mdbildes - stock.adobe.com
Microsoft fixes two zero-days in final Patch Tuesday of 2022
December’s Patch Tuesday is typically a light month for Microsoft, and this year proved no exception, but there are still several critical issues worth addressing, and two zero-days for defenders to pore over
Microsoft has rounded off 2022 with a typically light Patch Tuesday for December, with a total of 52 patches addressing six critical vulnerabilities and two zero-days of lesser severity.
The two zero-day bugs are tracked as CVE-2022-44698, a security feature bypass vulnerability in Windows SmartScreen, which carries a CVSS score of 5.4 and is rated of moderate severity; and CVE-2022-44710, an elevation of privilege (EoP) vulnerability in the DirectX Graphics Kernel, which carries a CVSS score of 7.8 and is rated of important severity.
Of these, the Windows SmartScreen vulnerability is known to be exploited in the wild but has not previously been publicly disclosed, whereas the opposite is true of the DirectX Graphics Kernel vulnerability.
Assessing the impact of the two zero-days, Satnam Narang, senior staff research engineer at Tenable, said: “Windows SmartScreen [is] a feature built-in to Windows that works with its Mark of the Web (MOTW) functionality that flags files downloaded from the internet. Depending on how MOTW flags a file, SmartScreen will perform a reputation check.
“This vulnerability can be exploited in multiple scenarios, including through malicious websites and malicious attachments delivered over email or messaging services. They require a potential victim to visit the malicious website or open a malicious attachment to bypass SmartScreen.
“Microsoft confirmed this vulnerability has been exploited in the wild. This flaw was credited to security researcher Will Dormann, who was credited with disclosing CVE-2022-41049, a security feature bypass in MOTW in the November Patch Tuesday release.
“The second zero-day in the December Patch Tuesday release … was publicly disclosed prior to a patch being made available. It is considered to be a flaw that is less likely to be exploited based on Microsoft’s Exploitability Index,” he added.
The six critical vulnerabilities all lead to remote code execution (RCE) on the victim system if successfully exploited. They are:
- CVE-2022-41076, in PowerShell.
- CVE-2022-41127, in Microsoft Dynamics NAV and Dynamics 365 Business Central (On-Prem).
- CVE-2022-44670, in the Windows Secure Socket Tunnelling Protocol (SSTP).
- CVE-2022-44676, also in the Windows SSTP.
- CVE-2022-44690, in Microsoft SharePoint Server.
- CVE-2022-44693, also in Microsoft SharePoint Server.
Commenting on some of the more impactful critical vulnerabilities, Kev Breen, director of cyber threat research at Immersive Labs, said the PowerShell vulnerability in particular looked troublesome.
“While Microsoft doesn’t share much detail about this vulnerability outside of ‘exploitation more likely’, it is listed as remote code execution, and they also note that successful exploitation requires an attacker to take additional actions to prepare the target environment,” said Breen.
“What actions are required is not clear; however, we do know that exploitation requires an authenticated user level of access. This combination suggests that the exploit requires a social engineering element, and would likely be seen in initial infections using attacks like MalDocs or LNK files,” he added.
“Social engineering attacks are commonly seen targeting employees at all levels of an organisation. While it’s true that some users can be a weak link in cyber security, they are also the first line of defence. It is important to upskill workforces, so they have the capabilities and judgement to avoid such attacks.”
Breen also flagged the two SharePoint Server vulnerabilities as priorities, saying any such bugs should be high on the list for anybody using SharePoint internally.
“This vulnerability could affect organisations that use SharePoint for internal wikis or document stores. Attackers might exploit [it] to steal confidential information to use in ransomware attacks, replace documents with new versions that contain malicious code, or create macros to affect other systems,” he said.
Of course, a 2022 Patch Tuesday update would not be a 2022 Patch Tuesday update without a fix for a vulnerability in the Windows Print Spooler, and Microsoft obliged in December with CVE-2022-44678, an EoP vulnerability that would be exploited to give an attacker system privileges, but only locally.
“Windows Print Manager has been a target for attackers since PrintNightmare was exposed more than a year ago,” said Mike Walters, vice-president of vulnerability and threat research at Action1.
“We have encountered vulnerabilities of this sort almost every month after that. Similarly, this flood of patches is likely to continue after CVE-2022-44678.
“IT teams should take the risk from vulnerabilities in Print Spooler very seriously because the Windows Print Manager apparently has many flaws. Therefore, if you do not use it, disable it, even if it has all the latest patches installed. Attackers will keep digging this rabbit hole on and on,” he said.