Microsoft has released 64 patches addressing security vulnerabilities across its products including 11 flaws that are classed as critical – and six vulnerabilities that are actively being exploited by cyber attackers.
The security flaws impact Microsoft products including Windows, Microsoft Azure, Microsoft Exchange Server, Microsoft Office and more, some of which have been targeted by malicious hackers for months.
Two of the critical updates address security vulnerabilities in Microsoft Exchange Server that have been under active attack since September – CVE-2022-41040 and CVE-2022-41082.
CVE-2022-41040 is a server-side request forgery (SSRF) vulnerability, a type of flaw that allows attackers to make server-side application requests from an unintended location – for example, allowing them to access internal services without being within the perimeter of the network.
CVE-2022-41082 allows remote code execution when PowerShell is accessible to the attacker. Previously, Microsoft had only released mitigations for the vulnerabilities, but patches are now available which, if applied, can prevent attackers from exploiting them to access networks – and these should be applied as soon as possible.
Another vulnerability described as both critical and actively being exploited in the wild is CVE-2022-41128, a remote code execution vulnerability in Windows Scripting Languages. To exploit the vulnerability, attackers need to lure victims to specially crafted websites or servers – something that could be achieved with a phishing attack, which they can exploit to