Welcome to the final second Tuesday of the year. As expected, Microsoft and Adobe have released their latest security updates and fixes. Take a break from your holiday preparations and join us as we review the details of the latest security patches.
Microsoft Patches for December 2022
In this month’s Patch Tuesday, Microsoft released 52 new patches addressing CVEs in Microsoft Windows and Windows Components, Azure and Azure Real Time Operating System, Microsoft Dynamics, Exchange Server, Office and Office Components, SysInternals, Visual Studio, SharePoint Server, Network Policy Server (NPS), Windows BitLocker, Microsoft Edge (Chromium-based), and Linux Kernel and Open-Source Software. This month’s updates complement two CVEs released earlier this month, bringing the December release total to 54 fixes.
Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, and Spoofing.
The December 2022 Microsoft vulnerabilities are classified as follows:
| Vulnerability Type | Quantity | Severities |
|---|---|---|
| Elevation of Privilege Vulnerability | 19 | Important: 19 |
| Remote Code Execution Vulnerability | 24 | Important: 17, Critical: 7 |
| Information Disclosure Vulnerability | 3 | Important: 3 |
| Feature Bypass Vulnerability | 2 | Moderate: 1, Important: 1 |
| Denial of Service Vulnerability | 3 | Moderate: 1, Important: 2 |
| Spoofing Vulnerability | 2 | Moderate: 2 |
| Defense in Depth | 1 | None |
Microsoft addressed 54 vulnerabilities: 2 CVEs on December 5th, 51 new CVEs on December 13th, and one (1) Microsoft Defense in Depth Update ADV220005.
Only one new CVE released this month is listed as exploited in the wild, and one was publicly known by the time this blog was released.
Notable Microsoft Vulnerabilities Patched
CVE-2022-44698 | Windows SmartScreen Security Feature Bypass Vulnerability
This vulnerability has a CVSSv3.1 score of 5.4/10.
This vulnerability is rated as moderate and appears to be related to the Windows Mark of the Web Security Feature Bypass Vulnerability (CVE-2022-41091) from last month. Put simply, a specially crafted file could be constructed to bypass the Mark of the Web (MOTW) defense mechanism: it either strips the MOTW from the file or makes the MOTW unrecognizable to the security features Microsoft provides, so the file opens without warnings. This results in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which relies on MOTW tagging. With the significant number of phishing attacks every day depending on users opening malicious files and attachments, these types of protection are essential to preventing attacks. Patching this vulnerability is highly recommended.
Exploitability Assessment: Exploitation Detected
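Since the bypass above hinges on whether a file still carries its MOTW, a defender will want a way to inspect that tag directly. The following PowerShell is an added example and is not part of the Qualys post: it reads the `Zone.Identifier` alternate data stream that Windows uses to store the MOTW and lists files in a folder that would not trigger Protected View or SmartScreen. It assumes the files sit on an NTFS volume; the function names `Get-MotwStatus` and `Find-UnmarkedDownloads` are ours.

```powershell
# Added example, not part of the Qualys post: inspect the Mark of the Web (MOTW) on files.
# Windows records MOTW in the NTFS alternate data stream "Zone.Identifier"; SmartScreen and
# Office Protected View key on ZoneId=3 (Internet) or ZoneId=4 (Restricted sites).
# Assumption: the files live on an NTFS volume (the stream is not preserved on FAT/exFAT).
function Get-MotwStatus {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $result = [ordered]@{ File = $item.FullName; HasMotw = $false; ZoneId = $null; HostUrl = $null }
    try {
        # Reading a missing stream throws; treat that as "no MOTW".
        $ads = Get-Content -LiteralPath $item.FullName -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return [pscustomobject]$result
    }
    $zoneLine = $ads | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
    $hostLine = $ads | Where-Object { $_ -like 'HostUrl=*' } | Select-Object -First 1
    if ($zoneLine) {
        $result.HasMotw = $true
        $result.ZoneId  = [int]($zoneLine -replace '^ZoneId=', '')
    }
    if ($hostLine) { $result.HostUrl = $hostLine -replace '^HostUrl=', '' }
    return [pscustomobject]$result
}

# Report files that would NOT trigger Protected View / SmartScreen: either no
# Zone.Identifier stream at all, or a zone below 3 (Local, Intranet, Trusted).
function Find-UnmarkedDownloads {
    param(
        [string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'),
        [string[]]$Extensions = @('.docx', '.docm', '.xlsx', '.xlsm', '.pptx', '.pdf', '.zip', '.iso', '.lnk', '.exe')
    )
    Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object { Get-MotwStatus -Path $_.FullName } |
        Where-Object { -not $_.HasMotw -or $_.ZoneId -lt 3 }
}

# Usage: list unmarked files in the current user's Downloads folder.
Find-UnmarkedDownloads | Format-Table File, HasMotw, ZoneId, HostUrl -AutoSize
```

Files that a browser downloaded from the Internet but that show `HasMotw = False` here are the ones Protected View will open without a prompt, which is exactly the condition the patch is meant to prevent.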
CVE-2022-44713 | Microsoft Outlook for Mac Spoofing Vulnerability
This vulnerability has a CVSSv3.1 score of 7.5/10.
This security bug is rated as important and is a spoofing vulnerability, which we want to emphasize since it relates to email clients. This vulnerability could allow attackers to appear as trusted users when they should not, causing a user to mistakenly trust a signed email message as if it came from a legitimate sender. Combined with the Windows SmartScreen Security Feature Bypass (CVE-2022-44698) mentioned above, this bug could be very destructive: users could receive emails that appear to come from trusted users with malicious attachments, and many users would open them.
Exploitability Assessment: Exploitation Less Likely
Microsoft Critical Vulnerability Highlights
CVE-2022-41127 | Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On-Premises) Remote Code Execution Vulnerability
This vulnerability has a CVSSv3.1 score of 8.5/10.
This critical vulnerability affects Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On-Premises). This security flaw, which could lead to a scope change, allows an authenticated attacker to execute code on the host server (the underlying operating system) in the context of the service account Dynamics is configured to use. Because Dynamics NAV opens a port for the Windows Communication Foundation (WCF) TCP protocol, that connection could be used to reach the flaw. As an authenticated user, the attacker could try to trigger malicious code in the context of the server’s account through a network call. Note that any guest-to-host escape should be taken very seriously.
The Potential Impact is HIGH for Confidentiality, Integrity, and Availability.
A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.
Exploitability Assessment: Exploitation Less Likely
CVE-2022-44690 and CVE-2022-44693 | Microsoft SharePoint Server Remote Code Execution Vulnerability
This vulnerability has a CVSSv3.1 score of 8.8/10.
This critical vulnerability affects Microsoft SharePoint Server. An authenticated attacker with Manage List permissions could execute code remotely on the SharePoint Server. These two vulnerabilities affect the following versions of Microsoft SharePoint:
Microsoft SharePoint Enterprise Server 2013 Service Pack 1 and 2016, Microsoft SharePoint Foundation 2013 Service Pack 1, Microsoft SharePoint Server 2019, Microsoft SharePoint Server Subscription Edition
Note: Customers running SharePoint Server 2013 Service Pack 1 can install either the cumulative update or the security update, which is the same update as for Foundation Server 2013.
The potential impact is HIGH for Confidentiality, Integrity, and Availability.
A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.
Exploitability Assessment: Exploitation Less Likely
CVE-2022-41076 | PowerShell Remote Code Execution Vulnerability
This vulnerability has a CVSSv3.1 score of 8.5/10.
This critical vulnerability affects PowerShell, where any authenticated user, regardless of their privileges, could escape the PowerShell Remoting Session Configuration and run unapproved commands on the target system. It is worth mentioning that, after the initial breach, attackers typically use the tools already available on the compromised system to maintain persistence or move around a network, and PowerShell is one of the more capable tools they can find. We highly recommend testing and patching this bug.
The potential impact is HIGH for Confidentiality, Integrity, and Availability.
A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.
Exploitability Assessment: Exploitation More Likely
CVE-2022-44670 and CVE-2022-44676 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
This vulnerability has a CVSSv3.1 score of 8.1/10.
This critical vulnerability affects Windows Secure Socket Tunneling Protocol (SSTP), and according to Microsoft, an attacker would need to win a race condition to exploit these bugs successfully. An unauthenticated attacker could send a specially crafted connection request to a RAS server, leading to remote code execution (RCE) on the RAS server machine. If you do not need this service, we recommend disabling it. Otherwise, test and deploy these patches immediately.
The potential impact is HIGH for Confidentiality, Integrity, and Availability.
A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.
Exploitability Assessment: Exploitation Unlikely
CVE-2022-41089 | .NET Framework Remote Code Execution Vulnerability
This vulnerability has a CVSSv3.1 score of 8.8/10.
This security update addresses the flaw by triggering restricted mode for the parsing of XPS files. XPS documents that use structural or semantic elements such as table structure, storyboards, or hyperlinks may not display correctly in WPF-based readers after this update; that is the trade-off for preventing the gadget chains that could allow remote code execution on an affected system.
There is also a workaround regarding this issue.
The potential impact is HIGH for Confidentiality, Integrity, and Availability.
A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.
Exploitability Assessment: Exploitation Less Likely
There are three Denial-of-Service (DoS) vulnerabilities patched this month. The Windows Hyper-V Denial of Service Vulnerability (CVE-2022-44682) affects the Hyper-V host’s functionality. Microsoft did not provide many details, but it is never good when a guest operating system can adversely influence the host OS.
There are 18 patches addressing Elevation of Privilege (EoP) vulnerabilities, most of which require an authenticated user to execute specifically crafted code to escalate privileges. A few of these bugs are in the Print Spooler service, a continuation of the PrintNightmare family. The DirectX Graphics Kernel Elevation of Privilege Vulnerability (CVE-2022-44710) is listed as publicly known in this month’s release.
The Azure Network Watcher Agent Security Feature Bypass Vulnerability (CVE-2022-44699) is another important one this month, since it could allow an attacker to stop the packet capture of the Network Watcher agent, which could result in logs being missed. Any organization that uses the VM extension for log collection should treat this as a critical bug.
The Microsoft Edge (Chromium-based) spoofing bug, which allows an attacker to change the content of the autofill box, also receives a patch.
This month we have a new advisory (ADV220005) providing further recommendations on third-party drivers certified by the Microsoft Windows Hardware Developer Program. Microsoft stated that drivers that appear to be approved/certified by this program had been seen in the wild.
Microsoft Release Summary
This month’s release notes cover multiple Microsoft product families and products/versions that are affected, including, but not limited to, .NET Framework, Azure, Client Server Run-time Subsystem (CSRSS), Microsoft Bluetooth Driver, Microsoft Dynamics, Microsoft Edge (Chromium-based), Microsoft Graphics Component, Microsoft Office, Microsoft Office OneNote, Microsoft Office SharePoint, Microsoft Office Visio, Microsoft Windows Codecs Library, Windows Hyper-V, SysInternals, Windows Certificates, Windows Contacts, Windows DirectX, Windows Error Reporting, Windows Fax Compose Form, Windows HTTP Print Provider, Windows Kernel, Windows PowerShell, Windows Print Spooler Components, Windows Projected File System, Windows Secure Socket Tunneling Protocol (SSTP), Windows SmartScreen, Windows Subsystem for Linux, and Windows Terminal.
Downloads include Cumulative Updates, Monthly Rollups, Security Only, and Security Update.
Evaluating workaround using Qualys Policy Compliance (PC)
CVE-2022-41077 | Windows Fax Compose Form Elevation of Privilege Vulnerability
- 1161: Status of the ‘Fax’ service
- 14916: Status of Windows Services
Executing workaround using Qualys Custom Assessment and Remediation (CAR)
Qualys Custom Assessment and Remediation empowers a system administrator to quickly and easily perform configuration updates on your technology infrastructure when the current situation requires the implementation of a vendor-suggested mitigation or workaround.
Try It for Free! Sign up now for a no-cost trial of Qualys Custom Assessment and Remediation.
Customers can perform the provided mitigation steps by creating a PowerShell script and executing it on vulnerable assets.
Please refer to the Qualys GitHub link to ensure the most current version of a Qualys script is being applied.
CVE-2022-41077 | Windows Fax Compose Form Elevation of Privilege Vulnerability
This vulnerability has a CVSSv3.1 score of 7.8/10.
Script

```powershell
$ErrorActionPreference = "SilentlyContinue"
$ProgressPreference = "SilentlyContinue"
$WarningPreference = "SilentlyContinue"
# Query the Fax service. Do not pipe this to Out-Null, or $ser would be empty and the check below could never run.
$ser = Get-Service -Name Fax
if ($ser -and $ser.Status -eq "Running") {
    Stop-Service -Name Fax -Force | Out-Null
    Set-Service -Name Fax -StartupType Disabled | Out-Null
    Write-Host "Fax service has been stopped and disabled as part of workaround implementation. CVE-2022-41077 has been mitigated."
}
else {
    Write-Host "Fax service is not running. No action required"
}
```
Visit the December 2022 Security Updates page to access the full description of each vulnerability and the systems it affects.
Qualys customers can scan their network with QIDs 110421, 110422, 110423, 377824, 91961, 91962, 91963, 91964, 91965, 91966, and 91967 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References:
https://msrc.microsoft.com/update-guide/
https://msrc.microsoft.com/update-guide/releaseNote/2022-Dec
https://msrc.microsoft.com/update-guide/vulnerability/ADV220005
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44698
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44713
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41127
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44690
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44693
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41076
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44670
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44676
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41089