Security News > 2022 > October > It’s Patch Tuesday and still no fix for ProxyNotShell Microsoft Exchange holes
Let's start off with what Redmond didn't fix: two Exchange Server bugs dubbed ProxyNotShell that have been exploited by snoops as far back as August.
A month later, Zero Day Initiative purchased the bugs and disclosed them to Microsoft.
Details of an information disclosure bug in Microsoft Office, tracked as CVE-2022-41043, has been publicly disclosed, so patch that one next before Redmond has to list it as under active exploit.
While Microsoft says these are "Less likely to be exploited," and noted that for a successful exploit an attacker would need additional access, Immersive Labs' Director of Cyber Threat Research Kev Breen suggested patching these sooner than later.
Atlassian, Microsoft bugs on CISA's must-patch list after exploitation spree.
Despite Adobe's assurance that none of these bugs have been exploited in the wild, as ZDI noted: "Hard to imagine hard-coded credentials have existed in the product for so long without being discovered."
News URL
https://go.theregister.com/feed/www.theregister.com/2022/10/11/october_patch_tuesday/
Related news
- Microsoft February 2025 Patch Tuesday fixes 4 zero-days, 55 flaws (source)
- February's Patch Tuesday sees Microsoft offer just 63 fixes (source)
- Microsoft’s Patch Tuesday Fixes 63 Flaws, Including Two Under Active Exploitation (source)
- Patch Tuesday: Microsoft Patches Two Actively Exploited Zero-Day Flaws (source)
- Microsoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flaws (source)
- Patch Tuesday: Microsoft Fixes 57 Security Flaws – Including Active Zero-Days (source)
- February 2025 Patch Tuesday forecast: New directions for AI development (source)
- Microsoft's End of Support for Exchange 2016 and 2019: What IT Teams Must Do Now (source)
- March 2025 Patch Tuesday forecast: A return to normalcy (source)
- Choose your own Patch Tuesday adventure: Start with six zero day fixes, or six critical flaws (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-10-11 | CVE-2022-41043 | Unspecified vulnerability in Microsoft Office and Office Long Term Servicing Channel Microsoft Office Information Disclosure Vulnerability | 3.3 |