It's Patch Tuesday and still no fix for ProxyNotShell Microsoft Exchange holes

Microsoft fixed more than 80 security flaws in its products for October's Patch Tuesday. But let's start off with what Redmond didn't fix: two Exchange Server bugs dubbed ProxyNotShell that have been exploited by snoops as far back as August. CVE-2022-41040 is a server-side request forgery vulnerability while CVE-2022-41082 is …

  1. jake Silver badge

    ::shakes head::

    "None of these have been exploited in the wild. Yet."

    FTFY.

    One wonders why Corporate Lawyers even allow these things in the door ... Especially seeing as the EULA[0] clearly states that anything that goes wrong is NOT the fault of the provider, but rather it's YOUR fault for choosing to run the badly designed & implemented product.

    [0] Or whatever they choose to call it ... you know what I mean.

    1. Anonymous Coward
      Anonymous Coward

      Re: ::shakes head::

      The problem is that we allowed providers to get away with shoddy products without experiencing any kind of consequences, aided by the lock in strategies that all pursue. Now we no longer have a choice (which was, of course, the whole aim).

      Try telling management that avoiding Microsoft products would, at a conservative estimate, zap about 85% of all security exposure and see how long you continue to enjoy employment there. If you don't get into trouble for speaking truth to power you'd be worked out of the door by their Microsoft golfing buddies, who really don't appreciate you giving their victims guys at the top actual real world facts. And that's just Microsoft.

      1. jake Silver badge

        Re: ::shakes head::

        I make a living doing just that. I'm a consultant.

        1. Anonymous Coward
          Anonymous Coward

          Re: ::shakes head::

          I'm setting up a new services group doing just that.

          Interestingly, the first attempt at lobbying to get us to use expensive products wasn't done by Microsoft.

          It was Oracle..

  2. ThatOne Silver badge
    Devil

    Patch Doomsday

    The article forgot to mention what those patches will break this time...

    1. Anonymous Coward
      Anonymous Coward

      Re: Patch Doomsday

      I was trying to remember in which movie some villain screams "EEEVERYTHING!!!" but I can't find the clip, sorry.

      But that's what you should plan for - at least it will feel positive if less breaks :)

      1. stiine Silver badge

        Re: Patch Doomsday

        It was EVERYONEEEEE!!!! and it was Gary Oldman's character in Léon: The Professional.

        https://www.youtube.com/watch?v=74BzSTQCl_c

        1. Anonymous Coward
          Anonymous Coward

          Re: Patch Doomsday

          Ah yes, thanks :).

          That's the stuff I hate most about getting older. Plenty of data in memory, but the hyperlinks occasionally fray :).

    2. Strahd Ivarius Silver badge
      Facepalm

      Re: Patch Doomsday

      On Win11, some VPN clients based on today's experience at work...

  3. Anonymous Coward
    Anonymous Coward

    click everything

    "Despite near-constant anti-phishing training, especially during 'Cyber Security Awareness Month,' people tend to click everything"

    Anti-phishing training is severely lacking in the public and also in companies.

    It's 2022 and there are still people who think one detects malware by the terrible spelling of the email, even in English.

    Cyber-crims have long since learnt how to write very literately, now ...

    1. Anonymous Coward
      Anonymous Coward

      Re: click everything

      "...one detects malware by the terrible spelling of the email, even in English..."

      At our place that usually means the email has come from one of the Directors.

    2. James O'Shea Silver badge

      Re: click everything

      Here is a recent attempt to get me to do a little happy clicking.

      phish starts:

      _________

      Regards

      I am Mr Aleksandr Bodashk the Chief Executive Officer & Co-Founder of The Golden Gate Realtor a Real Estate company in Ukraine,

      Due to the crises here in Ukraine, I find it necessary to seek for a commercial venture in your country with the expectation of achieving a profit.

      For further information please contact : aleksdrbodashk@gmail.com

      I'm eager to receive your feedback..

      Thank you

      Aleksandr Bodashk

      the Chief Executive Officer & Co-Founder

      The Golden Gate Realtor Ukraine

      Khreshchatyk Plaza Khreshchatyk, 19A, Kyiv, Ukraine, 01001

      ______

      phish ends

      In the original, there were several hotlinks, including dear old Aleks' email address. No, I didn't click on any. Phishing: it's not just Nigerian Princes anymore, though the tactics are identical.

      1. Al fazed
        Facepalm

        Re: click everything

        I recently completed an on-line survey being undertaken for one of my supermarket providers, with the prize being £250 of the company's vouchers.

        Oh, the survey was genuine, but I now receive hundreds of "YOU HAVE WON" "NOTIFICATIONS", all bearing said supermarket's branding...............

        So we see how even a savvy IT user could be easily compromised............. the temptation to see if one of these is a genuine response is huge, but I haven't done it.

        I notified the supermarket's IT department about the phishing attempts.

        Now the phishing has become a deluge, which even the SPAM FILTERS seem powerless to prevent from landing in my INBOX.......

        ALF

  4. Terry 6 Silver badge

    The why issue

    People do still click on links.

    One reason may well be that the large companies still send out emails with clickable marketing links. Some of which go to an account log-in. VM send out a monthly "See how much good stuff we've supplied to you" email that directly links to their users' accounts. Which I'm sure the users will click on - I do myself. But one day it'll be a poisoned link or just a straight fake. In the meantime we get trained to trust links. I think the banks have got the message, I don't see that any more (go on, tell me I'm wrong and that they still do it, I won't be surprised).

    But it can't just be that. Has any psychological research been done to see why people will click on links- or how companies can deter risky behaviour?

    1. Anonymous Coward
      Anonymous Coward

      Re: The why issue

      And we can't shoot them, even though we should.

    2. Charlie Clark Silver badge

      Re: The why issue

      Yes, lots of research has been done and, like someone asking for the time, a cigarette, etc., there is not a lot that can be done about it. But this has been compounded by the widespread adoption of HTML mail, which makes it much easier to exploit human nature. Plaintext e-mails may not be pretty, but because of this it's easier to focus on the content.
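      The point above about HTML mail, and the hotlinked phish James O'Shea posted further up, both come down to the same thing: in HTML the visible link text and the real target are two different strings. The following is an added example (not code from the original thread or from The Register) showing how to pull the anchors out of a message body with Python's standard library and flag the two patterns the thread mentions: link text that looks like a URL but whose host differs from the href, and a mailto: contact that points at a free webmail provider. The sample message, the hostnames in it and the FREE_WEBMAIL list are constructed for illustration; only the gmail address is taken from the phish quoted in the thread.

```python
"""Flag HTML e-mail links whose visible text disagrees with their real target.

Added example, not from the original thread. SAMPLE_HTML, the hostnames in it
and FREE_WEBMAIL are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: the visible text claims one host, the href points elsewhere.
SAMPLE_HTML = """
<html><body>
<p>Your statement is ready.
<a href="https://login.example-bank.com.evil-host.test/x">https://www.example-bank.com/login</a></p>
<p>Questions? <a href="mailto:aleksdrbodashk@gmail.com">contact our office</a></p>
<p><a href="https://www.example-bank.com/help">Help centre</a></p>
</body></html>
"""

# Constructed list; a real deployment would use a maintained one.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> we are currently inside, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    """Return [(href, visible_text), ...] in document order."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def host_of(url):
    """Hostname part of a URL, lower-cased by urlparse; '' if absent."""
    return urlparse(url).hostname or ""


def suspicious_links(html):
    """Return (reason, href, text) for each link that matches a phishing pattern.

    host-mismatch:   the text reads as a URL but its host is not the href's host.
    webmail-contact: a mailto: reply address at a free webmail provider.
    """
    findings = []
    for href, text in extract_links(html):
        if href.lower().startswith("mailto:"):
            addr = href[len("mailto:"):].split("?", 1)[0]
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain in FREE_WEBMAIL:
                findings.append(("webmail-contact", href, text))
            continue
        looks_like_url = text.lower().startswith(("http://", "https://"))
        if looks_like_url and host_of(text) != host_of(href):
            findings.append(("host-mismatch", href, text))
    return findings


if __name__ == "__main__":
    for reason, href, text in suspicious_links(SAMPLE_HTML):
        print(f"{reason}: text={text!r} href={href!r}")
```

      Run against the sample it reports the mismatched bank link and the gmail contact, and passes the third link, whose text is plain words rather than a URL. A mail gateway doing this for real would also look at the unparsed raw source, which is what the "read it in SOURCE CODE" approach further down this thread amounts to by hand.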

  5. AnotherName
    Facepalm

    A job for Clippy?

    I see you have just clicked on a link in an email - do you want me to write your resignation letter?

    1. stiine Silver badge
      Pint

      Re: A job for Clippy?

      Have a beer, I could only upvote this post once.

    2. Anonymous Coward
      Anonymous Coward

      Re: A job for Clippy?

      In fact, for one of our phishing awareness campaigns, the links sent the user to this kind of page once they entered their credentials...

      Some execs didn't find it funny...

  6. Al fazed
    WTF?

    Difficult all around

    There are still people who are sending genuine marketing messages only to subscribed customers AND they are unknowingly contributing to this confusing situation.

    I'm talking about the message composer who makes the content of the SUBJECT line read like a phishing attempt !!!!

    They do not even have their company name in the email address !!!!

    IT amateurs ? YES ! BUT ! They are being paid to do the vital comms and they haven't got one ounce of common sense.

    If I wasn't such a nerd, their messages would go straight into the BIN.

    However, strongly suspecting some low paid do gooder minion is slaving away for this third sector/charitable organisation, I read the important communication in SOURCE CODE if I really want to keep abreast of developments in this particular industry.

    SHEESH........Talk about shooting yourself in the foot over and over again...............from the bottom to the top, it's the "State of IT" rot. It's shit, but it is all that we have got.

    Unless we just switch off the PC.

    ALF

  7. PRR Silver badge
    Facepalm

    bug buying?

    > Zero Day Initiative (ZDI) purchased the bugs

    Is this normal? Buying bugs and admitting it?

    Did ZDI have to out-bid both the KGB and that wealthy teenage cracker in Lithuania?

    How can you know you have truly "bought the bug"? Can't it be copied and sold to more folks?

    What's the going rate?
