Microsoft has released 71 new security patches addressing vulnerabilities as part of the March 2022 Patch Tuesday, including three zero day bugs and three critical-rated software flaws.
The patches fix issues in Windows, Azure Site Recovery, Microsoft Defender for Endpoint and IoT, Intune, Edge, Windows HTML Platforms, Office, Skype for Chrome, .NET and Visual Studio, Windows RDP, SMB Server, and Xbox.
According to Zero Day Initiative, the patches are in addition to 21 bugs patched by Microsoft Edge (Chromium-based) earlier this month, bringing the total of bugs patched this month to 92.
In a blog, the Trend Micro-owned bug disclosure initiative, said the volume is in line with previous March releases, although the number of Critical-rated bugs is low.
None of the vulnerabilities are listed as under active exploit, but three are publicly known. However, there are a few that IT admins should prioritize:
CVE-2022-23277 – Microsoft Exchange Server Remote Code Execution Vulnerability
Microsoft disclosed yet another Exchange Server RCE bug this Patch Tuesday, which allows an authenticated attacker to execute code with elevated privileges through a network call. This is definitely one to prioritize, as it is rated critical and is now difficult to exploit. In its blog, ZDI says this will likely be exploited in the wild soon.
CVE-2022-21990 – Remote Desktop Client Remote Code Execution Vulnerability
According to ZDI, this important-rated bug is listed as publicly known, so admins should treat it as a critical one. If attackers can lure an affected RDP client to connect to their RDP server, they can trigger code execution on the targeted client. While not as severe as some pervious RDP server bugs, admins should patch this immediately.
CVE-2022-24508 – Windows SMBv3 Client/Server Remote Code Execution Vulnerability
According to ZDI, this vulnerability is similar to CVE-2020-0796, dubbed SMBGhost, that could allow an attacker to execute code on Windows 10 version 2004 and later. Both list disabling SMBv3 compression as a workaround for SMB servers, but this doesn’t help clients, the blog notes. In 2020, Microsoft said SMBv3 compression was not yet used by Windows or Windows Server, so disabling would have no negative impact, but this new advisory doesn’t say the same, ZDI notes. While authentication is required, an attacker could use this for lateral movement within a network since it affects both clients and servers.
HEVC & VP9 Video Extensions Remote Code Execution Vulnerabilities
There are eight RCE bugs in HEVC and VP9 Video Extensions, including two rated critical (one for each extension type) that would lead to a crash if a user is tricked into downloading and opening a specially crafted file.
Two other Zero Days
The two other publicly known bugs include on in .NET and Visual Studio, a remote code execution flaw. However, Microsoft didn’t release any additional information about it. The other publicly known vulnerability is in Windows Fax and Scan Service, an elevation of privilege bug.
11 Azure Site Recovery CVEs
These vulnerabilities — all of which are rated as important — are elevation of privilege or remote code execution bugs in Azure’s native disaster recovery as a service tool. If this platform is used in your environment, install these patches immediately.
For more information on Microsoft’s March 2022 Patch Tuesday, read ZDI’s blog.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!
Leave a Reply