Patch Tuesday in brief – one 0-day fixed, but no patches for Exchange!

Credit to Author: Paul Ducklin | Date: Wed, 12 Oct 2022 16:58:26 +0000

Two weeks ago we reported on two zero-days in Microsoft Exchange that had been reported to Microsoft three weeks before that by a Vietnamese company that claimed to have stumbled across the bugs on an incident response engagement on a customer’s network. (You may need to read that twice.)

As you probably recall, the bugs are reminiscent of last year’s ProxyLogon/ProxyShell security problems in Windows, although this time an authenticated connection is required, meaning that an attacker needs at least one user’s email password in advance.

This led to the amusing-but-needlessly-confusing name ProxyNotShell, though we refer to it in our own notes as E00F, short for Exchange double zero-day flaw, because that’s harder to misread.

You’ll probably also remember the important detail that the first vulnerability in the E00F attack chain can be exploited after you’ve done the password part of logging on, but before you’ve done any 2FA authentication that’s needed to complete the logon process.

That makes it into what Sophos expert Chester Wisniewski dubbed a “mid-auth” hole, rather than a true post-authentication bug:

One week ago, when we did a quick recap of Microsoft’s response to E00F, which has seen the company’s official mitigation advice being modified several times, we speculated in the Naked Security podcast as follows:

I did take a look at Microsoft’s Guideline document this very morning [2022-10-05], but I did not see any information about a patch or when one will be available.

Next Tuesday [2022-10-11] is Patch Tuesday, so maybe we’re going to be made to wait until then?

One day ago [2022-10-11] was the latest Patch Tuesday

…and the biggest news is almost certainly that we were wrong: we’re going to have to wait yet longer.

Everything except Exchange

This month’s Microsoft patches (variously reported as numbering 83 or 84, depending on how you count and who’s counting) cover 52 different parts of the Microsoft ecosystem (what the company describes as “products, features and roles”), including several we’d never even heard of before.

It’s a dizzying list, which we’ve repeated here in full:

  • Active Directory Domain Services
  • Azure
  • Azure Arc
  • Client Server Run-time Subsystem (CSRSS)
  • Microsoft Edge (Chromium-based)
  • Microsoft Graphics Component
  • Microsoft Office
  • Microsoft Office SharePoint
  • Microsoft Office Word
  • Microsoft WDAC OLE DB provider for SQL
  • NuGet Client
  • Remote Access Service Point-to-Point Tunneling Protocol
  • Role: Windows Hyper-V
  • Service Fabric
  • Visual Studio Code
  • Windows Active Directory Certificate Services
  • Windows ALPC
  • Windows CD-ROM Driver
  • Windows COM+ Event System Service
  • Windows Connected User Experiences and Telemetry
  • Windows CryptoAPI
  • Windows Defender
  • Windows DHCP Client
  • Windows Distributed File System (DFS)
  • Windows DWM Core Library
  • Windows Event Logging Service
  • Windows Group Policy
  • Windows Group Policy Preference Client
  • Windows Internet Key Exchange (IKE) Protocol
  • Windows Kernel
  • Windows Local Security Authority (LSA)
  • Windows Local Security Authority Subsystem Service (LSASS)
  • Windows Local Session Manager (LSM)
  • Windows NTFS
  • Windows NTLM
  • Windows ODBC Driver
  • Windows Perception Simulation Service
  • Windows Point-to-Point Tunneling Protocol
  • Windows Portable Device Enumerator Service
  • Windows Print Spooler Components
  • Windows Resilient File System (ReFS)
  • Windows Secure Channel
  • Windows Security Support Provider Interface
  • Windows Server Remotely Accessible Registry Keys
  • Windows Server Service
  • Windows Storage
  • Windows TCP/IP
  • Windows USB Serial Driver
  • Windows Web Account Manager
  • Windows Win32K
  • Windows WLAN Service
  • Windows Workstation Service

As you can see, the word “Exchange” appears just once, in the context of IKE, the internet key exchange protocol.

So, there’s still no fix for the E00F bugs, a week after we followed up on our article from a week before that about an initial report three weeks before that.

In other words, if you still have your own on-premises Exchange server, even if you’re only running it as part of an active migration to Exchange Online, this month’s Patch Tuesday hasn’t brought you any Exchange relief, so make sure you are up-to-date with Microsoft’s latest product mitigations, and that you know what detection and threat classification strings your cybersecurity vendor is using to warn you of potential ProxyNotShell/E00F attackers probing your network.

What did get fixed?

For a detailed review of what got fixed this month, head over to our sister site, Sophos News, for an “insider” vulns-and-exploits report from SophosLabs:

The highlights (or lowlights, depending on your viewpoint) include:

  • A publicly disclosed flaw in Office that could lead to data leakage. We’re not aware of actual attacks using this bug, but information about how to abuse it was apparently known to potential attackers before the patch appeared. (CVE-2022-41043)
  • A publicly exploited elevation-of-privilege flaw in the COM+ Event System Service. A security hole that is publicly known and that has already been exploited in real-life attacks is a zero-day, because there were zero days that you could have applied the patch before the cyberunderworld knew how to abuse it. (CVE-2022-41033)
  • A security flaw in how TLS security certificates get processed. This bug was apparently reported by the government cybersecurity services of the UK and the US (GCHQ and NSA respectively), and could allow attackers to misrepresent themselves as the owner of someone else’s code-signing or website certificate. (CVE-2022-34689)

This month’s updates apply to pretty much every version of Windows out there, from Windows 7 32-bit all the way to Server 2022; the updates cover Intel and ARM flavours of Windows; and they include at least some fixes for what are known as Server Core installs.

(Server Core is a stripped-down Windows system that leaves you with a very basic, command-line-only server with a greatly reduced attack surface, leaving out the sort of components you simply don’t need if all you want is, for example, a DNS and DHCP server.)

What to do?

As we explain in our detailed analysis on Sophos News, you can either head into Settings > Windows Update and find out what’s waiting for you, or you can visit Microsoft’s online Update Guide and fetch individual update packages from the Update Catalog.
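If you would rather check from a console than click through Settings, the following PowerShell is an added example (not from this article or from Microsoft) that lists the updates a machine has recorded since this month’s Patch Tuesday and, because Exchange got no fix, reminds you when the box is an on-premises Exchange server. It assumes the standard Get-HotFix and Get-Service cmdlets and uses the MSExchangeServiceHost service name as an indicator of an on-prem Exchange install; the exact KB numbers for October 2022 are not on this page, so it reports by date rather than by identifier.

```powershell
# Added example: report Windows updates installed since Patch Tuesday
# and flag on-premises Exchange, which this month's updates do not cover.
$patchTuesday = Get-Date '2022-10-11'   # Patch Tuesday date from the article

# Get-HotFix reads the installed-updates record; InstalledOn can be empty
# for some entries, so filter those out before comparing dates.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn -Descending

if ($recent) {
    "Updates installed since $($patchTuesday.ToShortDateString()):"
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    "No updates recorded since $($patchTuesday.ToShortDateString())." +
    " Open Settings > Windows Update, or fetch the package from the Update Catalog."
}

# Assumption: the MSExchangeServiceHost service is present only on an
# on-premises Exchange server. Such hosts get no Exchange fix this month,
# so the current ProxyNotShell/E00F mitigations must be checked separately.
if (Get-Service -Name 'MSExchangeServiceHost' -ErrorAction SilentlyContinue) {
    "On-premises Exchange detected: no Exchange patch this Patch Tuesday;" +
    " confirm Microsoft's latest mitigations are applied and your detection rules are current."
}
```

Run it in an elevated PowerShell session on each server you manage; a host that shows nothing since the cut-off date is one to put at the front of the update queue.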

Update under way on Windows 11 22H2.

You know what we’ll say/
   ‘Cause it’s always our way.

That is, “Do not delay/
   Simply do it today.”
