In the last month of 2022, Microsoft has published fixes for 69 vulnerabilities, and 5 of them come from third parties integrated into Microsoft products. We have patches for 2 zero-days and 6 criticals. This December is a light month, but it’s typical for Microsoft. Overall, in 2022 Microsoft fixed over 900 CVEs in total. Let’s review patches for the last time this year.
CVE-2022-44698 – Windows SmartScreen Security Feature Bypass Vulnerability
Most probably related to the Mark of the Web bug patched last month. You can read more about CVE-2022-41091 here. In this case, a file could be created that evades the Mark of the Web detection and therefore bypasses security features such as Protected View in Microsoft Office. Don’t be fooled by the low rating (Moderate 5.6), because this one is already exploited by creating malicious JavaScript files that were signed using a malformed signature. Of course, it can be used in phishing attacks, so patch ASAP on your clients.
CVE-2022-44710 – DirectX Graphics Kernel Elevation of Privilege Vulnerability
This vulnerability is publicly disclosed. Successful exploitation requires an attacker to win a race condition and could gain system privileges. Luckily the issue persists on Windows 11 22H2 only.
CVE-2022-44690, CVE-2022-44693 – Microsoft SharePoint Server Remote Code Execution Vulnerability
Here we have 2 vulnerabilities in SharePoint. Both are Critical with CVSS 8.8. In a network-based attack, an authenticated attacker with Manage List permissions could execute code remotely on the SharePoint Server. This bug has been discovered in all supported SharePoint versions.
CVE-2022-41076 – PowerShell Remote Code Execution Vulnerability
This bug could allow an authenticated user to escape from the PowerShell Remoting Session Configuration and run unapproved commands on a target system. As PowerShell is often abused by attackers, everybody should prioritize this fix.
CVE-2022-41127 – Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability
Successful exploitation could allow an attacker to execute code on the host server in the context of the service account Dynamics has been configured to use.
CVE-2022-44670, CVE-2022-44676 – Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
Successful exploitation of these vulnerabilities requires an attacker to win a race condition. An attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution on the RAS server machine.
Summary
Below you can see the most important CVEs released by Microsoft for December 2022 (zero-days, criticals, and with CVSS at least 8.0). Besides the vulnerabilities already mentioned, you can find also info about a bug in .NET.
CVE Number | CVE Title | Severity (CVSS score) | Attack Vector | Attack Complexity | Privileges Required | User interaction | Exploit Code Maturity | Applicable for |
---|---|---|---|---|---|---|---|---|
CVE-2022-22047 | Windows SmartScreen Security Feature Bypass Vulnerability | Moderate (5.4) | Network | Low | None | Required | Exploited | Windows 10+ Server 2016+ |
CVE-2022-30221 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Important (7.8) | Local | High | Low | None | Publicly disclosed | Windows 11 22H2 |
CVE-2022-22038 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical (8.8) | Network | Low | Low | None | Unproven | SharePoint Foundation 2013 SP1 SharePoint Enterprise Server 2013 SP1 SharePoint Enterprise Server 2016, SharePoint Server 2019, SharePoint Server Subscription Edition |
CVE-2022-22029 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical (8.8) | Network | Low | Low | None | Unproven | SharePoint Foundation 2013 SP1 SharePoint Enterprise Server 2013 SP1 SharePoint Enterprise Server 2016, SharePoint Server 2019, SharePoint Server Subscription Edition |
CVE-2022-22039 | PowerShell Remote Code Execution Vulnerability | Critical (8.5) | Network | High | Low | None | Unproven | Windows 7+ Windows Server 2008+ PowerShell 7.2, 7.3 |
CVE-2022-22026 | Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability | Critical (8.5) | Network | High | Low | None | Unproven | Microsoft Dynamics NAV 2016+ Dynamics 365 Business Central Spring 2019 Microsoft Dynamics 365 Business Central 2020+ |
CVE-2022-30216 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 7+ Server 2008+ |
CVE-2022-30222 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 7+ Server 2008+ |
CVE-2022-33674 | .NET Framework Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | .NET 6.0, 7.0 .NET Core 3.1 Visual Studio 2022 17.0, 17.2, 17.4 Visual Studio 2019 16.11- .NET Framework 3.5 / 4.8 / 4.8.1 on Windows Server 2022 / Windows 11 .NET Framework 3.5 / 4.7.2 / 4.8 on Windows Server 2019 .NET Framework 4.8 on Windows Server 2016 .NET Framework 3.5 / 4.6.2 / 4.7 / 4.7.1 /4.7.2 / 4.8 on Windows Server 2012 / 2012 R2 .NET Framework 2.0 SP2 / 3.0 SP2 / 4.6.2 on Windows Server 2008 .NET Framework 3.5.1 / 4.6.2 / 4.7 / 4.7.1 / 4.7.2 / 4.8 on Windows Server 2008 R2 / Windows 7 .NET Framework 3.5 / 4.6.2 / 4.7 / 4.7.1 / 4.7.2 / 4.8 on Windows 8.1 .NET Framework 3.5 / 4.6 / 4.6.2 / 4.7.2 / 4.8 / 4.8.1 on Windows 10 |
- Microsoft Patch Tuesday – January 2024 - January 10, 2024
- Microsoft Patch Tuesday – November 2023 - November 15, 2023
- Microsoft Patch Tuesday – October 2023 - October 11, 2023