Patch Tuesday December 2022

Patch Tuesday December 2022 Updates – Vulnerability Digest from Action1

This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.

In this issue, you will learn about patches for:

• ^ Microsoft vulnerabilities from Patch Tuesday
  • ^ Windows SmartScreen Security Feature Bypass Vulnerability (CVE-2022-44698)
  • ^ PowerShell Remote Code Execution Vulnerability (CVE-2022-41076)
  • ^ Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2022-44693)
  • ^ ProxyNotShell (CVE-2022-41040 and CVE-2022-41082)
  • ^ .NET Framework Remote Code Execution Vulnerability (CVE-2022-41089)
  • ^ Windows Print Spooler Elevation of Privilege Vulnerability (CVE-2022-44678 and CVE-2022-44681)
• ^ Third-party application vulnerabilities:
  • ^ Internet Explorer
  • ^ Google Chrome
  • ^ Mozilla Firefox
  • ^ Avast
  • ^ Foxit Reader
  • ^ VLC Media Player
  • ^ Zoom

For even more information, please visit our Patch Tuesday page and join our Patch Tuesday webinar.

Microsoft Vulnerabilities

December Patch Tuesday brings us 52 fixes from Microsoft. There are seven critical updates, including one zero-day being actively exploited in the wild, and one more critical flaw that has a working proof-of-concept. All this shows Microsoft is working hard at the end of the year.

Windows SmartScreen Security Feature Bypass Vulnerability (CVE-2022-44698)

Microsoft has resolved the new zero-day vulnerability impacting the Windows SmartScreen. Windows SmartScreen Security Feature Bypass Vulnerability affects all Windows OS versions starting from Windows 7 and Windows Server 2008 R2. The vulnerability has low complexity. It uses the network vector, and requires no privilege escalation. However, it does need user interaction; attackers need to dupe a victim into visiting a malicious website through phishing emails or other forms of social engineering to exploit the security feature bypass. A threat actor can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features, which rely on MOTW tagging – for example, ‘Protected View’ in Microsoft Office. This zero-day has a moderate CVSS risk score of 5.4, because it only helps to avoid the Microsoft Defender SmartScreen defense mechanism, which has no RCE or DoS functionality.
Microsoft has confirmed that it is being actively exploited in the wild. However, the proof of concept has not yet been publicly disclosed.
The mitigation is installing the Microsoft update on all systems after testing it properly. Also, ensure your users are well-trained to identify and report phishing attacks.

PowerShell Remote Code Execution Vulnerability (CVE-2022-41076)

Microsoft has resolved CVE-2022-41076, the new critical vulnerability that impacts Microsoft PowerShell. It has high complexity, uses the network vector, requires low privilege, and does not need user interaction.
It affects all Windows OS versions starting from Windows 7 and Windows Server 2008 R2, PowerShell 7.2 and 7.3. This critical vulnerability has a high CVSS risk score of 8.5, because any authenticated user can trigger the vulnerability and run unapproved PowerShell commands execution in the target system, even though the exploitation does require some preparation from the attacker. Microsoft hasn’t disclosed what these preparations involve specifically. However, Microsoft has confirmed that this vulnerability is not being exploited in the wild.

Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2022-44693)

This patch fixes CVE-2022-44693, a critical vulnerability in Microsoft SharePoint, which can lead to remote code execution. This dangerous vulnerability affects all versions of SharePoint, starting from MS SharePoint Enterprise Server 2013 SP 1. Moreover, it has low complexity, uses the network vector, and requires no privilege escalation. To exploit it, attackers only need access to the basic user account with Manage List permissions, which most companies grant to all SharePoint users by default. This vulnerability does not require user interaction; once attackers get the appropriate credentials, they can execute code remotely on a target SharePoint server. Since this critical vulnerability needs a user account with a low permission level, it has received a high CVSS risk score of 8.8.
Microsoft has stated that it is not exploited in the wild, and no proof of concept is publicly disclosed.
The mitigation measure is to install the cumulative update for Microsoft SharePoint on all SharePoint servers after testing it properly in the test environment.

