Microsoft has released just 51 new patches to address vulnerabilities this month, but February’s Patch Tuesday comes with an anomaly: there are no critical-rated patches.
The number of security patches is unusually low, as the company last month issued fixes for over 120 security bugs and patched 67 vulnerabilities in December.
However, the most unusual aspect was the lack of a critical-rated vulnerability, writes Dustin Childs, head of communications for Trend Micro’s Zero Day Initiative.
“What’s curious about this release is the complete lack of Critical-rated patches,” Childs explains. “It may have happened before, but I can’t find an example of a monthly release from Microsoft that doesn’t include at least one critical-rated patch. It certainly hasn’t happened in recent memory.”
February’s Patch Tuesday is a welcome reprieve for IT administrators after a January release that saw Microsoft issue fixes for nine critical-rated bugs, including several remote code execution flaws.
Of the patches released, 50 are rated important and one is rated moderate in severity. Just one is publicly known, and none are listed as under active exploit at the time the patches were released.
Still, there were a couple of vulnerabilities that IT admins should prioritize patching, including:
CVE-2022-21984 – Windows DNS Server Remote Code Execution Vulnerability
According to Childs, this is a remote code execution bug in the Microsoft DNS server, and servers are only affected if dynamic updates are enabled. That is a relatively common configuration, however. If that setup exists in an IT environment, an attacker could completely take over your DNS and execute code with elevated privileges.
This isn’t rated as critical because dynamic updates aren’t enabled by default, but Childs warns that it should be treated as critical if DNS dynamic updates are enabled.
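One way to check whether that condition applies, as an added example that is not from Microsoft or ZDI: the PowerShell below lists the zones on each DNS server that accept dynamic updates. It assumes the DnsServer module (DNS Server role or RSAT DNS tools) is installed; the server names are hypothetical placeholders.

```powershell
# Added example: find DNS zones that accept dynamic updates, to decide whether
# CVE-2022-21984 should be handled as critical on a given server.
# The server names below are hypothetical placeholders; replace with your own.
$DnsServers = @('dns01.example.internal', 'dns02.example.internal')

function Get-DynamicUpdateZone {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName
    )
    foreach ($server in $ComputerName) {
        try {
            $zones = Get-DnsServerZone -ComputerName $server -ErrorAction Stop
        }
        catch {
            # Report unreachable servers instead of silently treating them as unaffected.
            [pscustomobject]@{
                Server        = $server
                Zone          = $null
                DynamicUpdate = 'Unknown'
                Note          = "query failed: $($_.Exception.Message)"
            }
            continue
        }
        # Match the two enabled values explicitly; forwarder and stub zones
        # may not expose a DynamicUpdate value at all.
        $zones |
            Where-Object { $_.DynamicUpdate -in 'Secure', 'NonsecureAndSecure' } |
            ForEach-Object {
                [pscustomobject]@{
                    Server        = $server
                    Zone          = $_.ZoneName
                    DynamicUpdate = $_.DynamicUpdate
                    Note          = if ($_.DynamicUpdate -eq 'NonsecureAndSecure') {
                                        'accepts unauthenticated updates'
                                    } else {
                                        'secure updates only'
                                    }
                }
            }
    }
}

# Any row returned means the server has dynamic updates enabled on that zone.
Get-DynamicUpdateZone -ComputerName $DnsServers |
    Sort-Object Server, Zone |
    Format-Table -AutoSize
```

Servers that return at least one zone are the ones to patch on a critical timeline; a row marked Unknown needs a manual check.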
CVE-2022-21995 – Windows Hyper-V Remote Code Execution Vulnerability
The patch fixes a guest-to-host escape in Hyper-V server. According to Microsoft, the exploit complexity is high since it requires an attacker to prepare the target environment to improve exploit reliability. It is again recommended to be treated as a critical update.
CVE-2022-23280 – Microsoft Outlook for Mac Security Feature Bypass Vulnerability
According to Childs, this Outlook flaw could allow images to appear in the Preview Pane automatically, even if the option is disabled. On its own, exploiting this bug will only expose the target’s IP information, but a second bug affecting image rendering could be paired with it to allow remote code execution. Outlook for Mac users should check to make sure their version has been updated to an unaffected version.
CVE-2022-22005 – Microsoft SharePoint Server Remote Code Execution Vulnerability
This bug could allow an authenticated user to execute any arbitrary .NET code on the server under the context and permissions of the service account of SharePoint Web Application, per Childs.
“An attacker would need ‘Manage Lists’ permissions to exploit this, by default, authenticated users are able to create their own sites and, in this case, the user will be the owner of this site and will have all necessary permissions,” Childs writes.
CVE-2022-21989 – Windows Kernel Elevation of Privilege Vulnerability
This is the only publicly known vulnerability addressed in Microsoft’s February releases, but Microsoft lists the attack complexity as high.
Four Elevation of Privilege Vulnerabilities in Windows Print Spooler
If you recall PrintNightmare, then you know the print spooler has been an attractive target for attackers. The CVEs are CVE-2022-21997, CVE-2022-21999, CVE-2022-22717 and CVE-2022-22718.
Adobe patches
Adobe released fixes for 17 vulnerabilities, including 13 bugs in Illustrator, the most severe of which could allow arbitrary code execution through either a buffer overflow or an out-of-bounds write. There is also a critical-rated code execution bug in Creative Cloud Desktop and After Effects that needs to be patched.
However, none of these Adobe flaws are listed as publicly known or under active attack.