Microsoft on Tuesday rolled out its monthly security updates with fixes for 51 vulnerabilities across its software line-up consisting of Windows, Office, Teams, Azure Data Explorer, Visual Studio Code, and other components such as Kernel and Win32k.
Among the 51 defects closed, 50 are rated Important and one is rated Moderate in severity, making it one of the rare Patch Tuesday updates without any fixes for Critical-rated vulnerabilities. This is also in addition to 19 more flaws the company addressed in its Chromium-based Edge browser.
None of the security vulnerabilities are listed as under active exploit, while of the flaws — CVE-2022-21989 (CVSS score: 7.8) — has been classified as a publicly disclosed zero-day at the time of the release. The issue concerns a privilege escalation bug in Windows Kernel, with Microsoft warning of potential attacks exploiting the shortcoming.
“Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment,” the company noted in its advisory. “A successful attack could be performed from a low privilege AppContainer. The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment.”
Also resolved are a number of remote code execution vulnerabilities affecting Windows DNS Server (CVE-2022-21984, CVSS score: 8.8), SharePoint Server (CVE-2022-22005, CVSS score: 8.8), Windows Hyper-V (CVE-2022-21995, CVSS score: 5.3), and HEVC Video Extensions (CVE-2022-21844, CVE-2022-21926, and CVE-2022-21927, CVSS scores: 7.8).
The security update also remediates a Azure Data Explorer spoofing vulnerability (CVE-2022-23256, CVSS score: 8.1), two security bypass vulnerabilities each impacting Outlook for Mac (CVE-2022-23280, CVSS score: 5.3) and OneDrive for Android (CVE-2022-23255, CVSS score: 5.9), and two denial-of-service vulnerabilities in .NET (CVE-2022-21986, CVSS score: 7.5) and Teams (CVE-2022-21965, CVSS score: 7.5).
Microsoft also said it remediated multiple elevation of privilege flaws — four in the Print Spooler service and one in the Win32k driver (CVE-2022-21996, CVSS score: 7.8), the latter of which has been labeled “Exploitation More Likely” in light of a similar vulnerability in the same component that was patched last month (CVE-2022-21882) and has come since under active attack.
The updates arrive as the tech giant late last month republished a vulnerability dating back to 2013 — a signature validation issue affecting WinVerifyTrust (CVE-2013-3900) — noting that the fix is “available as an opt-in feature via reg key setting, and is available on supported editions of Windows released since December 10, 2013.”
The move may have been spurred in response to an ongoing ZLoader malware campaign that, as uncovered by Check Point Research in early January, was found leveraging the flaw to bypass the file signature verification mechanism and drop malware capable of siphoning user credentials and other sensitive information.
Software Patches from Other Vendors
Besides Microsoft, security updates have also been released by other vendors to rectify several vulnerabilities, counting —