Microsoft released software updates on Tuesday to close at least 70 security holes in its the Windows operating systems and related software. For the second month in a row, there are no scary zero-day threats for Windows users (as far as we know) and relatively few “critical” patches. And yet, we know from experience that attackers are already trying to figure out how to turn these patches into a roadmap to exploit the flaws they fix. Here’s a look at the security weaknesses that Microsoft says are most likely to be targeted first.
Greg Wisemanproduct manager at Quick7, notes that three vulnerabilities patched this month have already been disclosed, potentially giving attackers a head start in figuring out how to exploit them. These include remote code execution bugs CVE-2022-24512, affecting .REPORT and VisualStudioand CVE-2022-21990, affecting Remote Desktop Client. CVE-2022-24459 is a vulnerability in the Windows Fax and Scan service. All three publicly disclosed vulnerabilities are rated Important by Microsoft.
Only three of this month’s patches have earned Microsoft the “Criticalwhich Redmond attributes to bugs that can be exploited to remotely compromise a Windows PC with little or no help from users. Two of these critical flaws relate to Windows video codecs. Perhaps the most concerning critical bug that was quashed this month is CVE-2022-23277, a remote code execution flaw affecting Microsoft Exchange Server.
“Fortunately, this is a post-authentication vulnerability, which means attackers need credentials to exploit it,” Wiseman said. “While passwords can be obtained through phishing and other means, this one shouldn’t be exploited as massively as the deluge of Exchange vulnerabilities we’ve seen throughout 2021. Exchange admins should still patch as soon as reasonably possible.”
CVE-2022-24508 is a remote code execution bug affecting Windows SMBv3the technology that manages file sharing in Windows environments.
“This has the potential for widespread exploitation, assuming an attacker can set up a suitable exploit,” Wiseman said. “Fortunately, like this month’s Exchange vulnerabilities, this also requires authentication.”
Kevin BreenDirector of Cyber Threat Research at Immersive labsdrew attention to a trio of bugs fixed this month in the Windows Remote Desktop Protocol (RDP), which is a favorite target of ransomware groups.
“CVE-2022-23285, CVE-2022-21990, and CVE-2022-24503 are a potential concern, especially since this infection vector is commonly used by ransomware actors,” Breen said. “While exploitation is not trivial, requiring an attacker to set up bespoke infrastructure, it still presents enough risk to be a priority.”
March Patch Tuesday also brings an unusual update (CVE-2022-21967) which may well be the first security patch involving Microsoft. Xbox device.
“This appears to be the first security patch specifically affecting Xbox,” said Dustin Childs from Trend Micro Zero Day Initiative. “There was a notice for an Xbox Live certificate inadvertently leaked in 2015, but this appears to be the first security-specific update for the device itself.”
Also on Tuesday, Adobe released updates fixing six vulnerabilities in Adobe Photoshop, Illustrator and Side effects.
For a full rundown of all patches released by Microsoft today, and indexed by severity and other metrics, see the always-helpful Patch Tuesday summary of the Internet Storm Center WITHOUT. And it’s not a bad idea to delay the update for a few days until Microsoft fixes the issues in the updates: AskWoody.com usually has the list of patches that can cause problems for users of Windows.
As always, consider backing up your system or at least your important documents and data before applying system updates. And if you have any issues with these fixes, please let us know here in the comments.