Two weeks ago we reported on two zero-days in Microsoft Exchange that had been reported to Microsoft three weeks before that by a Vietnamese company that claimed to have stumbled across the bugs on an incident response engagement on a customer’s network. (You may need to read that twice.)
As you probably recall, the bugs are reminiscent of last year’s ProxyLogin/ProxyShell security problems in Windows, although this time an authenticated connection is required, meaning that an attacker needs at least one user’s email password in advance.
This led to the amusing-but-needlessly-confusing name ProxyNotShell, though we refer to it in our own notes as E00F, short for Exchange double zero-day flaw, because that’s harder to misread.
You’ll probably also remember the important detail that the first vulnerability in the E00F attack chain can be exploited after you’ve done the password part of logging on, but before you’ve done any 2FA authentication that’s needed to complete the logon process.
That makes it into what Sophos expert Chester Wisniewski dubbed a “mid-auth” hole, rather than a true post-authentication bug:
One week ago, when we did a quick recap of Microsoft’s response to E00F, which has seen the company’s official mitigation advice being modified several times, we speculated in the Naked Security podcast as follows:
I did take a look at Microsoft’s Guideline document this very morning [2022-10-05], but I did not see any information about a patch or when one will be available.
Next Tuesday [2022-10-11] is Patch Tuesday, so maybe we’re going to be made to wait until then?
One day ago [2022-10-11] was the latest Patch Tuesday…
…and the biggest news is almost certainly that we were wrong: we’re going to have to wait yet longer.
Everything except Exchange
This month’s Microsoft patches (variously reported as numbering 83 or 84, depending on how you count and who’s counting) cover 52 different parts of the Microsoft ecosystem (what the company descibes as “products, features and roles”), including several we’d never even heard of before.
It’s a dizzying list, which we’ve repeated here in full:
Active Directory Domain Services Azure Azure Arc Client Server Run-time Subsystem (CSRSS) Microsoft Edge (Chromium-based) Microsoft Graphics Component Microsoft Office Microsoft Office SharePoint Microsoft Office Word Microsoft WDAC OLE DB provider for SQL NuGet Client Remote Access Service Point-to-Point Tunneling Protocol Role: Windows Hyper-V Service Fabric Visual Studio Code Windows Active Directory Certificate Services Windows ALPC Windows CD-ROM Driver Windows COM+ Event System Service Windows Connected User Experiences and Telemetry Windows CryptoAPI Windows Defender Windows DHCP Client Windows Distributed File System (DFS) Windows DWM Core Library Windows Event Logging Service Windows Group Policy Windows Group Policy Preference Client Windows Internet Key Exchange (IKE) Protocol Windows Kernel Windows Local Security Authority (LSA) Windows Local Security Authority Subsystem Service (LSASS) Windows Local Session Manager (LSM) Windows NTFS Windows NTLM Windows ODBC Driver Windows Perception Simulation Service Windows Point-to-Point Tunneling Protocol Windows Portable Device Enumerator Service Windows Print Spooler Components Windows Resilient File System (ReFS) Windows Secure Channel Windows Security Support Provider Interface Windows Server Remotely Accessible Registry Keys Windows Server Service Windows Storage Windows TCP/IP Windows USB Serial Driver Windows Web Account Manager Windows Win32K Windows WLAN Service Windows Workstation Service
As you can see, the word “Exchange” appears just once, in the context of IKE, the internet key exchange protocol.
So, there’s still no fix for the E00F bugs, a week after we followed up on our article from a week before that about an initial report three weeks before that.
In other words, if you still have your own on-premises Exchange server, even if you’re only running it as part of an active migration to Exchange Online, this month’s Patch Tuesday hasn’t brought you any Exchange relief, so make sure you are up-to-date with Microsoft’s latest product mitigations, and that you know what detection and threat classification strings your cybersecurity vendor is using to warn you of potential ProxyNotShell/E00F attackers probing your network.
What did get fixed?
For a detailed review of what got fixed this month, head over to our sister site, Sophos News, for an “insider” vulns-and-exploits report from SophosLabs:
The highlights (or lowlights, depending on your viewpoint) include:
- A publicly disclosed flaw in Office that could lead to data leakage. We’re not aware of actual attacks using this bug, but information about how to abuse it was apparently known to potential attackers before the patch appeared. (CVE-2022-41043)
- A publicly exploited elevation-of-privilege flaw in the COM+ Event System Service. A security hole that is publicly known and that has already been exploited in real-life attacks is a zero-day, because there were zero days that you could have applied the patch before the cyberunderworld knew how to abuse it. (CVE-2022-41033)
- A security flaw in how TLS security certificates get processed. This bug was apparently reported by the government cybersecurity services of the UK and the US (GCHQ and NSA respectively), and could allow attackers to misrepresent themselves as the owner of someone else’s code-signing or website certificate. (CVE-2022-34689)
This month’s updates apply to pretty much every version of Windows out there, from Windows 7 32-bit all the way to Server 2022; the updates cover Intel and ARM flavours of Windows; and they include at least some fixes for what are known as Server Core installs.
(Server Core is a stripped-down Windows system that leaves you with a very basic, command-line-only server with a greatly reduced attack surface, leaving out the sort of components you simply don’t need if all you want is, for example, a DNS and DHCP server.)
What to do?
As we explain in our detailed analysis on Sophos News, you can either head into Settings > Windows Update and find out what’s waiting for you, or you can visit Microsoft’s online Update Guide and fetch individual update packages from the Update Catalog.
You know what we’ll say/
‘Cause it’s always our way.
That is, “Do not delay/
Simply do it today.”