- Microsoft released its Patch Tuesday for December fixing around 50 vulnerabilities, including two zero days and seven critical flaws.
- One of two addressed zero-day vulnerabilities could enable a phishing campaign with a specially crafted .url file that is designed to exploit the bypass.
- This Patch Tuesday comes with fewer updates and patches than any other month’s Patch Tuesday this year.
Microsoft has released its final security update for 2022 Patch Tuesday. It fixes around 50 flaws; 6 vulnerabilities are rated as critical and there are two zero-day bugs. December’s Patch Tuesday is revealed with updates for two zero-day vulnerabilities. One of the two zero-day flaws is being actively exploited, the other one is publicly disclosed. The two addressed zero-day vulnerabilities are CVE-2022-44698 and CVE-2022-44710.
Exploited in the wild
CVE-2022-44698 is described as a Windows SmartScreen security feature bypass vulnerability. It enables attackers to create a malicious file that would evade Mark of the Web (MOTW) defenses. The flaw is resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging. It impacts the anti-phishing and anti-malware tool Windows SmartScreen and has been exploited in the wild. The vulnerability was reported by Will Dormann.
The second vulnerability is CVE-2022-44710 which is described as “DirectX graphics kernel elevation of privilege vulnerability”. It allows attackers who successfully exploited this vulnerability could gain SYSTEM privileges. The flaw was reported by system administrator Luka Pribani. Microsoft states that it has not seen any active attacks targeting the flaw.
Six critical vulnerabilities
Alongside the zero days, other notable fixed flaws include 6 critical-severity remote code execution flaws in Microsoft SharePoint Server. Under CVE-2022-44690 and CVE-2022-44693; both allowed an authenticated attacker with Manage List permissions to execute code remotely on the SharePoint Server in a network-based attack. Microsoft considered exploitation to be “less likely.” Other notable fixed vulnerabilities rated critical for December are included;
- CVE-2022-41127: Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (on-premises) remote code execution vulnerability.
- CVE-2022-41076: PowerShell remote code execution vulnerability.
- CVE-2022-44670: Windows Secure Socket Tunneling Protocol (SSTP) remote code execution vulnerability.
- CVE-2022-44676: Windows Secure Socket Tunneling Protocol (SSTP) remote code execution vulnerability.
Updated products in December Patch Tuesday
With the December Patch Tuesday, which is the final security update for this year, Microsoft updated the following products, features, and roles:
- .NET Framework
- Azure
- Client Server Run-time Subsystem (CSRSS)
- Microsoft Bluetooth Driver
- Microsoft Dynamics
- Microsoft Edge (Chromium-based)
- Microsoft Graphics Component
- Microsoft Office
- Microsoft Office OneNote
- Microsoft Office Outlook
- Microsoft Office SharePoint
- Microsoft Office Visio
- Microsoft Windows Codecs Library
- Role: Windows Hyper-V
- SysInternals
- Windows Certificates
- Windows Contacts
- Windows DirectX
- Windows Error Reporting
- Windows Fax Compose Form
- Windows HTTP Print Provider
- Windows Kernel
- Windows PowerShell
- Windows Print Spooler Components
- Windows Projected File System
- Windows Secure Socket Tunneling Protocol (SSTP)
- Windows SmartScreen
- Windows Subsystem for Linux
- Windows Terminal