MR - stock.adobe.com
Microsoft has issued patches to address a total of 48 vulnerabilities in its monthly Patch Tuesday update, including one lone zero-day that is yet to be exploited in the wild. The February update is one of the lightest seen since the summer of 2021, but this is not necessarily out of the ordinary given that it follows a hefty January drop.
Even so, it is perhaps more notable for not being nearly as severe as usual, as Recorded Future senior security architect Allan Liska noted. “There were no vulnerabilities reported that Microsoft has seen exploited in the wild, and in an unusual statement for Patch Tuesday, none of the vulnerabilities disclosed this month have been rated as critical by Microsoft,” he said.
“Perhaps more important is the new cumulative updates for this month should ease frustration for teams that are still deferring updates from January due to multiple complications,” said Lewis Pope, head security nerd at N-able. “The new CUs should help teams get caught up and back in compliance with their patch management controls.”
Kev Breen, director of cyber threat research at Immersive Labs, said: “January’s patch release may have left some IT teams feeling somewhat sour as Microsoft had to reissue updates to fix some unexpected issues caused by the updates. This should not be used as an excuse to skip updates, but it does reinforce how important it is to test patches in a staging environment or use a staggered roll-out, and why monitoring for any adverse impacts should always be a key step in your patching policy.”
The disclosed zero-day is tracked as CVE-2022-21989 and is an elevation of privilege vulnerability in the Windows Kernel affecting Windows 7 through 11 and Windows Server 2008 through 2022. It carries a CVSS rating of 7.8 and is not thought particularly easy to exploit.
Tenable staff research engineer Satnam Narang explained: “The complexity to exploit [this] vulnerability is high because of the added legwork required to prepare the target – this type of vulnerability is often leveraged by an attacker once they’ve already compromised the target.”
Nevertheless, despite the lower-than-usual rating for a publicly disclosed zero-day, it is highly likely it will be exploited in short order, as Ivanti product management vice-president Chris Goettl explained: “Exploit code maturity is at proof-of-concept; this means that much of the initial investigative work for a weaponised exploit has already been done, and details could be publicly available to threat actors.”
Read more about Patch Tuesday
- A larger than of late Patch Tuesday update from Microsoft comes as defenders continue to grapple with Log4Shell.
- December’s Patch Tuesday update from Microsoft contains several critical CVEs, but this month all attention is focused on the fallout from Log4Shell, and burn-out is becoming a real issue.
- Another relatively light Patch Tuesday drop from Microsoft addresses 55 vulnerabilities, two of them already being exploited.
Some of the other more noteworthy vulnerabilities this month include CVE-2022-21984, a remote code execution vulnerability in Windows DNS Server affecting Windows 10 and 11, and Server 2022, but only if they have dynamic updates enabled; and CVE-2022-22005, a remote code execution vulnerability in Sharepoint Server affecting versions 2013-19 and Subscription Edition, which requires a malicious actor to be authenticated on their target system to be exploited.
There are also four new privilege escalation vulnerabilities in Windows Print Spooler – one of them credited to the same Chinese team who uncovered the PrintNightmare nightmare last year. These should be prioritised as the high-profile nature of PrintNightmare continues to attract the attention of both ethical and malicious hackers.
Breen at Immersive Labs observed: “Is it really Patch Tuesday if we don’t talk about a vulnerability in the Windows Print Spooler Components? This month sees four new CVEs related to this heavily exploited component: CVE-2022-21999, CVE-2022-22718, CVE-2022-21997, and CVE-2022-22717.
“They are all listed as elevation of privilege, which forms a key part of the attack chain. Once initial access has been gained, attackers will quickly seek to gain administrator level access so they can move across the network, compromise other devices and avoid detection by disabling security tooling.”