Security News

November 2022 Patch Tuesday is here, with fixes for many vulnerabilities actively exploited in the wild, including CVE-2022-41091, a Windows Mark of the Web bypass flaw, and the ProxyNotShell MS Exchange vulnerabilities. "In all cases an attacker would have no way to force a user to view attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could entice a user to either click a link that directs the user to the attacker's site or send a malicious attachment," Microsoft says, but as security researcher Kevin Beaumont recently noted, it has been successfully exploited by different attackers in the wild for months.

Microsoft has released security updates to address two high-severity Microsoft Exchange zero-day vulnerabilities collectively known as ProxyNotShell and exploited in the wild. Microsoft confirmed they were actively abused in attacks on September 30, saying it was "Aware of limited targeted attacks using the two vulnerabilities to get into users' systems."

Today is Microsoft's November 2022 Patch Tuesday, and with it comes fixes for six actively exploited Windows vulnerabilities and a total of 68 flaws. This month's Patch Tuesday fixes six actively exploited zero-day vulnerabilities, with one being publicly disclosed.

A free unofficial patch has been released for an actively exploited zero-day that allows files signed with malformed signatures to bypass Mark-of-the-Web security warnings in Windows 10 and Windows 11. What made these Magniber JavaScript files stand out was that even though they contained a Mark-of-a-Web, Windows did not display any security warnings when they were launched.

Incoming OpenSSL critical fix: Organizations, users, get ready!The OpenSSL Project team has announced that, on November 1, 2022, they will release OpenSSL version 3.0.7, which will fix a critical vulnerability in the popular open-source cryptographic library. Apple fixes exploited iOS, iPadOS zero-dayFor the ninth time this year, Apple has released fixes for a zero-day vulnerability exploited by attackers to compromise iPhones.

Google pushed out a bunch of security fixes for the Chrome and Chromium browser code earlier this week. In short, what we mean is that when Google says "It is aware of reports" of an attack launched by exploiting Chrome in real life, we're ready to assume that you can translate this into "The bug is real, and it really can be exploited, but because we didn't actually investigate the hacked system in real life ourselves, we're still on safe ground if we don't come straight out and say, 'Hey, everyone, it's an 0-day'."

Why did a single security bulletin describe updates dubbed iOS 16.1 and iPadOS 16? We know that iPadOS 16 was delayed, so did this recent update mean that iPadOS was now getting patched only to the same security level as iOS 16, which came out more than a month ago, while iOS advanced to 16.1, thus leaving iPadOS more than five weeks adrift in cybersecurity terms? Why did iPadOS 16 ultimately report itself as version 16.1? After updating, the About screen apparently says iPadOS 16, like the security bulletin did, while the iPadOS Version screen explicitly says 16.1. It sounds as though iPhones and iPads now not only both support "The version family known as 16", but also both have the very latest security fixes, so why not simply call both of them version 16.1 everywhere for clarity, including in the security bulletin and on the About screen? Where did macOS 10 Catalina go? Traditionally, Apple drops support for macOS version X-3 when version X comes out, but is that the actual explanation of why macOS 11 Big Sur and macOS 12 Monterey got updates while Catalina didn't? What happened to iOS/iPadOS 15.7.1? When iOS 16 came out in September 2022, the previous version family received critical updates as well, taking it to version 15.7.

Google has released an emergency security update for the Chrome desktop web browser to address a single vulnerability known to be exploited in attacks. The high-severity flaw is a type confusion bug in the Chrome V8 Javascript engine discovered and reported to Google by analysts at Avast.

Google on Thursday rolled out emergency fixes to contain an actively exploited zero-day flaw in its Chrome web browser. The vulnerability, tracked as CVE-2022-3723, has been described as a type confusion flaw in the V8 JavaScript engine.

Apple has released new security updates to backport patches released earlier this week to older iPhones and iPads, addressing an actively exploited zero-day bug. Apple addressed the zero-day vulnerability in iOS 15.7.1 and iPadOS 15.7.1 today with improved bounds checking.