
Microsoft fixes exploited zero-day, revokes certificate used to sign malicious drivers (CVE-2022-44698)
2022-12-13 20:09

It's December 2022 Patch Tuesday, and Microsoft has delivered fixes for 50+ vulnerabilities, including a Windows SmartScreen security feature bypass (CVE-2022-44698) that attackers have been exploiting to deliver a variety of malware.

"A threat actor can craft a malicious file that would evade Mark of the Web defenses, resulting in a limited loss of integrity and availability of security features, which rely on MOTW tagging - for example, 'Protected View' in Microsoft Office. This zero-day has a moderate CVSS risk score of 5.4, because it only helps to avoid the Microsoft Defender SmartScreen defense mechanism, which has no RCE or DoS functionality."
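The quote above turns on Mark of the Web tagging: Windows records the origin zone of a downloaded file in a `Zone.Identifier` alternate data stream, and Office's Protected View and SmartScreen consult that stream. The following PowerShell function is an added example, not code from the article or from Microsoft, that lists which files in a folder carry the tag and which zone they record; the folder path is an assumption, and the function only reads the stream, it never changes it.

```powershell
# Added example (not from the article): report Mark of the Web state for files in a folder.
# The Zone.Identifier stream is INI-style text, e.g.
#   [ZoneTransfer]
#   ZoneId=3
#   ReferrerUrl=https://example.test/
#   HostUrl=https://example.test/payload.docx
# ZoneId 3 (Internet) or 4 (Restricted) is what makes Office open a file in Protected View.
function Get-MotwInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,        # folder to scan, e.g. "$env:USERPROFILE\Downloads" (assumed)
        [switch]$Recurse
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse:$Recurse | ForEach-Object {
        $file = $_
        $zoneId = $null; $referrerUrl = $null; $hostUrl = $null

        # Absent stream => no MOTW; Get-Content returns nothing and we suppress the error.
        $ads = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($ads) {
            foreach ($line in $ads) {
                if     ($line -match '^ZoneId=(\d+)')     { $zoneId      = [int]$Matches[1] }
                elseif ($line -match '^ReferrerUrl=(.*)') { $referrerUrl = $Matches[1] }
                elseif ($line -match '^HostUrl=(.*)')     { $hostUrl     = $Matches[1] }
            }
        }

        [pscustomobject]@{
            Name          = $file.Name
            HasMotw       = [bool]$ads
            ZoneId        = $zoneId        # 0 MyComputer, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted
            ProtectedView = ($zoneId -eq 3 -or $zoneId -eq 4)
            ReferrerUrl   = $referrerUrl
            HostUrl       = $hostUrl
            Path          = $file.FullName
        }
    }
}

# Usage: files in Downloads that will NOT trigger Protected View
Get-MotwInfo -Path "$env:USERPROFILE\Downloads" | Where-Object { -not $_.ProtectedView } |
    Format-Table Name, HasMotw, ZoneId, HostUrl -AutoSize
```

A file without the stream is not by itself evidence of a bypass: the tag is lost legitimately when a file is extracted by a tool that does not propagate it, copied to a non-NTFS volume, or cleared with `Unblock-File`. The check is useful for confirming that freshly downloaded samples are tagged as expected after patching, and for triage of files that opened outside Protected View.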

In late October, Microsoft was alerted that drivers certified by Microsoft's Windows Hardware Developer Program were being used maliciously in post-exploitation activity related to ransomware attacks.

"In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers," Microsoft noted.

Microsoft's investigation revealed that several developer accounts for the Microsoft Partner Center had been submitting malicious drivers to get them signed by Microsoft, so that the signed drivers could be loaded on targeted endpoints to terminate EDR agents.

"Microsoft has released Windows Security Updates revoking the certificate for impacted files and suspended the partners' seller accounts. Additionally, Microsoft has implemented blocking detections to help protect customers from legitimately signed drivers that have been used maliciously in post-exploit activity."
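The fix described above is a certificate revocation, so the practitioner-side check is to inventory the drivers installed on a host and look at their Authenticode status rather than their signer name. The PowerShell below is an added example, not code from the article or from Microsoft; it enumerates the driver services Windows knows about, normalizes the path forms stored in the service database, and reports signature status, signer and issuer for each binary.

```powershell
# Added example (not from the article): signature report for installed kernel drivers.
# Lists every Win32_SystemDriver entry, locates the binary, and runs Get-AuthenticodeSignature
# on it. After the update carrying the revocation is installed, a driver signed with the
# revoked certificate should no longer report Status 'Valid'; StatusMessage says why.
function Get-DriverSignatureReport {
    [CmdletBinding()]
    param(
        [switch]$ProblemsOnly    # only return drivers whose Status is not 'Valid'
    )

    $winDir = $env:SystemRoot

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # Service DB stores paths as C:\..., \??\C:\..., \SystemRoot\System32\..., or System32\...
            $p = $_.PathName.Trim('"')
            $p = $p -replace '^\\\?\?\\', ''
            $p = $p -replace '^\\SystemRoot\\', "$winDir\"
            if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $winDir $p }

            if (-not (Test-Path -LiteralPath $p)) { return }   # skip entries whose file is gone

            $sig = Get-AuthenticodeSignature -LiteralPath $p

            [pscustomobject]@{
                Name    = $_.Name
                State   = $_.State                    # Running / Stopped
                Status  = $sig.Status                 # Valid, NotSigned, NotTrusted, HashMismatch, UnknownError, ...
                Message = $sig.StatusMessage
                Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Issuer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer  } else { $null }
                Path    = $p
            }
        } |
        Where-Object { -not $ProblemsOnly -or $_.Status -ne 'Valid' }
}

# Usage: anything that is not a clean signature, running drivers first
Get-DriverSignatureReport -ProblemsOnly |
    Sort-Object State, Name |
    Format-Table Name, State, Status, Signer, Path -AutoSize
```

Two caveats when reading the output. First, drivers that went through the Windows Hardware Compatibility Program are signed by "Microsoft Windows Hardware Compatibility Publisher", exactly like the abused ones, so the signer field cannot separate a legitimate WHCP driver from a malicious one; only the revocation (and the blocking detections Microsoft mentions) does that, which is why the Status column is the one to watch. Second, many inbox Windows drivers are catalog-signed rather than embedded-signed, and `Get-AuthenticodeSignature` reports those as `NotSigned`; treat that value as "verify against the catalog" rather than as a finding on its own.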


News URL

https://www.helpnetsecurity.com/2022/12/13/cve-2022-44698/

Related vendor

Vendor     Last 12M #/Products   Low   Medium   High   Critical   Total Vulns
Microsoft  480                   75    2308     5127   264        7774