Microsoft December 2022 Patch Tuesday: Two Zero-Day Bugs and Six Critical Flaws Fixed
Patch Tuesday is the second Tuesday of each month, during which Microsoft releases security updates for their software. These updates are intended to fix vulnerabilities that have been discovered in the software, and they are an important tool for keeping your computer and data safe. Microsoft released December 2022 Patch Tuesday which will address Two Zero-Day Bugs and Six Critical Flaws.
The total number of patches for 2022 already exceeds 1,250, giving it the second-highest annual patch load for the company; December has the lowest patch load of the year. Even though this month’s Patch Tuesday wasn’t as significant as usual, HighGround.io CEO Mark Lamb said on Spiceworks, we are still closing out the year with a bang.
Two zero-day vulnerabilities and six serious issues permit, among other things, remote code execution, privileged access, and denial of service. Since this is an essential upgrade, firms must adopt the modifications immediately. Patch Tuesday in December saw the release of 53 patches, with 6 classifieds as critical, 43 as major, and 3 as very severe. Microsoft patched two zero-day vulnerabilities, one of which was being abused in the wild.
Zero-Day vulnerability fixes in December Patch Tuesday
CVSS rating for CVE-2022-44698 Opens in a new window is only moderately vulnerable (5.4), but it must be corrected immediately since it is being actively exploited. Mike Walters, vice president of vulnerability and threat research at Action1, assigned this zero-day a CVSS risk score of 5.4 due to the fact that it simply circumvents Microsoft’s Defender SmartScreen protection mechanism and has no remote code execution or denial of service capabilities.
It does need human cooperation; attackers must trick a victim into accessing a malicious website using phishing emails or other types of social engineering in order to defeat the security feature. Threat actors may create malicious files that circumvent Mark of the Web (MOTW) protections, resulting in a slight loss of integrity and preventing the use of security features that depend on MOTW tagging, such as Microsoft Office’s “Protected View.
Similar to CVE-2022-41091, another zero-day vulnerability that was patched in January’s Patch Tuesday release. Neither earned a very high CVSS score but considering that a socially engineered user might access malicious files that circumvent Web security systems, we recommend updating it within 24 hours.
Vulnerabilities patches on December Patch Tuesday
Both CVE-2022-44690 and CVE-2022-44693 (CVSS 8.8) provide remote code execution in SharePoint versions beginning with MS SharePoint Enterprise Server 2013 SP 1. Exploiting network vectors [CVE-2022-44693] is straightforward and does not need escalated privileges. According to Walters, by default, all SharePoint users have access to the basic user account with Manage List rights, making it simple for attackers to exploit the system. An attacker may exploit this vulnerability to take control of a compromised SharePoint server and remotely execute arbitrary code without user interaction.
According to Walters, CVE-2022-41089 is a vulnerability in the.NET Framework (CVSS score 8.8) affecting versions 3.5 to 4.8. It utilizes the network vector, is not too complex, and does not need privilege escalation. Microsoft did not give it a perfect score since users must interact with the attacker environment, such as via visiting a rogue website.
Windows PowerShell Remote Code Execute Vulnerability CVE-2022-41076 is simple to attack and needs no user intervention (CVSS score 8.5). Windows 7, 8.1, 10, and 11; Windows Server 2008 R2 and later; and PowerShell 7.2 and 7.3 are supported.
iOS Vulnerability Fix
In addition to the patches issued on December Patch Tuesday, Apple announced an actively exploited zero-day vulnerability in iOS. Apple released a security update for iOS 16.1.2 around two weeks ago that resolved the issue.
Clément Lecigne of Google’s Threat Analysis Group uncovered a security vulnerability in WebKit, the web rendering engine used by the Safari browser and other applications (CVE-2022-42856 Opens a new window). “It is possible to execute arbitrary code when parsing maliciously generated web content.
Apple claims that iOS 15.1 is incompatible with CVE-2022-42856. However, the business has provided security fixes for almost all devices. A contemporary device must operate one of the following operating system versions: All of the following operating systems are supported: Mac OS X Ventura 13.1, macOS Monterey 12.6.2, macOS Big Sur 11.7.2, tvOS 16.2, watchOS 9.2, iOS 16.2, iPadOS 16.2, iOS 15.7.2, iPadOS 15.7.2, tvOS 16.2, and watchOS 9.2.