Microsoft March 2022 Patch Tuesday: 71 vulnerabilities fixed
Microsoft has released 71 security fixes for software, including 41 patches for Microsoft Windows vulnerabilities, five vulnerabilities in Microsoft Office and two in Microsoft Exchange.
Two of the vulnerabilities are rated critical — CVE-2022-22006 and CVE-2022-24501 — while the rest are rated important.
In the Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, Microsoft has fixed problems including remote code execution (RCE) vulnerabilities, denial of service bugs, privilege escalation bugs, spoofing issues, information leaks, and policy bypass exploits.
None of the vulnerabilities are being actively exploited, but Sophos noted that a public proof-of-concept has been released for CVE-2022-21990.
March’s security update impacted products include Exchange, Visual Studio, the Xbox app for Windows, Intune, Microsoft Defender, Express Logic, Azure Site Recovery, and the Chromium-based Microsoft Edge browser, which had 21 vulnerabilities.
Some of the other vulnerabilities of interest in this update are:
- CVE-2022-24502: Internet Explorer Security Feature Bypass Vulnerability
- CVE-2022-24508: SMB Server Remote Code Execution Vulnerability
- CVE-2022-24512: .NET and Visual Studio Remote Code Execution Vulnerability
- CVE-2022-21990: Remote Desktop Client Remote Code Execution Vulnerability
- CVE-2022-23277: Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2022-24459: Windows Fax and Scan Service Elevation of Privilege Vulnerability
Microsoft also announced a slate of updates to Windows 11 on Tuesday.
Recorded Future’s Allan Liska noted that Microsoft labeled CVE-2022-21990 as “Exploitation More Likely” because there is Proof of Concept code publicly available.
“In order to exploit this vulnerability, the attacker must control the Remote Desktop Server that the client is connected to and launch the attack from there,” Liska said.
“We have seen a number of similar vulnerabilities against the Remote Desktop Client over the last few years, none of which have been widely exploited in the wild. Even though previous vulnerabilities of this type have not been widely exploited, that doesn’t mean this one won’t be.”
Liska added that CVE-2022-24501 and CVE-2022-22006 can be exploited if an attacker convinces a victim to download a “specially crafted file” which would crash and exploit the vulnerability when it is opened.
“This is the kind of attack that a sophisticated phishing campaign could easily carry out,” Liska explained.
In February, the tech giant released 48 security fixes for software, including a patch for a zero-day bug but no critical-severity flaws.