Patch Tuesday – February 2022

Today is Patch Tuesday, the second Tuesday of each month when Microsoft and other vendors release their regularly scheduled security updates. This month Microsoft patches 70 vulnerabilities, 19 of which are fixes from Google for the open-source Chromium project on which Microsoft Edge is built. No vulnerabilities are rated Critical this month, making this the first Patch Tuesday in years without at least one. There are a total of 50 Important vulnerabilities and one medium. Of the 19 Chromium updates, originally shipped in the Chrome 98 release of February 1, 2022, Google rated 8 as high, 10 as medium, and one as low.

Last year we saw several Print Spooler privilege escalation vulnerabilities, starting with PrintNightmare, a privilege escalation vulnerability that was later upgraded to a remote code execution (RCE) vulnerability. Microsoft still seems to be auditing the Windows Print Spooler, since this month it released patches for four new Print Spooler privilege escalation vulnerabilities: CVE-2022-21999, CVE-2022-22718, CVE-2022-21997, and CVE-2022-22717.

Privilege escalation is a common theme this month: 18 of the 51 vulnerabilities patched by Microsoft (discounting the 19 Chromium updates) are elevation of privilege issues, including a win32k privilege escalation vulnerability (CVE-2022-21996). Last month Microsoft released a patch for another win32k privilege escalation vulnerability (CVE-2022-21882) that threat actors have been actively exploiting.

The most serious vulnerabilities this month include two RCE vulnerabilities. One is an RCE in the Windows DNS server (CVE-2022-21984). In last year's February Patch Tuesday release, Microsoft patched another RCE in its DNS server (CVE-2021-24078), though that vulnerability was more severe, with a CVSS score of 9.8 and a Critical rating. This month's DNS RCE has a CVSS score of 8.8 and is rated Important. The lower score reflects that exploitation is less likely: CVE-2022-21984 does not work in a default configuration, and dynamic updates must be enabled on the server for it to be exploitable.
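As an added example (not code from the original post), the following PowerShell script audits which zones on a set of DNS servers accept dynamic updates, the precondition the post notes for CVE-2022-21984, and reports whether each server has the February update installed. It uses the DnsServer module's Get-DnsServerZone and the built-in Get-HotFix cmdlet; the server names and the KB number are assumptions to be replaced with your own.

```powershell
# Added example, not code from the original post.
# Audits DNS zones that accept dynamic updates (the configuration the post notes
# CVE-2022-21984 requires) and checks whether each server has the February update.
# Requires the DnsServer RSAT module (Get-DnsServerZone) and remote WMI for Get-HotFix.
# The server names and the KB number below are assumptions; replace them with your own.
param(
    [string[]]$DnsServers = @('dns01.corp.example', 'dns02.corp.example'),  # assumed hostnames
    [string]$PatchKB = 'KB5010354'  # 5010354 is the Windows Server 2022 KB in the table above; pick the KB for your OS
)

$report = foreach ($server in $DnsServers) {
    # Primary, non-auto-created zones whose DynamicUpdate setting is not 'None'.
    # 'NonsecureAndSecure' accepts updates from any client; 'Secure' only from
    # authenticated clients. The post says only that dynamic updates must be enabled,
    # so both modes are reported rather than treating 'Secure' zones as safe.
    $zones = Get-DnsServerZone -ComputerName $server |
        Where-Object {
            -not $_.IsAutoCreated -and
            $_.ZoneType -eq 'Primary' -and
            $_.DynamicUpdate -ne 'None'
        }

    # Get-HotFix returns nothing when the update is absent, so cast to [bool].
    $patched = [bool](Get-HotFix -Id $PatchKB -ComputerName $server -ErrorAction SilentlyContinue)

    foreach ($zone in $zones) {
        [pscustomobject]@{
            Server        = $server
            Zone          = $zone.ZoneName
            DynamicUpdate = $zone.DynamicUpdate
            Patched       = $patched
        }
    }
}

# Unpatched servers that host dynamic-update zones sort to the top.
$report | Sort-Object Patched, Server, Zone | Format-Table -AutoSize
```

Run it from a host with the DNS Server Tools installed and rights on the target servers. Servers that appear with Patched = False and any zone listed are the ones where the exposure described above applies; servers with no rows either have no dynamic-update zones or only auto-created ones.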

For a full breakdown of all the patches released this month, we recommend you check out the Patch Tuesday Dashboard by Morphus Labs. Also refer to the table below for all the relevant Microsoft KB articles.

| KB Article | Applies To |
|------------|------------|
| 5010342 | Windows 10, version 20H2; Windows Server, version 20H2; Windows 10, version 21H1; Windows 10, version 21H2 |
| 5010351 | Windows 10, version 1809; Windows Server 2019 |
| 5010354 | Windows Server 2022 |
| 5010384 | Windows Server 2008 (Monthly Rollup) |
| 5010392 | Windows Server 2012 (Monthly Rollup) |
| 5010395 | Windows 8.1; Windows Server 2012 R2 (Security-only update) |
| 5010403 | Windows Server 2008 (Security-only update) |
| 5010404 | Windows 7; Windows Server 2008 R2 (Monthly Rollup) |
| 5010412 | Windows Server 2012 (Security-only update) |
| 5010419 | Windows 8.1; Windows Server 2012 R2 (Monthly Rollup) |
| 5010422 | Windows 7; Windows Server 2008 R2 (Security-only update) |
| 5002135 | SharePoint Server 2019 |

The CRU has been reviewing the data from today's Patch Tuesday and has obtained a few PoCs for some of the vulnerabilities. We will release any new detection content we develop for these vulnerabilities as it becomes available.

Microsoft Disabled VBA Macros

In other Microsoft-related news, yesterday Microsoft released a notice on the Microsoft 365 Blog that "VBA macros obtained from the internet will now be blocked by default" in Microsoft Access, Excel, PowerPoint, Visio, and Word running on Windows. This change will take effect in Office version 2203, with the preview version set to be released in April 2022.

For years, threat actors have used malicious VBA macros embedded in Office documents as a means of initial access via phishing campaigns. Even though the current behavior is to disable macros and advise users that they are unsafe, a user can easily bypass this restriction by clicking "Enable Content" in the warning bar that appears.

[Image: Patch Tuesday Feb 2022.png]

The new default behavior will be to disable macros and display a message that they pose a security risk with a “Learn More” button.

The “Learn More” button will take a user to an article that discusses the dangers of macros and why they have been blocked along with instructions on how to enable them if they are absolutely needed.

Malicious macros in Office documents delivered via phishing remain one of the top initial access methods used by threat actors, so this change will drastically reduce the attack surface for most organizations.
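Two defender-side checks related to the change described above, as an added example that is not code from the original post or from Microsoft. The new default applies to files that carry the "Mark of the Web", the Zone.Identifier alternate data stream Windows attaches to downloads (ZoneId=3 is the Internet zone), so the first function shows whether a given file has it. The second reports whether the existing "Block macros from running in Office files from the Internet" policy, which enforces the same behavior today, is already set for the current user, and can optionally set it. The registry path is the policy's documented location for Office 16.0; the application list and the sample file path are this example's own assumptions.

```powershell
# Added example, not code from the original post.
# 1. Test-MarkOfTheWeb: does a file carry the Zone.Identifier stream with ZoneId=3
#    (Internet)? The macro block described in the post only applies to such files.
# 2. Get-OfficeInternetMacroPolicy: per application, is the "Block macros from
#    running in Office files from the Internet" policy set? -Enforce sets it.
#    Registry path is the documented per-user policy location for Office 16.0;
#    the application list is an assumption of this example.

function Test-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # Reading a stream that does not exist throws; treat that as "no mark".
    try {
        $stream = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $false
    }
    # -match on an array yields the matching lines; ZoneId=3 is the Internet zone.
    return [bool]($stream -match '^ZoneId=3$')
}

function Get-OfficeInternetMacroPolicy {
    param(
        [string[]]$Applications = @('word', 'excel', 'powerpoint', 'access', 'visio'),  # assumed list
        [switch]$Enforce
    )
    foreach ($app in $Applications) {
        $key  = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\security"
        $name = 'blockcontentexecutionfrominternet'
        # Get-ItemProperty returns $null (no error) when the key or value is missing.
        $value   = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        $blocked = ($value -eq 1)

        if ($Enforce -and -not $blocked) {
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
            $blocked = $true
        }

        [pscustomobject]@{ Application = $app; InternetMacrosBlocked = $blocked }
    }
}

# Usage; the document path is a constructed placeholder.
Get-OfficeInternetMacroPolicy | Format-Table -AutoSize
Test-MarkOfTheWeb -Path "$env:USERPROFILE\Downloads\invoice.docm"
```

Run Get-OfficeInternetMacroPolicy without -Enforce first to see the current state; an application reported as InternetMacrosBlocked = False still shows the "Enable Content" bar the post describes. Because the block is keyed on the Zone.Identifier stream, files that lose it (for example, when extracted by an archiver that does not propagate the mark) are not covered by either the policy or the new default, which is worth keeping in mind when judging how much attack surface the change removes.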

In similar news, at the end of last week Microsoft announced on its IT Pro Blog that it is temporarily disabling the MSIX protocol to help stop malicious activity related to CVE-2021-43980. The App Installer used the MSIX protocol to install apps directly from a web server; the vulnerability allows a malicious app to spoof a legitimate one and install malicious code instead. Microsoft says it is working on a fix and hopes to re-enable the feature as soon as possible.