Patch Tuesday – December 2022

December 13, 2022 by Bryson Medlock

Today is once again Patch Tuesday, the second Tuesday of the month when Microsoft and other vendors push out security updates to their products. This month, Microsoft has released 49 security updates for their products. Of the 49 released by Microsoft, six are rated with a severity of Critical, 42 as Important, and one as Moderate. One of the Important vulnerabilities has already been publicly disclosed and one has been observed being exploited in the wild, also known as zero-day vulnerabilities. All six of the Critical vulnerabilities patched this month are for Remote Code Execution (RCE) vulnerabilities.

One vulnerability in this month’s Patch Tuesday has been previously disclosed, CVE-2022-44710, a DirectX Graphics Kernel Elevation of Privilege Vulnerability. This vulnerability requires an attacker to win a race condition making this less likely to be exploited. If an attack succeeds, an attack who already has limited access to a system can gain SYSTEM level permissions to that system, giving them full control. AppContainer Isolation is a Windows feature that isolates an application from unneeded resources or other applications inside an isolated execution environment. This vulnerability could allow an attacker to escape a contained execution environment.

Microsoft Defender SmartScreen is a Microsoft Defender feature in Windows 10, Windows 11, and Microsoft Edge that warns you if a site you are visiting or a file you are downloading matches a list of known bad sites. The one vulnerability disclosed this month that has previously been seen exploited in the wild is CVE-2022-44698, a Windows SmartScreen bypass. An attacker would need to convince their target to access a malicious URL through phishing or some other method to exploit this vulnerability. They could then use this to bypass the Defender SmartScreen feature and evade the Mark of the Web (MotW), thus bypassing other security features such as Protected View in Microsoft Office. This vulnerability has previously been seen used by Qbot to distribute Magniber ransomware.

There are six Critical RCE vulnerabilities patched this month. CVE-2022-41076 is a vulnerability in PowerShell that would allow an authenticated user to run unapproved commands on a system. CVE-2022-41127 is a RCE vulnerability in the on-premises version of Microsoft’s ERP system Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Center that would allow an authenticated user to execute arbitrary code on the server in the context of the service account Dynamics has been configured to use. There are two critical RCE vulnerabilities patched this month for the Windows VPN tunneling protocol Secure Socket Tunneling Protocol (SSTP), CVE-2022-44670 and CVE-2022-44676. Both vulnerabilities require an attacker send a maliciously crafted packet to a Remote Access Server (RAS) and then win a race condition. The last two Critical vulnerabilities patched this month are both RCE vulnerabilities in Microsoft SharePoint, CVE-2022-44690 and CVE-2022-44693. Both of these RCE vulnerabilities require an attacker first be authenticated, then an authenticated attacker with the Manage List permissions could remotely execute code on the SharePoint server.

 

For a full break down of all the patches released this month, we recommend you check out the Patch Tuesday Dashboard by Morphus Labs. Also refer to the table below for all the relevant Microsoft KB articles.

KB Article Applies To
5021233 Windows 10, version 20H2, Windows 10, version 21H1, Windows 10, version 21H2, Windows 10, version 22H2
5021234 Windows 11 version 21H2
5021237 Windows Server 2019
5021255 Windows 11 version 22H2
5021285 Windows Server 2012 (Monthly Rollup)
5021288 Windows 7, Windows Server 2008 R2 (Security-only update)
5021289 Windows Server 2008 (Monthly Rollup)
5021291 Windows 7, Windows Server 2008 R2 (Monthly Rollup)
5021293 Windows Server 2008 (Security-only update)
5021294 Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)
5021296 Windows 8.1, Windows Server 2012 R2 (Security-only update)
5021303 Windows Server 2012 (Security-only update)
5020880 .NET core and .NET Framework, Change in how WPF-based applications render XPS documents