
2022 Patch Tuesday cycle wraps with 48 CVEs, one advisory

Windows-heavy collection closes out a year of elevation-of-privilege vulnerabilities

Microsoft on Tuesday released patches for 48 vulnerabilities in seven Microsoft product families. This includes 6 Critical-class issues affecting Microsoft Dynamics, SharePoint, and Windows. The majority of CVEs affect Windows; the operating system accounts for 30 CVEs, including four shared with Azure. Including those four shared CVEs, Azure itself takes five patches. Office takes 13, including patches for both Outlook for Android and Outlook for Mac. Those are followed by two patches for SharePoint and one each for Microsoft Dynamics, .NET, and Windows Subsystem for Linux (shared with Windows). 

The release also contains one advisory of more than ordinary significance. For information on ADV220005, “Driver Certificate Deprecation Defense in Depth,” please see our writeup. We will be presenting continuing coverage of this situation as it evolves. 

As for the patches, one vulnerability (CVE-2022-44710), an Important-class elevation-of-privilege bug in the DirectX Graphics Kernel that affects only Windows 11 Version 22H2 for ARM64- and x64-based systems, has been publicly disclosed. Another (CVE-2022-44698), a flaw allowing for security feature bypass in Windows’ SmartScreen component, has already been exploited; finder Will Dormann discussed the implications of this bug in a recent Twitter thread.

The remaining 46 issues remain undisclosed and unexploited according to Microsoft.  

By the Numbers 

  • Total Microsoft CVEs: 48
  • Total advisories shipping in update: 1 
  • Publicly disclosed: 1 
  • Exploitation detected: 1 
  • Exploitation more likely in latest version: 6 
  • Exploitation more likely in older versions: 7 
  • Severity
    • Critical: 6 
    • Important: 41 
    • Moderate: 1 
    • Low: 0 
  • Impact 
    • Remote Code Execution: 23
    • Elevation of Privilege: 17
    • Information Disclosure: 3 
    • Denial of Service: 2 
    • Security Feature Bypass: 2
    • Spoofing: 1 

A bar chart showing Patch Tuesday bug impact and severity; Remote Code Execution comprises 23 bugs, Elevation of Privilege comprises 17, Information Disclosure comprises 3, Denial of Service and Security Feature Bypass each comprise 2, and there's one Spoofing bug.

Figure 1: Remote-code execution vulnerabilities slightly outnumbered elevation-of-privilege bugs in the final scheduled Patch Tuesday release of 2022 


  • Microsoft Windows: 30, including four shared with Azure and one shared with Windows Subsystem for Linux
  • Microsoft Office: 13
  • Azure: 5, including four shared with Windows 
  • SharePoint: 2 
  • Microsoft Dynamics: 1 
  • .NET: 1 
  • Windows Subsystem for Linux: 1, shared with Windows 

Three Edge-related patches issued earlier in the month (CVE-2022-44688, CVE-2022-44708, CVE-2022-41115) are referenced in Microsoft’s release documentation but require no action as part of the release itself. 

Bar chart showing the product families affected in the December Patch Tuesday set; reiterates article text

Figure 2: December’s patches include four shared by Windows and Azure, and one shared by Windows and Windows Subsystem for Linux (shared patches are represented under all applicable families)

Notable Vulnerabilities 

CVE-2022-44690, CVE-2022-44693: Microsoft SharePoint Server Remote Code Execution Vulnerability 

Both SharePoint vulnerabilities this month are Critical-class RCEs, and in both cases an authenticated attacker with Manage List permissions could execute code remotely on a SharePoint Server in the course of a network-based attack. Microsoft takes pains in its release information to note that the cumulative update for SharePoint Server 2013 includes the update for Foundation Server 2013, so customers running SharePoint Server 2013 Service Pack 1 can install the cumulative update or the security update, which is the same update as for Foundation Server 2013. 

CVE-2022-41076: PowerShell Remote Code Execution Vulnerability 

Another Critical-class RCE, this one requires fairly complex preparation by the attacker on the target environment, but it can be triggered by any authenticated user. In use, this vulnerability allows an authenticated attacker to escape the PowerShell Remoting Session configuration and run unapproved commands on the target system. The patch applies to PowerShell 7.2 and 7.3, all supported versions of Windows, and Windows Server 2022 Datacenter: Azure Edition. 

CVE-2022-44666: Windows Contacts Remote Code Execution Vulnerability 

Notable mainly because it’s likely the first time most technical folk have thought of Windows Contacts as a distinct piece of code (or at all), this bug would require an attacker to convince a user to download and open a maliciously crafted file, leading to a local attack on the user’s computer. Both client and server machines are potentially vulnerable.

Bar chart showing cumulative patch impact and severity for all twelve months of 2022. Elevation of Privilege issues represent just over 350 vulns for the year; Remote Code Execution represents just under 300; Information Disclosure represents about 90; Denial of Service represents about 75. Spoofing, Tampering, and Defense in Depth patches together represented under 50 patches for the year.

Figure 3: Even with December’s higher percentage of remote code execution vulnerabilities, 2022 was a year for elevation of privilege bugs – at least among bugs of Important or Critical severity 

Sophos protections 

| CVE | Sophos Intercept X / Endpoint IPS | Sophos XGS Firewall |
| --- | --- | --- |
| CVE-2022-44675 | Exp/2244675-A | |


As you can every month, if you don’t want to wait for your system to pull down the updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your particular system’s architecture and build number. 
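
The build and architecture lookup described above, as an added PowerShell example (not from the original article): it reads from the registry the same build number that winver.exe displays, and flags whether the host falls in the CVE-2022-44710 scope the article gives. The mapping of Windows 11 Version 22H2 to build 22621 is supplied here rather than stated in the article.

```powershell
# Added example: collect the values needed to choose a Cumulative Update package.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# CurrentBuild is the OS build (e.g. 22621); UBR is the revision shown after the dot.
$build     = [int]$cv.CurrentBuild
$fullBuild = '{0}.{1}' -f $build, $cv.UBR

# A 32-bit PowerShell on a 64-bit OS reports x86 in PROCESSOR_ARCHITECTURE;
# PROCESSOR_ARCHITEW6432 then carries the real OS architecture.
$rawArch = if ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 }
           else { $env:PROCESSOR_ARCHITECTURE }

# Translate to the label used in Update Catalog package titles.
$arch = switch ($rawArch) {
    'AMD64' { 'x64' }
    'ARM64' { 'arm64' }
    'x86'   { 'x86' }
    default { $rawArch }
}

# Five most recently installed updates; InstalledOn is empty for some entries.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5

# Article scope for CVE-2022-44710: Windows 11 Version 22H2, ARM64 or x64.
# Assumption supplied here: 22H2 corresponds to build 22621.
$inScope = ($build -eq 22621) -and ($arch -in 'x64', 'arm64')

[pscustomobject]@{
    Product              = $cv.ProductName
    Version              = $cv.DisplayVersion   # empty on older Windows 10 builds
    Build                = $fullBuild
    Architecture         = $arch
    InScopeCVE202244710  = $inScope
    RecentUpdates        = ($recent.HotFixID -join ', ')
} | Format-List
```

Compare the reported Build and Architecture against the package title in the Windows Update Catalog before downloading, and check RecentUpdates afterwards to confirm the update installed.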
