We soon close out the security year of 2022. Only time will tell what 2023 will bring, but for IT and security admins of Microsoft networks, 2022 has been the year of blended attacks, on-premises Exchange Server flaws, and vulnerabilities needing more than patching to mitigate.
Here’s a month-by-month look at the past year.
January: A bad start for on-premises Microsoft Exchange Server vulnerabilities
It seems fitting that 2022 began with the release of the Microsoft Exchange Server remote code execution vulnerability (CVE-2022-21846). It raises the question for anyone still with an on-premises Exchange Server: Do you have the expertise to keep it safe especially if you are targeted?
Exchange 2019 is the only version under mainstream support at this time. If you are still running Exchange Server 2013, it reaches end of support on April 11, 2023. Your window of opportunity to make an easy transition is closing. Migrate to Exchange online or on-premises Exchange 2019 or consider a different email platform completely.
February: SharePoint vulnerabilities make it a target
February’s Microsoft security updates included CVE-2022-22005, which fixed an issue in SharePoint Server. Throughout the year SharePoint servers have received security updates.
Anyone in charge of patching and maintaining SharePoint should know that it, too, is in the crosshairs of targeted attacks. Shodan search tools can be used to easily find vulnerable implementations on the web, so be sure that they are patched and maintained.
March: You can’t always depend on Windows Update for patching
March’s security issues reminded us that not all code is serviced through Windows Update. HEVC Video Extensions Remote Code Execution Vulnerability (CVE-2022-22006) showcased that you also needed to pay attention to how you service apps on your Windows fleets. If you had disabled the Microsoft Store, you may need to take action to patch this vulnerability as well as other similar pieces of code.
April: Print spooler vulnerabilities again rear their ugly heads
April showcased that we were not done with print spooler bugs. PrintNightmare (CVE-2022-26796) was one of many print spooler vulnerabilities discovered in 2022. Microsoft and others released patches quickly, but they addressed only remote code execution exploits. Local privilege escalation exploits require a manual workaround, which Microsoft provided.
May: Windows NFS vulnerable to remote code execution exploit
Windows Network File System Remote Code Execution Vulnerability (CVE-2022-24491/24497) has been used in recent months by malware called Cuba Ransomware. The vulnerability is exploitable only in Windows Server implementations with NFS enabled. Review your network for assets that have been missed in patching that might expose your network to more risk.
June: LSA spoofing vulnerability highlights need to move from NTLM
The Windows LSA Spoofing Vulnerability (CVE-2022-26925) enabled NT LAN Manager (NTLM) relay attacks and required that you take additional action on your certificates. If you have not enabled Extended Protection for Authentication (EPA) and disabled HTTP on Active Directory Certificate Services (AD CS) servers, review the guidance in the Microsoft security advisory that was released at the time.
Evaluate your ability to move away from NTLM. Depending on your organisation, you may find that you can easily cut the cord now. Unfortunately, you might be unable to make the transition until changes are made in your network. If you are unsure of the impact, take the time in 2023 to investigate your options.
June: Dangers lurk from Internet Explorer remnants
June brought the official end of support for Internet Explorer, that less-than-esteemed browser known for vulnerabilities and weaknesses. Don’t be lulled into thinking the components of Internet Explorer are not lurking on your system and may need future updates. The Trident browser engine code is still used by SharePoint, for example, and you will still see MSHTML code being patched in the future.
July: Zero-day vulnerabilities in Windows CSRSS exploited
Microsoft blogged about the active use of multiple zero days along with the July release of Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability (CVE-2022-22047), which the Knotweed organisation then used at the end of July to gain system privileges and launch attacks. Knotweed is private-sector offensive actor (PSOA) using multiple Windows and Adobe zero-day exploits in targeted attacks.
August: Three new Microsoft Exchange Server vulnerabilities
August once again brought Exchange bugs to the table and three vulnerabilities were patched (CVE-2022-21980/24516/24477). The fix for this series of bugs also included the need to enable Extended Protection, a new technology that ensures that man in the middle (MitM) attacks are deflected.
Microsoft has included additional protections over the months in the Extended Protection Scripts. Once again merely installing the updates isn’t enough to protect you. You need to enable Extended Protection manually to mitigate the August vulnerabilities. Tun the Exchange Health Checker script to ensure that you’ve followed all the steps.
September: Apple flaws and a Windows remote code execution vulnerability
September patching also brought Apple flaws to the table. Security issues with iOS, iPadOS, macOS, and Safari were addressed with updates. If you have deployed Apple devices in your network, review and monitor for vulnerabilities.
September also brought the Windows TCP/IP Remote Code Execution Vulnerability (CVE-2022-34718), which didn’t turn out to be the Windows wormable bug it was originally thought to be. Only systems with IPv6 enabled and IPSec configured were vulnerable, thus limiting the risk.
October: No Exchange Server patches despite actively exploited vulnerabilities
October brought an interesting lack of patches for Exchange Server given that two Exchange bugs were actively exploited at the time. Microsoft provided workaround guidance for administrators to protect their systems. CVE-2022-41033 patched a Windows COM+ Event system service vulnerability that, like many others, is a privilege escalation bug. Attackers are bundling these vulnerabilities with social engineering enticements to gain access to systems.
November: Exchange Server, print spooler, and Kerberos patches and fixes
November brought the release of Exchange Server patches to fix exploited vulnerabilities. It also brought yet another print spooler update in the form of CVE-2022-41073. November also brought an out of band fix for Kerberos authentication issues introduced by the November updates.
Kerberos is a technology that you will want to take extra time to review the consequences in your network. Over the next year, updates will be released to further harden and protect your network from your attacks.