.NET Framework Remote Code Execution Vulnerability (CVE-2022-41089)

CVE-2022-41089 is one more critical vulnerability fixed in this Patch Tuesday, which affects .NET Framework, versions 3.5 to 4.8. This vulnerability has low complexity. It uses the network vector and requires no privilege escalation.

This critical vulnerability has a high CVSS risk score of 8.8, because it has Remote Code Execution ability. The only reason why Microsoft has not assigned it a score of 10 is that it requires a user to interact with the attacker environment somehow – for example, by visiting a malicious site.

Microsoft has stated that vulnerability is not being exploited in the wild, and there is no proof of concept. Other details about the vulnerability haven’t been disclosed yet by Microsoft.

The mitigation is testing the Microsoft update properly and installing it on all systems with .Net Framework 3.5 and later

Windows Print Spooler Elevation of Privilege Vulnerability (CVE-2022-44678 and CVE-2022-44681)

Almost every month, Microsoft releases patches to address vulnerabilities related to Print Spooler. Most of these bugs are rated “important” with CVSS score of 7.8. The newly resolved CVE-2022-44678 is most likely to be exploited, which is probably true because Microsoft fixed another zero-day vulnerability related to Print Spooler last month. The risk from CVE-2022-44678 is the same: an attacker can get SYSTEM privileges, but only locally after successful exploitation.

Windows Print Manager has been the target for attackers since PrintNightmare was exposed more than a year ago. We have encountered vulnerabilities of this sort almost every month after that. Similarly, this flood of patches is likely to continue after CVE-2022-44678. IT teams should take the risk from vulnerabilities in Print Spooler very seriously because the Windows Print Manager apparently has many flaws. Therefore, if you do not use it, disable it, even if it has all the latest patches installed. Attackers will keep digging this “Rabbit Hole” on and on.

Internet Explorer

Google Threat Analysis Group (TAG) reported a zero-day vulnerability in Internet Explorer (IE) that was actively exploited in October 2022 by North Korean hackers known as APT37. The attack was carried out by introducing malware into documents referencing the recent tragedy in Itaewon during Seoul’s Halloween festivities. Although IE was officially shut down in June of this year and replaced by Microsoft Edge, MS Office still uses the IE engine to run JavaScript, which makes the attack possible on computers running Windows versions 7–11 and Windows Server 2008–2022 unless the November 2022 security update has been installed.

Another zero-day vulnerability, tracked as CVE-2022-41128 (CVSS score of 8.8), was found in the jscript9.dll of IE’s JavaScript engine. It could be used to deliver malware or execute arbitrary code when displaying an attacker-controlled website. The vulnerability was reported within hours of its discovery on Oct. 31, and a patched was released on Nov. 8.

Google Chrome

Google announced the release of Chrome 108 in the stable channel with patches for 28 vulnerabilities. Eight address high-severity issues and 14 fix medium-severity issues. Google makes no mention of any of these vulnerabilities being used in attacks.

The most serious is CVE-2022-4174, a type confusion problem in the web browser’s JavaScript V8 engine. All of the other high-severity vulnerabilities are memory security bugs, including one off-memory write problem and six use-after-free memory problems. Google has been working to improve memory security in Chrome for more than a year, including by switching from C++ to the Rust compiler.

The 14 medium-severity vulnerabilities include insufficient policy enforcement issues, insufficient validation of unreliable input errors, inappropriate implementation errors, and use-after-free usage flaws.

Google developers released an urgent fix for Chrome 108.0.5359.94. It addresses CVE-2022-4262, a “Type Confusion in V8” vulnerability that affects all versions of the browser on all platforms. There is already a working exploit for this vulnerability, so we recommend that you update your Chrome browser as soon as possible.

