Microsoft’s latest round of monthly security updates has been released with fixes for 68 vulnerabilities spanning its software portfolio, including patches for six actively exploited zero-days.
Separately addressed at the start of the month is an actively exploited flaw in Chromium-based browsers that Google plugged as part of an out-of-band update late last month.
The list of actively exploited vulnerabilities, which allow privilege elevation and remote code execution, is as follows:
CVE-2022-41091 is one of the two security bypass flaws in Windows Mark of the Web that came to light in recent months.
Four other Critical-rated vulnerabilities in the November patch worth pointing out are privilege elevation flaws in Windows Kerberos, Kerberos RC4-HMAC, and Microsoft Exchange Server, and a denial-of-service flaw affecting Windows Hyper-V. The list of fixes for Critical flaws is rounded out by four remote code execution vulnerabilities in the Point-to-Point Tunneling Protocol, all carrying CVSS scores of 8.1, and another impacting the Windows scripting languages JScript9 and Chakra.
In addition to these issues, the Patch Tuesday update also resolves a number of remote code execution flaws in Microsoft Excel, Word, ODBC Driver, Office Graphics, SharePoint Server, and Visual Studio, as well as a number of privilege escalation bugs in Win32k, Overlay Filter, and Group Policy.