Google, MS, Oracle vulnerabilities make November ’22 a big month for patching

Nine newly disclosed vulnerabilities with high-risk scores in products from some of the most widely used suppliers made November a busy month for security teams, with comparatively high numbers of disclosed bugs affecting Microsoft, a zero-day in Google Chromium proving a somewhat serious matter, and the resurfacing of a known Oracle vulnerability demonstrated that novelty is not necessarily a bonus for threat actors, according to the latest monthly analysis researchers at Recorded Future.

Recorded Future, which has been running its own vulnerability round-up through its in-house Insikt Group research op for several months now, said November had been a bumper month, particularly for Microsoft, which released fixes for a total of six zero-days on 9 November.

Out of these, it said, the most impactful were two vulnerabilities in the Mark of the Web (MotW) security feature, which is supposed to be a safeguard to show that files downloaded from the internet are safe, but if bypassed can easily lead to malicious code being triggered.

Its researchers also flagged a remote code execution (RCE) and elevation of privilege (EoP) vulnerability in Microsoft Exchange Server that when chained, form the previously disclosed exploit known as ProxyNotShell.

“Given its dominance as an operating system for both individual users and corporate environments, Microsoft Windows is consistently a target for vulnerability exploitation,” said the Insikt Group researchers, “but the bumper crop of zero-day vulnerabilities associated with Microsoft Windows in November 2022 was surprising even in the midst of a year of high-profile and often high numbers of zero-days.”

Meanwhile, Google’s team patched CVE-2022-4135, an RCE zero-day in the Google Chrome web browser, after finding threat actors exploiting it in the wild. This is the eighth Chrome zero-day to have been found in 2022, and successfully exploited causes a heap buffer overflow in three versions of Chrome.

The Insikt Group said that given the widespread use of Chrome and Chrome-based browsers, this issue bears close attention.

“Web browsers like Microsoft Edge, Brave, Opera, and Vivaldi are also vulnerable to exploits of this flaw because they are Chromium-based, which means that, ironically, Google’s disclosure added at least one more zero-day vulnerability to the list of those that Microsoft defenders need to worry about,” they said.

Further to this, another vulnerability in Google Chrome, tracked as CVE-2022-4262, was disclosed and added to the US Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities (KEV) catalogue on 2 December.

CVE-2022-4262 is a V8 type confusion vulnerability in the Chromium V8 engine, and Google said it was aware of an exploit in the wild. It has been fixed in an update rolled out last week, but its inclusion in the KEV catalogue – a list of important bugs that US government organisations are obliged to fix on a rolling monthly schedule – means it warrants immediate attention from corporate security teams.

Also appearing on Recorded Future’s list, and added to the KEV catalogue within the past fortnight, is CVE-2022-35587, an RCE vulnerability in Oracle Fusion Middleware Access Manager which successfully exploited, allows an unauthenticated actor with network access over HTTP to take over Access Manager. This carries a CVSS base score of 9.8 and is not hard to exploit – and worse, it was initially disclosed in January 2022, but has since popped back up again.

“The active exploitation of the vulnerability follows the disclosure of proof-of-concept (POC) exploits for the vulnerability, which have been available for ‘several months’, according to SecurityWeek,” said the Insikt team.

Besides the six Microsoft zero-days, and the others described above, the Insikt team also listed three other noteworthy vulnerabilities from November that may not be as widespread, but will prove particularly impactful for those they affect.

These are CVE-2022-38374 in Fortinet’s FortiADC web application authentication/authorisation service, CVE-2022-39307 in Grafana’s data visualisation platform, and CVE-2022-43781 in Atlassian’s BitBucket Git-based source code repository.

The team observed that both Atlassian and Fortinet have already seen critical vulnerability exploitation in 2022, and pointed out that the Fortinet vulnerability in particular “is the type of vulnerability that is attractive to criminals or nation-state groups looking to compromise a key piece of network infrastructure”.