It’s Patch Tuesday and still no fix for ProxyNotShell Microsoft Exchange holes
2022-10-11 22:35

Let's start off with what Redmond didn't fix: two Exchange Server bugs dubbed ProxyNotShell that have been exploited by snoops as far back as August.

A month later, Zero Day Initiative purchased the bugs and disclosed them to Microsoft.

Details of an information disclosure bug in Microsoft Office, tracked as CVE-2022-41043, have been publicly disclosed, so patch that one next before Redmond has to list it as under active exploit.

While Microsoft says these are "Less likely to be exploited," and noted that for a successful exploit an attacker would need additional access, Immersive Labs' Director of Cyber Threat Research Kev Breen suggested patching these sooner rather than later.

Atlassian, Microsoft bugs on CISA's must-patch list after exploitation spree.

Despite Adobe's assurance that none of these bugs have been exploited in the wild, as ZDI noted: "Hard to imagine hard-coded credentials have existed in the product for so long without being discovered."


News URL

https://go.theregister.com/feed/www.theregister.com/2022/10/11/october_patch_tuesday/

Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK
2022-10-11 | CVE-2022-41043 | Unspecified vulnerability in Microsoft Office and Office Long Term Servicing Channel. Microsoft Office Information Disclosure Vulnerability (local, low complexity, microsoft) | 3.3

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 365 50 1369 2819 161 4399