Microsoft serves up three zero-days on March Patch Tuesday
Three zero-days pop up in Microsoft’s March update, along with a number of other noteworthy concerns for defenders
Microsoft has issued fixes for a total of 71 common vulnerabilities and exposures (CVEs), among them three zero-day flaws, and three critically rated bugs, in its latest monthly Patch Tuesday drop.
None of the three zero-days is known to be under active exploitation, although all three have been publicly disclosed ahead of the fix, which is what earns them the zero-day label here. They are, in ascending order of severity: CVE-2022-24512, a remote code execution (RCE) vulnerability in .NET and Visual Studio; CVE-2022-24459, an elevation of privilege (EOP) vulnerability in the Windows Fax and Scan service; and CVE-2022-21990, an RCE vulnerability in Remote Desktop Client.
While the March release saw a substantial uptick in vulnerability volumes on a month-by-month basis, critical vulnerabilities continued their downward trend, observed Automox product strategy vice-president Paul Zimski.
“Thankfully for all IT technicians, there’s been a downward trend in critical vulnerabilities to address in the past couple of months. February’s Patch Tuesday was mild with zero critical vulnerabilities, and this month’s Patch Tuesday is lighter with three critical vulnerabilities, a 54% reduction from the 12-month rolling average,” said Zimski.
The three critical vulnerabilities are CVE-2022-22006, CVE-2022-24501 and CVE-2022-23277, RCE flaws in HEVC Video Extensions, VP9 Video Extensions and Exchange Server respectively.
Other noteworthy vulnerabilities this month include two other bugs in Remote Desktop Client, CVE-2022-23285 and CVE-2022-24503, which Kev Breen of Immersive Labs said reflected the expansion of the attack surface presented by remote desktop protocol (RDP) due to remote working volumes remaining high.
“[They] are a potential concern as this infection vector is commonly used by ransomware actors. While exploitation is not trivial, requiring an attacker to set up bespoke infrastructure, it still presents enough of a risk to be a priority,” said Breen.
Breen also identified CVE-2022-24508 as being worthy of increased attention. This RCE in Windows SMB v3 could be exploited as part of a lateral-movement chain, although successful exploitation requires a valid set of credentials.
Additionally, he said, three EOP bugs, CVE-2022-23286, CVE-2022-24507 and CVE-2022-23299 could also be used as “connective tissue” in a multi-stage attack. “Addressing these will stop a potentially limited incursion becoming more serious,” said Breen.
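The practical follow-up to a list like the one above is confirming which hosts have actually taken the March update and which optional components that host the flaws are present. The PowerShell audit below is an added example, not code from the article or from Microsoft. It assumes it is run as an administrator on a Windows 10/11 or Windows Server host with PowerShell 5.1 or later and a reachable Windows Update source (WSUS or Microsoft Update); the function name is the author's choice, and the only fixed value taken from the article is the 8 March 2022 release date.

```powershell
# Added example (not from the article): audit a Windows host's patch state
# after the March 2022 Patch Tuesday (released 8 March 2022).
# Assumptions: run elevated on Windows 10/11 or Server with PowerShell 5.1+,
# with access to WSUS or Microsoft Update. Get-WindowsCapability needs the
# DISM module (Windows 10 1809+); the function name is the author's choice.

function Get-PatchTuesdayStatus {
    param(
        [datetime]$PatchTuesday = [datetime]'2022-03-08'
    )

    # 1. Updates already installed on or after Patch Tuesday.
    #    Get-HotFix reads Win32_QuickFixEngineering; InstalledOn can be null
    #    for some entries, so those are skipped rather than compared.
    $installed = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn

    # 2. Updates the host still needs, via the Windows Update Agent COM API.
    #    Each pending update carries its KB numbers and the CVE IDs it fixes,
    #    which is what lets you map a host's gap back to the CVEs above.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    $pending  = foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity = $u.MsrcSeverity
            CVEs     = ($u.CveIDs -join ',')
        }
    }

    # 3. Is the Fax and Scan optional component (home of CVE-2022-24459)
    #    even installed? If not, that EOP is not reachable on this host.
    $fax = Get-WindowsCapability -Online -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'Print.Fax.Scan*' } |
        Select-Object Name, State

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        InstalledSince    = $installed
        PendingUpdates    = $pending
        FaxAndScanFeature = $fax
    }
}

# Usage: run on a host (or wrap in Invoke-Command for a fleet) and read the
# three tables; an empty PendingUpdates table plus a cumulative update dated
# on or after 8 March 2022 is the "patched" state you are looking for.
$status = Get-PatchTuesdayStatus
$status.InstalledSince    | Format-Table -AutoSize
$status.PendingUpdates    | Format-Table -AutoSize
$status.FaxAndScanFeature | Format-Table -AutoSize
```

The CVE and KB columns on the pending-update table are the useful output for triage: filter them against the RCE and EOP identifiers named above rather than trusting a "last updated" date alone, since Get-HotFix only lists updates already applied and says nothing about what a host is still missing.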
Bear in the room
The elephant – bear might be more accurate – in the room this month is, of course, Russian dictator Vladimir Putin’s war on Ukraine, the cyber dimension of which has security teams understandably jumpy – even though the immediate threat to organisations outside Ukraine is still considered minimal for most.
Zimski at Automox said it was understandable tensions were running high, particularly following the US Cybersecurity and Infrastructure Security Agency’s (CISA’s) Shields Up alert. “Organisations should take advantage of this general reprieve in critical vulnerabilities to take stock in their overall posture and catch up on any tech debt from previously missed SLAs,” he said.
“It’s important that businesses view securing their infrastructure through the lens of action and assess their ability to move both quickly and efficiently with their current process and technology stacks.”
N-able head security nerd Lewis Pope added: “Patch Tuesday for March of 2022 arrives during a shifting landscape of geopolitical machinations that have cyber security defenders on edge. Now is a great time to audit environments to make sure you don’t have unpatched or unsupported appliances or software still in production.
“C-suites and other decision-makers might have a newfound interest in pushing for cyber security improvements, be mindful not to let this new pressure compel cramming months of security and infrastructure improvements into a few days.
“A sound foundation of the basics to build on first (MFA [multi-factor authentication], an endpoint detection and response solution on all workstations and servers, and robust patch management) can significantly improve defensive capabilities of environments in a more timely manner.”