Microsoft Patch Tuesday, March 2022 Edition – Krebs on Security
Microsoft released software updates on Tuesday to close at least 70 security holes in its Windows operating systems and related software. For the second month in a row, there are no scary zero-day threats for Windows users, and relatively few “critical” patches. And yet, we know from experience that attackers are already trying to figure out how to turn these patches into a roadmap for exploiting the flaws they fix. Here’s a look at the security weaknesses that Microsoft says are most likely to be targeted first.
Greg Wiseman, product manager at Rapid7, notes that three vulnerabilities patched this month have already been publicly disclosed, potentially giving attackers a head start in figuring out how to exploit them. These include the remote code execution bugs CVE-2022-24512, affecting .NET and Visual Studio, and CVE-2022-21990, affecting Remote Desktop Client. CVE-2022-24459 is a vulnerability in the Windows Fax and Scan service. All three publicly disclosed vulnerabilities are rated “Important” by Microsoft.
Only three of this month’s patches earned Microsoft’s “Critical” rating, which Redmond assigns to bugs that can be exploited to remotely compromise a Windows PC with little or no help from users. Two of these critical flaws relate to Windows video codecs. Perhaps the most concerning critical bug patched this month is CVE-2022-23277, a remote code execution flaw affecting Microsoft Exchange Server.
“Fortunately, this is a post-authentication vulnerability, which means attackers need credentials to exploit it,” Wiseman said. “While passwords can be obtained through phishing and other means, this one shouldn’t be exploited as massively as the deluge of Exchange vulnerabilities we’ve seen throughout 2021. Exchange admins should still patch as soon as reasonably possible.”
CVE-2022-24508 is a remote code execution bug affecting Windows SMB v3, the technology that manages file sharing in Windows environments.
“This has the potential for widespread exploitation, assuming an attacker can set up an appropriate exploit,” Wiseman said. “Fortunately, like this month’s Exchange vulnerabilities, this also requires authentication.”
Kevin Breen, director of cyber threat research at Immersive Labs, drew attention to a trio of bugs fixed this month in the Windows Remote Desktop Protocol (RDP), which is a favorite target of ransomware groups.
“CVE-2022-23285, CVE-2022-21990 and CVE-2022-24503 are a potential concern, especially since this infection vector is commonly used by ransomware actors,” Breen said. “While exploitation is not trivial, requiring an attacker to set up bespoke infrastructure, it still presents enough risk to be a priority.”
March Patch Tuesday also brings an unusual update (CVE-2022-21967) that may be the first security patch involving Microsoft’s Xbox device.
“This appears to be the first security patch specifically affecting Xbox,” said Dustin Childs of Trend Micro’s Zero Day Initiative. “There was a notice for an inadvertently leaked Xbox Live certificate back in 2015, but this appears to be the first security-specific update for the device itself.”
Also on Tuesday, Adobe published updates addressing six vulnerabilities in Adobe Photoshop, Illustrator and After Effects.
For a complete rundown of all fixes released by Microsoft today, indexed by severity and other metrics, see the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off on applying the updates for a few days, until Microsoft works out any problems in them: AskWoody.com usually has the lowdown on patches that may cause trouble for Windows users.
As always, consider backing up your system or at least your important documents and data before applying system updates. And if you have any issues with these fixes, please leave a note about it here in the comments.
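As an added example (not code from this article or from any of the vendors it quotes), the following Windows PowerShell 5.1 script carries out the two pieces of advice above on a single machine: take a restore point before patching, look at what Windows Update is about to install (with Microsoft’s own severity rating, so the handful of “Critical” updates stand out), and defer the monthly quality updates for a few days so the machine picks them up after any early reports of broken patches. It assumes an elevated prompt, System Protection enabled on the system drive, and a PC that is not already governed by WSUS or Intune policy (which would override the deferral). The deferral period and the restore-point label are assumed values; no KB numbers are hard-coded because the article does not list any.

```powershell
# Added example, not code from the Krebs on Security article.
# Assumptions: Windows 10/11, Windows PowerShell 5.1, elevated prompt,
# System Protection enabled, machine not managed by WSUS/Intune policy.
# $DeferDays and $RestorePointLabel are chosen values, not from the article.
param(
    [int]$DeferDays = 7,
    [string]$RestorePointLabel = 'Pre-PatchTuesday-2022-03'
)

# 1. Snapshot first: a system restore point is the minimum "back up your
#    system" step before patching. Windows creates at most one restore point
#    per 24 hours by default, so a failure here usually means one already exists.
try {
    Checkpoint-Computer -Description $RestorePointLabel -RestorePointType MODIFY_SETTINGS -ErrorAction Stop
    Write-Host "Restore point '$RestorePointLabel' created."
} catch {
    Write-Warning "Restore point not created: $($_.Exception.Message)"
}

# 2. Inspect what Windows Update wants to install, via the Windows Update Agent
#    COM API. MsrcSeverity is Microsoft's rating (Critical/Important/Moderate/Low),
#    so critical updates can be identified without knowing KB numbers in advance.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

$report = foreach ($u in $pending.Updates) {
    $sev = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }
    [pscustomobject]@{
        KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity = $sev
        Title    = $u.Title
    }
}
Write-Host "$($pending.Updates.Count) update(s) pending:"
$report | Sort-Object Severity | Format-Table -AutoSize

# 3. Defer quality (monthly security) updates using the documented Windows
#    Update for Business policy values. A value of 0 or less removes the deferral.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
New-Item -Path $wuPolicy -Force | Out-Null
if ($DeferDays -gt 0) {
    Set-ItemProperty -Path $wuPolicy -Name DeferQualityUpdates             -Value 1          -Type DWord
    Set-ItemProperty -Path $wuPolicy -Name DeferQualityUpdatesPeriodInDays -Value $DeferDays -Type DWord
    Write-Host "Quality updates deferred for $DeferDays day(s)."
} else {
    Remove-ItemProperty -Path $wuPolicy -Name DeferQualityUpdates, DeferQualityUpdatesPeriodInDays -ErrorAction SilentlyContinue
    Write-Host "Quality update deferral removed."
}
```

Run it once before Patch Tuesday lands (`.\pre-patch.ps1 -DeferDays 7`) and again with `-DeferDays 0` once AskWoody and the other sources above show the month’s updates are behaving; the pending-update listing is also a quick way to confirm, after the deferral expires, that the Exchange, SMB and RDP fixes discussed above have actually been offered to the machine.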