
Critical Security Patches Issued by Microsoft, Adobe and Other Major Software Firms

Patch Tuesday, March 2022

Microsoft’s Patch Tuesday update[1] for March is now officially
available, with 71 fixes spanning software products such as Windows,
Office, Exchange, and Defender, among others.

Of the total 71 patches, three are rated Critical and 68 are
rated Important in severity. While none of the vulnerabilities are
listed as actively exploited, three of them are publicly known at
the time of release.

It’s worth pointing out that Microsoft separately addressed 21 flaws[2]
in the Chromium-based Microsoft Edge browser earlier this
month.

All three critical vulnerabilities remediated this month are
remote code execution flaws, impacting HEVC Video Extensions
(CVE-2022-22006[3]), Microsoft Exchange Server (CVE-2022-23277[4]),
and VP9 Video Extensions (CVE-2022-24501[5]).

The Microsoft Exchange Server vulnerability, which was reported
by researcher Markus Wulftange, is also noteworthy because the
attacker must be authenticated to exploit the server.

“The attacker for this vulnerability could target the server
accounts in an arbitrary or remote code execution,” the Windows
maker said. “As an authenticated user, the attacker could attempt
to trigger malicious code in the context of the server’s account
through a network call.”

“Critical vulnerability CVE-2022-23277 should also be a
concern,” Kevin Breen, director of cyber threat research at
Immersive Labs, said. “While requiring authentication, this
vulnerability affecting on-prem Exchange servers could potentially
be used during lateral movement into a part of the environment
which presents the opportunity for business email compromise or
data theft from email.”

The three publicly disclosed zero-day bugs fixed by Microsoft are as follows –

  • CVE-2022-24512[6] (CVSS score: 6.3) – .NET and Visual Studio
    Remote Code Execution Vulnerability
  • CVE-2022-21990[7] (CVSS score: 8.8) – Remote Desktop Client
    Remote Code Execution Vulnerability
  • CVE-2022-24459[8] (CVSS score: 7.8) – Windows Fax and Scan
    Service Elevation of Privilege Vulnerability

Microsoft also labeled CVE-2022-21990 as “Exploitation More
Likely” because of the public availability of a proof-of-concept
(PoC) exploit, making it crucial that the updates are applied as
soon as possible to avoid potential attacks.

Other defects of significance are a number of remote code
execution flaws in Windows SMBv3 Client/Server, Microsoft Office,
and Paint 3D, as well as privilege escalation flaws in Xbox Live
Auth Manager, Microsoft Defender for IoT, and Azure Site
Recovery.

In all, the patches close out 29 remote code execution
vulnerabilities, 25 elevation of privilege vulnerabilities, six
information disclosure vulnerabilities, four denial-of-service
vulnerabilities, three security feature bypass vulnerabilities,
three spoofing vulnerabilities, and one tampering
vulnerability.

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been
released by other vendors to rectify several vulnerabilities,
counting —

References

  1. Patch Tuesday update (msrc.microsoft.com)
  2. addressed 21 flaws (docs.microsoft.com)
  3. CVE-2022-22006 (msrc.microsoft.com)
  4. CVE-2022-23277 (msrc.microsoft.com)
  5. CVE-2022-24501 (msrc.microsoft.com)
  6. CVE-2022-24512 (msrc.microsoft.com)
  7. CVE-2022-21990 (msrc.microsoft.com)
  8. CVE-2022-24459 (msrc.microsoft.com)
