Fix CVE-2022-41091 IIS Security Feature Bypass Vulnerability

What is IIS security feature bypass vulnerability?

Microsoft Internet Information Services (IIS) security feature does not properly handle wildcard allow and deny rules for domains in the “IP Address and Domain Restrictions” list, which makes it easier for remote attackers to gain access to restricted network resources via HTTP requests that bypass the predetermined set of rules, also known as the “IIS Security Feature Bypass Vulnerability”.

How could an attacker exploit the vulnerability?

First, let’s start by understanding how a remote attacker could implement IIS security feature bypass vulnerability exploit? The vulnerability may be remotely initiated and successful exploitation by an attacker requires victim interaction. The vulnerability requires a user with an affected version of Windows to access a malicious server. The attacker cannot force users to visit the malicious site, but will usually convince them to do so voluntarily via an enticement in an email or chat message.

Therefore, if you are using the affected version of Windows, then this security issue will push your computer into a dangerous situation. Fixing this vulnerability is an urgent matter.

Microsoft’s November Patch Tuesday Updates Fix 69 Windows Flaws

So what is the best IIS security feature bypass vulnerability fix? Luckily, On November 8, 2022, Microsoft has released the November 2022 Patch Tuesday for all supported versions of Windows 11 and Windows 10, including the newly released version of Windows 11 22H2. A total of 69 Windows vulnerabilities have been fixed this time, six of which have been exploited by remote attackers, including the IIS security feature bypass vulnerability.

CVE-2022-41091 (Windows Mark of the Web Security Feature Bypass Vulnerability)

There are two fix patches released this month for the IIS security feature bypass vulnerability. This update resolves a security bypass feature that exists in IIS. The fixes of the vulnerability specifically in how inbound requests are processed against a list of IPs and domains that are to be allowed or denied.

Always backup your PC for continuous data protection

The above is about the security bypass vulnerability and its resolution. Hope that the November patch released by Microsoft will completely help you fix the IIS security feature bypass vulnerability. but it is worth noting that there will be hackers who will continue to work on how to exploit the newly reported vulnerabilities in the future, so there will be other security vulnerabilities coming up one after another.

To avoid being affected by these vulnerabilities, a best practice is to regularly backup your computer system and important data. There’s one best free backup and restore software – AOMEI Backupper Standard can meet your diverse needs. It can be operated on all Windows systems: Windows 11, 10, 8, 7, Vista, and XP, and it has the following benefits:

👣 Provide 4 backup types: You can perform System Backup, File Backup, Disk Backup, Partition Backup. You can use the File Backup feature to backup files to Google Drive. 
👣 Different backup paths: You can create a backup to local disk, external devices (USB, HDD, SSD, etc.), cloud drives, NAS, etc.
👣 Schedule Backup: You can set your backup at a regular basis as Daily, Weekly, Monthly, so any changes will not be missing.
👣 3 backup methods: Full backup, incremental backup and differential backup are available. You are allowed to backup only modified files to saves much time and disk space using the latter two features.

Follow the simple steps below to create a full backup of your PC for further protection:

Step 1. Have this freeware downloaded and installed on your computer. Open it, click Backup then select System Backup from the right side menu.

Step 2. As this software will automatically select the source for you, you just need to click the second bar to select a destination path.

Step 3. Confirm the operation and click Start Backup.

🌟 Before you start the backup task, you can customize your backup settings:

♧ Options：You are allowed to add comments to the backup tasks and enable email notifications free. If you upgrade to the Pro version, you can also enable encrypted backups to improve the security, thus you will not worry about such vulnerability.
♧ Schedule Backup: You could automatically backup computer on a regular basis with provided 5 choices: Daily, Weekly, Monthly, USB plug in (paid), Event triggers (paid).
♧ Backup Scheme: It supports you to automatically delete old backups to free up disk space while keep the latest backup versions (paid).

🌟 How to recover Windows OS to a previous good state:

Once with a backup of your computer, you will be able to restore your PC to a good state when you encounter problems related to Windows updates that cause your system to fail to boot, improper application and hardware compatibility issues, or even data loss in severe cases. You can use the free restore feature to recover your OS to a previous state.

Just click Restore on the left menu and click Select Task or Select Image File to find the image created with AOMEI before.

In the end

That’s all for how to fix IIS security feature bypass vulnerability. Microsoft’s November Patch Tuesday Updates can fix 69 Windows flaws including CVE-2022-41091 to fix this vulnerability. Hope this update will solve your computer risk problems and eliminate your worries.

As soon as Microsoft releases vulnerabilities notice or updates, remote attackers can seize these vulnerabilities to attack your computer, which can cause irreparable data loss. Therefore, it is necessary to make regular backups of your computer system and data.

Fortunately, AOMEI Backupper is able to meet your needs and safeguard your data continuously. You can use it to backup Windows 11 to other location on a regular basis. In addition, it can create bootable USB drives for you in case your computer fails to boot properly. So try it as your data defender now!