Microsoft squashed a total of 48 security bugs, including one zero-day vulnerability, with February’s Microsoft security updates Patch Tuesday. This figure does not include the 22 Microsoft Edge (chromium) fixes rolled out with today’s Patch release, 19 of which were actually fixed earlier this month. This brings the total number of patches released in February (so far) to 70.
The 48 new patches address vulnerabilities in Microsoft Windows and Windows components, Microsoft Dynamics, Microsoft Office, Windows Hyper-V Server, Visual Studio Code, SQL Server, Azure Data Explorer, and Teams. The vulnerabilities fixed today are distributed as follows:
- Microsoft Edge-Chromium (22)
- Elevation of Privilege (16)
- Remote Code Execution (16)
- Denial of Service (5)
- Information Disclosure (5)
- Security Feature Bypass (3)
- Spoofing (3)
Forty-eight is a relatively low number of vulnerabilities for a Microsoft Windows Patch Tuesday release. In comparison, Microsoft fixed a total of 96 CVEs in the last Patch Tuesday, exactly twice as many as today. But actually, this patch volume aligns with February releases from previous years (except 2020), which hovers around 50 vulnerabilities.
One Zero-Day Bug Fixed
A single zero-day vulnerability, CVE-2022-21989 – Windows Kernel Elevation of Privilege, was fixed in today’s update batch. Microsoft rated the CVE Important and assigned it a 7.8 CVSS. The zero-day bug was publicly disclosed but had no reports of exploits in the wild. If exploited, the flaw could be used to escalate an attacker’s privileges in a vulnerable system through the kernel. However, Microsoft says that such an exploit is unlikely because the attacker must prepare the target environment before a successful exploit of CVE-2022-21989.
CVE-2022-22005 – Microsoft SharePoint Server RCE Bug
This flaw could allow an authenticated user/attacker to run any arbitrary .NET code on the SharePoint server. Exploiting this flaw requires prior authentication, which is why Microsoft only rated it Important. But with an 8.8 severity score, it’s borderline Critical, and exploitation is more likely.
More Print Spooler CVEs
Four (CVE-2022-21997, CVE-2022-21999, CVE-2022-22717, CVE-2022-22718) of the 48 patches released this Tuesday address security issues in the Print Spooler, the Windows resource for handling printing tasks. In July 2021, Microsoft released an emergency fix for the infamous Print Spooler bug nicknamed “PrintNightmare.” Microsoft has since been rolling out monthly patches for this service. It seems that the nightmare persists even today, but it’s well under control for now.
CVE-2022-21984 – Windows DNS Server RCE Vulnerability
This CVE gets an 8.8 CVSS. An attacker could exploit this bug to take over a DNS server and run malicious code with elevated privileges. But this would only be possible if the server’s dynamic update setting was enabled. This setting is disabled on all DNS servers by default — probably why the flaw doesn’t have a Critical severity rating. But if your DNS server environment has dynamic updates turned on, you should treat this as a Critical update.
CVE-2022-21995 – Windows Hyper-V RCE Flaw
CVE-2022-21995 enables a VM (virtual machine) or guest escape, a situation where a guest virtual machine or user gains access to the hosting operating system or environment. Although the flaw has a 7.9 CVSS, Microsoft says the exploit complexity is high because the attacker first has to prepare the attack environment. It’s not very clear what this means exactly. So, better take this with a grain of salt if you rely on Hyper-V servers.
This concludes our brief review of February’s Microsoft Patch Tuesday. Go to this month’s Patch Tuesday release notes to get a complete Microsoft Patch Tuesday list and additional details on the same. More importantly, install all the necessary patches as soon as possible. And remember, Action1 patch management solution is here if you need help with Patch Tuesday issues, Windows updates, or patch deployment.
Stay tuned for more Microsoft Patch Tuesday news and updates. Until then, stay safe.