Microsoft Patches 92 Vulnerabilities in March 2022 Patch Tuesday including 3 Zero-days

Microsoft's March 2022 Patch Tuesday release addresses 92 vulnerabilities, three (3) of which are rated as critical. The release also includes fixes for three (3) publicly disclosed zero-day vulnerabilities. As of this writing, none of this month’s vulnerabilities is known to be actively exploited in the wild.
  
Microsoft has patched several classes of flaws in its software, including Denial of Service, Elevation of Privilege, Information Disclosure, Remote Code Execution, Security Feature Bypass, and Spoofing vulnerabilities, as well as vulnerabilities in Edge (Chromium-based).
  
This month’s advisory covers multiple Microsoft products, including .NET and Visual Studio, Azure Site Recovery, Defender, Edge (Chromium-based), Exchange Server, HEIF Image Extension, HEVC Video Extension, Intune, Microsoft 365 Apps, Office, Paint 3D, Remote Desktop, SMB Server and Windows OS. 
  
The vulnerabilities are classified as:  

  • Spoofing Vulnerabilities: 3 
  • Buffer Overflow Vulnerabilities: 1 
  • Denial of Service Vulnerabilities: 4 
  • Edge – Chromium Vulnerabilities: 21 
  • Elevation of Privilege Vulnerabilities: 25 
  • Information Disclosure Vulnerabilities: 6 
  • Security Feature Bypass Vulnerabilities: 3 
  • Remote Code Execution Vulnerabilities: 29

Three zero-day vulnerabilities fixed in March 2022 Patch Tuesday 

  • CVE-2022-21990: Remote Desktop Client Remote Code Execution Vulnerability 
  • CVE-2022-24459: Windows Fax and Scan Service Elevation of Privilege Vulnerability 
  • CVE-2022-24512: .NET and Visual Studio Remote Code Execution Vulnerability 

Some of the important Microsoft vulnerabilities patched this month: 

  • CVE-2022-24469: Azure Site Recovery Elevation of Privilege Vulnerability 
  • CVE-2022-23277: Microsoft Exchange Server Remote Code Execution (RCE) Vulnerability 
  • CVE-2022-23285: Remote Desktop Client Remote Code Execution (RCE) Vulnerability 
  • CVE-2022-24508: Windows SMBv3 Client/Server Remote Code Execution (RCE) Vulnerability

Visit the March 2022 Security Updates page to access the full description of each vulnerability and the systems that it affects.  
  
Customers can scan their network with QIDs 100417, 110403, 376453, 376454, 50119, 91868, 91869, 91870, 91871, 91872, 91873, 91874, 91875 to detect vulnerable assets.  
  
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities. 
 
References: 
https://msrc.microsoft.com/update-guide/releaseNote/2022-Mar 
https://threatpost.com/microsoft-zero-days-critical-bugsmarch-patch-tuesday/178817/ 
https://www.bleepingcomputer.com/news/microsoft/microsoft-march-2022-patch-tuesday-fixes-71-flaws-3-zero-days/
