Patch Tuesday – December 2022

Today is once again Patch Tuesday, the second Tuesday of the month when Microsoft and other vendors push out security updates to their products. This month, Microsoft has released 49 security updates for their products. Of the 49 released by Microsoft, six are rated with a severity of Critical, 42 as Important, and one as Moderate. One of the Important vulnerabilities has already been publicly disclosed and one has been observed being exploited in the wild, also known as zero-day vulnerabilities. All six of the Critical vulnerabilities patched this month are for Remote Code Execution (RCE) vulnerabilities.

One vulnerability in this month’s Patch Tuesday has been previously disclosed, CVE-2022-44710, a DirectX Graphics Kernel Elevation of Privilege Vulnerability. This vulnerability requires an attacker to win a race condition making this less likely to be exploited. If an attack succeeds, an attack who already has limited access to a system can gain SYSTEM level permissions to that system, giving them full control. AppContainer Isolation is a Windows feature that isolates an application from unneeded resources or other applications inside an isolated execution environment. This vulnerability could allow an attacker to escape a contained execution environment.

Microsoft Defender SmartScreen is a Microsoft Defender feature in Windows 10, Windows 11, and Microsoft Edge that warns you if a site you are visiting or a file you are downloading matches a list of known bad sites. The one vulnerability disclosed this month that has previously been seen exploited in the wild is CVE-2022-44698, a Windows SmartScreen bypass. An attacker would need to convince their target to access a malicious URL through phishing or some other method to exploit this vulnerability. They could then use this to bypass the Defender SmartScreen feature and evade the Mark of the Web (MotW), thus bypassing other security features such as Protected View in Microsoft Office. This vulnerability has previously been seen used by Qbot to distribute Magniber ransomware.

There are six Critical RCE vulnerabilities patched this month. CVE-2022-41076 is a vulnerability in PowerShell that would allow an authenticated user to run unapproved commands on a system. CVE-2022-41127 is a RCE vulnerability in the on-premises version of Microsoft’s ERP system Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Center that would allow an authenticated user to execute arbitrary code on the server in the context of the service account Dynamics has been configured to use. There are two critical RCE vulnerabilities patched this month for the Windows VPN tunneling protocol Secure Socket Tunneling Protocol (SSTP), CVE-2022-44670 and CVE-2022-44676. Both vulnerabilities require an attacker send a maliciously crafted packet to a Remote Access Server (RAS) and then win a race condition. The last two Critical vulnerabilities patched this month are both RCE vulnerabilities in Microsoft SharePoint, CVE-2022-44690 and CVE-2022-44693. Both of these RCE vulnerabilities require an attacker first be authenticated, then an authenticated attacker with the Manage List permissions could remotely execute code on the SharePoint server.

For a full break down of all the patches released this month, we recommend you check out the Patch Tuesday Dashboard by Morphus Labs. Also refer to the table below for all the relevant Microsoft KB articles.