosed and added to the US Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities (KEV) catalogue on 2 December.
CVE-2022-4262 is a type confusion vulnerability in the Chromium V8 engine, and Google said it was aware of an exploit in the wild. It has been fixed in an update rolled out last week, but its inclusion in the KEV catalogue – a list of important bugs that US government organisations are obliged to fix on a rolling monthly schedule – means it warrants immediate attention from corporate security teams.
Also appearing on Recorded Future’s list, and added to the KEV catalogue within the past fortnight, is CVE-2022-35587, an RCE vulnerability in Oracle Fusion Middleware Access Manager which, if successfully exploited, allows an unauthenticated actor with network access over HTTP to take over Access Manager. This carries a CVSS base score of 9.8 and is not hard to exploit – and worse, it was initially disclosed in January 2022, but has since popped back up again.
“The active exploitation of the vulnerability follows the disclosure of proof-of-concept (POC) exploits for the vulnerability, which have been available for ‘several months’, according to SecurityWeek,” said the Insikt team.
Besides the six Microsoft zero-days, and the others described above, the Insikt team also listed three other noteworthy vulnerabilities from November that may not be as widespread, but will prove particularly impactful for those they affect.
These are CVE-2022-38374 in Fortinet’s FortiADC web application authentication/authorisation service, CVE-2022-39307 in Grafana’s data visualisation platform, and CVE-2022-43781 in Atlassian’s BitBucket Git-based source code repository.
The team observed that both Atlassian and Fortinet have already seen critical vulnerability exploitation in 2022, and pointed out that the Fortinet vulnerability in particular “is the type of vulnerability that is attractive to criminals or nation-state groups looking to compromise a key piece of network infrastructure”.
