It is November’s Patch Tuesday, so I’ll start with what I’m thankful for. I am thankful that Patch Tuesday provides easy content so I appear more productive than I am. That feels good to start with such positivity. And positivity is working out for us — this month feels light compared to most. That’s why Contentmaster Brock wanted to step in and ruin everyone's good time by talking about the vulnerability found in OpenSSL 3.0. Overall, this month we are patching 66 exploits, with 10 rated as critical. One of these exploits is already publicly known. The true terror is that four are already being actively exploited.
Some highlights (or lowlights)
CVE-2022-41047: This is the highest rated critical exploit. At 8.8, it’s a Remote Code Execution vulnerability impacting the ODBC driver. It has a network attack vector and does not require any privileges. It’s only at an 8.8 because it requires a user to click on a malicious link, which would allow the attacker to execute code remotely on the system.
CVE-2022-41128: This is another 8.8 that has a lot of similar metrics as #1, only it uses Windows Scripting Language and requires the user to connect to a corrupted server instead of clicking on a corrupted link. This one has the added benefit of being one of the exploits that is publicly known already.
CVE-2022-41091: This exploit is only rated as a 5.4 and impacts the Windows Mark of the Web Security feature. It requires the user to click on a malicious link to be effective, resulting in a limited loss of availability and integrity. Normally one rated this low would not earn any type of mention, but this one is both actively used in the wild and publicly known. It’s rare that a single exploit falls in both categories, so I figured I would toss in a mention.
November’s Patch Tuesday is a strange one, with a low number of exploits and a low number of those that are critical. Even the critical ones feel less critical to me, most requiring users to click where they should not. We all know that training users is 100% effective, so this month is nothing to worry about! But just in case you think one of your users may have missed a day of training, we should probably still patch. We are going to be doing that every month, so why not automate the process with PDQ Deploy and PDQ Inventory?
Jordan had spent his life wondering why tasks he didn’t like to do had no options to complete themselves. Eventually he had to make that happen on his own. It turned out that he enjoyed making tasks complete themselves, and PDQ thought that is something he should talk about on the internet while drinking most Thursdays on the PDQ webcast.