Google will not publish details about the vulnerability and exploit until most users’ browsers are updated, and rightly so. What we do know is that “Type Confusion in V8” vulnerabilities are related to the browser’s JavaScript engine. Accordingly, it is very likely that this vulnerability allows remote code execution, which means that a threat actor could cause any script or malware payload to be executed on the victims’ device. For example, a remote attacker could exploit heap corruption through a crafted HTML page in order to steal data from the affected devices or to create botnets to perform distributed denial-of-service (DDoS) attacks, mine cryptocurrency, or send spam.

This fix addresses the ninth zero-day vulnerability in the browser this year. Moreover, it continues an odd pattern of Google fixing a zero-day vulnerability soon after a regular release.

Mozilla Firefox

Mozilla has released Firefox 107, which fixed 19 CVEs. Nine of them have a high severity rating; they include a memory security bug, use-after-free memory usage issues that could lead to information disclosure, and a vulnerability that enables bypassing full-screen notifications that can lead to spoofing attacks, crashes, or remote code execution (RCE).

The medium-severity CVEs include problems can lead to security bypass, cross-site tracing, code execution, compromise through file uploads, keystroke leaks, and spoofing attacks.

Some vulnerabilities affect only Firefox for Android, while others affect all Unix-based operating systems.

Many of the bugs have also been fixed in Thunderbird with the release of version 102.5.

Although attackers have focused more on Chrome than Firefox in the past, the popularity of Firefox among users makes it a tempting target.

Two critical vulnerabilities (CVE-2022-26485 and CVE-2022-26486) have already been used in attacks, so update Firefox as soon as possible.

Avast

A high-severity vulnerability (CVE-2022-4173) with a CVSS score of 6.3 was found in Avast antivirus software. It affects the Malware Removal Handler component.

Another high-severity bug is CVE-2022-4291. The aswjsflt.dll library contains a potentially exploitable heap corruption vulnerability that could enable an attacker to bypass the sandbox of the application it was loaded into. While the attack can be initiated remotely, no exploit is available and, according to VulDB, the the likelihood of its exploitation by threat actors is below average. This issue was fixed in version 18.0.1478 of the Script Shield Component.

Foxit Reader

Numerous RCE usage bugs have been fixed in Foxit Reader version 12.0.1.124306. Cisco Talos researchers reported four of them, CVE-2022-32774, CVE-2022-38097, CVE-2022-37332, and CVE-2022-40129, to Foxit back in September; they all have a CVSS score of 8.8. To exploit these vulnerabilities, an attacker could need to trick a user into opening a specially crafted PDF document, which could enable reuse of previously freed memory and execution of arbitrary code. Alternatively, if the Foxit browser plugin extension is enabled, the bugs could be triggered when a user navigates to a malicious website.

Users are advised to update Foxit Reader as soon as possible.

VLC Media Player

A recent VLC Media Player update fixes four vulnerabilities that could lead to execution of attacker code when processing specially crafted files or threads. The most dangerous vulnerability is CVE-2022-41325, an integer overflow in the VLC Media Player. By tricking a user into opening a crafted playlist or connecting to a rogue VNC server, an attacker could crash VLC Media Player or execute code.

The other vulnerabilities, which affect mp4 and ogg file formats, are likely to be exploited only to cause a denial of service.

Zoom

Zoom fixed two high-severity vulnerabilities in Zoom Client for Meetings.
The Zoom Client for Meetings Installer for macOS (Standard and for IT Admin) before version 5.12.6 contains a local privilege escalation vulnerability (CVE-2022-28768). A local, low-privileged user could exploit this vulnerability during the install process to escalate their privileges to root.

Windows 32-bit versions of Zoom Client for Meetings before 5.12.6 and Zoom Rooms for Conference Room before version 5.12.6 are susceptible to a DLL injection vulnerability (CVE-2022-28766). A local low-privileged user could exploit this vulnerability to run arbitrary code in the context of the Zoom client.

We recommend updating Zoom as soon as possible.

How To Efficiently Patch All of These Vulnerabilities And More

Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.

Get started today and use Action1 on 100 endpoints free of charge with no functionality limitations.

Webinar Recording: December 2022 Vulnerability Digest from Action1