Patch Tuesday – December 2022
December 13, 2022 by Bryson Medlock
Today is once again Patch Tuesday, the second Tuesday of the month, when Microsoft and other vendors push out security updates to their products. This month, Microsoft has released 49 security updates for its products. Of these, six are rated Critical, 42 Important, and one Moderate. One of the Important vulnerabilities has already been publicly disclosed and one has been observed being exploited in the wild, also known as zero-day vulnerabilities. All six of the Critical vulnerabilities patched this month are Remote Code Execution (RCE) vulnerabilities.
One vulnerability in this month’s Patch Tuesday has been previously disclosed: CVE-2022-44710, a DirectX Graphics Kernel Elevation of Privilege Vulnerability. Exploitation requires an attacker to win a race condition, which makes this vulnerability less likely to be exploited. If an attack succeeds, an attacker who already has limited access to a system can gain SYSTEM-level permissions on that system, giving them full control. AppContainer Isolation is a Windows feature that isolates an application from unneeded resources or other applications inside an isolated execution environment. This vulnerability could allow an attacker to escape a contained execution environment.
Microsoft Defender SmartScreen is a Microsoft Defender feature in Windows 10, Windows 11, and Microsoft Edge that warns you if a site you are visiting or a file you are downloading matches a list of known bad sites. The one vulnerability disclosed this month that has previously been seen exploited in the wild is CVE-2022-44698, a Windows SmartScreen bypass. To exploit this vulnerability, an attacker would need to convince their target to access a malicious URL through phishing or some other method. They could then use this to bypass the Defender SmartScreen feature and evade the Mark of the Web (MotW), thus bypassing other security features such as Protected View in Microsoft Office. This vulnerability has previously been seen in use by Qbot to distribute Magniber ransomware.
There are six Critical RCE vulnerabilities patched this month. CVE-2022-41076 is a vulnerability in PowerShell that would allow an authenticated user to run unapproved commands on a system. CVE-2022-41127 is an RCE vulnerability in the on-premises version of Microsoft’s ERP system, Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central, that would allow an authenticated user to execute arbitrary code on the server in the context of the service account Dynamics has been configured to use. Two Critical RCE vulnerabilities patched this month, CVE-2022-44670 and CVE-2022-44676, affect the Windows VPN tunneling protocol Secure Socket Tunneling Protocol (SSTP). Both require an attacker to send a maliciously crafted packet to a Remote Access Server (RAS) and then win a race condition. The last two Critical vulnerabilities patched this month are both RCE vulnerabilities in Microsoft SharePoint, CVE-2022-44690 and CVE-2022-44693. Both require the attacker to be authenticated first; an authenticated attacker with the Manage List permissions could then remotely execute code on the SharePoint server.
For a full breakdown of all the patches released this month, we recommend you check out the Patch Tuesday Dashboard by Morphus Labs. Also refer to the table below for all the relevant Microsoft KB articles.
| KB Article | Applies To |
|---|---|
| 5021233 | Windows 10, version 20H2, Windows 10, version 21H1, Windows 10, version 21H2, Windows 10, version 22H2 |
| 5021234 | Windows 11 version 21H2 |
| 5021237 | Windows Server 2019 |
| 5021255 | Windows 11 version 22H2 |
| 5021285 | Windows Server 2012 (Monthly Rollup) |
| 5021288 | Windows 7, Windows Server 2008 R2 (Security-only update) |
| 5021289 | Windows Server 2008 (Monthly Rollup) |
| 5021291 | Windows 7, Windows Server 2008 R2 (Monthly Rollup) |
| 5021293 | Windows Server 2008 (Security-only update) |
| 5021294 | Windows 8.1, Windows Server 2012 R2 (Monthly Rollup) |
| 5021296 | Windows 8.1, Windows Server 2012 R2 (Security-only update) |
| 5021303 | Windows Server 2012 (Security-only update) |
| 5020880 | .NET Core and .NET Framework, Change in how WPF-based applications render XPS documents |
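
One way to use the KB table above in a patch audit, as an added example that is not part of the original post: the script checks a host inventory for the December 2022 KB that applies to each OS, treating the Monthly Rollup and the Security-only update as alternatives. The host names, placeholder KB IDs and CSV layout are constructed assumptions.

```python
import csv
import io

# KB numbers from the table on this page, regrouped per OS. Each set holds
# alternatives (Monthly Rollup or Security-only); .NET article 5020880 is omitted.
DECEMBER_2022_KBS = {
    **{f"Windows 10 {v}": {"5021233"} for v in ("20H2", "21H1", "21H2", "22H2")},
    "Windows 11 21H2": {"5021234"},
    "Windows 11 22H2": {"5021255"},
    "Windows Server 2019": {"5021237"},
    "Windows Server 2012": {"5021285", "5021303"},
    "Windows Server 2012 R2": {"5021294", "5021296"},
    "Windows 8.1": {"5021294", "5021296"},
    "Windows Server 2008": {"5021289", "5021293"},
    "Windows Server 2008 R2": {"5021291", "5021288"},
    "Windows 7": {"5021291", "5021288"},
}

# Constructed sample: hypothetical hosts, placeholder KB IDs, assumed CSV layout.
SAMPLE_INVENTORY = """host,os,installed_kbs
ws-01,Windows 10 22H2,KB0000001;KB5021233
ws-02,Windows 11 22H2,KB0000002
srv-01,Windows Server 2012 R2,kb5021296
srv-02,Windows Server 2008 R2,KB0000003
srv-03,Windows Server 2022,KB0000004
"""

def normalize_kb(kb_id):
    """Map 'KB5021233', 'kb5021233' or '5021233' to '5021233'."""
    kb_id = kb_id.strip().upper()
    return kb_id[2:] if kb_id.startswith("KB") else kb_id

def audit(inventory_csv):
    """Return {host: (status, kbs)}; status is patched, missing or not-in-table."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        installed = {normalize_kb(k) for k in row["installed_kbs"].split(";") if k.strip()}
        wanted = DECEMBER_2022_KBS.get(row["os"].strip())
        if wanted is None:
            report[row["host"]] = ("not-in-table", [])  # OS not listed on this page
        elif installed & wanted:
            report[row["host"]] = ("patched", sorted(installed & wanted))
        else:
            report[row["host"]] = ("missing", sorted(wanted))  # any one KB closes the gap
    return report

if __name__ == "__main__":
    for host, (status, kbs) in audit(SAMPLE_INVENTORY).items():
        print(f"{host:8} {status:13} {', '.join('KB' + k for k in kbs)}")
```

The check looks only for the December KB IDs, so a host that skipped December and installed a later cumulative update is reported as missing.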