It’s Patch Tuesday and still no fix for ProxyNotShell Microsoft Exchange holes

Let's start off with what Redmond didn't fix: two Exchange Server bugs dubbed ProxyNotShell that have been exploited by snoops as far back as August.
A month later, Zero Day Initiative purchased the bugs and disclosed them to Microsoft.
Details of an information disclosure bug in Microsoft Office, tracked as CVE-2022-41043, have been publicly disclosed, so patch that one next before Redmond has to list it as under active exploit.
While Microsoft says these are "Less likely to be exploited," and noted that for a successful exploit an attacker would need additional access, Immersive Labs' Director of Cyber Threat Research Kev Breen suggested patching these sooner than later.
Atlassian, Microsoft bugs on CISA's must-patch list after exploitation spree.
Despite Adobe's assurance that none of these bugs have been exploited in the wild, as ZDI noted: "Hard to imagine hard-coded credentials have existed in the product for so long without being discovered."
News URL
https://go.theregister.com/feed/www.theregister.com/2022/10/11/october_patch_tuesday/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-10-11 | CVE-2022-41043 | Unspecified vulnerability in Microsoft Office and Office Long Term Servicing Channel Microsoft Office Information Disclosure Vulnerability | 3.3 |