Hear what Automox Patch Tuesday experts have to say about this month’s Patch Tuesday releases. You can view a full list of the latest patches and updates from Microsoft and other third-party applications in our Patch Tuesday Index.
March 2022 Overview
General Overview - Eric Feldman
What a difference a year makes.
In March of 2021, we wrote how Microsoft reported 89 total vulnerabilities, the 3rd highest total for the year. In addition, the same month brought us 14 critical vulnerabilities, the 2nd highest total of the year. And there were 5 exploited vulnerabilities, also the 2nd highest monthly total of the year. It was not a good month for the ITOps and SecOps teams who are tasked with patching and remediating systems.
Fast forward to this month’s Patch Tuesday review, with 71 total vulnerabilities, right in line with the 12 month rolling average of 73 per month. Only three vulnerabilities this month are rated critical, a 54% reduction in the 12 month rolling average of 6.5.
Here is the best news to report from Microsoft this month. Not only were there zero exploited vulnerabilities for March….there have been ZERO so far in 2022! Considering that there was an average of 2 exploited vulnerabilities for every month last year, this is good news indeed.
Five Microsoft applications and components are responsible for over 50% of the reported vulnerabilities this month. Tops on the list is the Microsoft Windows Codec Library, with over 18% of the vulnerabilities. As two of these vulnerabilities are critical, and codecs are present in every Windows device, Automox recommends that updates to video extensions be prioritized in your patch schedule.
As we typically see every month, two vulnerability types made up the majority of March’s total. 40% of vulnerabilities were "Remote Code Execution" that allows an attacker to remotely execute malicious code on a computer. Another 35% of vulnerabilities were "Elevation of Privilege," meaning an attacker could change their access rights, for example from "read only" to "read and write."
This has been a busy month with out-of-band vulnerabilities from a number of vendors that were discussed in individual blogs. First, we reported on zero day vulnerabilities impacting Adobe Commerce and Magento Open Source in a blog entitled “Patch Now: Adobe Magento Vulnerability Scores a 9.8 out of 10” and another blog “Adobe Patches 2nd Magento Zero Day This Week.”
There were also blogs about the ”Dirty Pipe” vulnerability impacting Linux Kernel, and an actively exploited zero-day use-after-free vulnerability in Google Chrome.
And as we remind you every month, Automox recommends that all critical and exploited vulnerabilities are patched within a 72 hour window, in particular those zero-day, and Microsoft codec vulnerabilities highlighted this month.
Microsoft Critical Vulnerability Breakdown
CVE-2022-23277 - Microsoft Exchange Server Remote Code Execution Vulnerability - Critical
Remote code executions within Microsoft Exchange Server are always a bad combination due to the high confidentiality of the information stored there. Fortunately, this vulnerability requires an attacker to be authenticated, it is still critical but it’s not as bad as it could’ve been. Once the attacker is authenticated, they could attempt to trigger malicious code in the context of the server's account through a network call. With a BaseScore of 8.8 it’s clear that you can’t postpone patching this solution, Automox therefore recommends prioritizing remediation of this vulnerability ASAP. - Maarten Buis
CVE-2022-22006 - Microsoft Windows Codecs Library HEVC Video Extensions Remote Code Execution Vulnerability - Critical
CVE-2022-22006 is a critical vulnerability identified in HEVC Video Extensions. HEVC is an advanced video compression standard used for video storage and playback on Windows 10 systems. This vulnerability can lead to remote code execution (RCE). An attacker exploiting this vulnerability could take control of a system where they would be free to install programs, view or change data, or create new accounts on the target system with full user rights. The vulnerability is less likely to be exploited, according to Microsoft. However, the attack complexity is low and patching critical vulnerabilities is an important first step to maintaining a safe and secure infrastructure. - Jay Goodman
CVE-2022-24501 - Microsoft Windows Codecs Library VP9 Video Extensions Remote Code Execution Vulnerability - Critical
CVE-2022-24501 is a critical remote code execution vulnerability in Microsoft’s VP9 Video Extensions that has the potential to be exploited by a remote, non-authenticated attacker to execute arbitrary code on the target system. VP9 is an open source video coding format developed by Google that is supported by many modern web browsers and is popular for streaming over the internet. The VP9 Video Extensions enable the playing of VP9 videos in any video app on a Windows 10 device. Successful exploitation of this vulnerability requires an attacker to send a specially crafted file to bait a user, which could lead to a complete compromise of the vulnerable system. Those affected will automatically receive the necessary update through the Microsoft Store. - Eric Feldman
CVE-2022-24512 - .NET and Visual Studio Remote Code Execution Vulnerability - High and Publicly Disclosed
CVE-2022-24512 is a remote code execution vulnerability with low-privilege, high-complexity vulnerability for Microsoft’s .NET framework and Visual Studio environment, respectively. Although it doesn’t present a terrifying CVSS score (3.1) to raise eyebrows, the high-severity is likely due to RCE that doesn’t require any sort of elevated user privileges or even interaction. For the record, Microsoft Visual Studio is an integrated development environment (“IDE”) used to develop various products like websites, web apps, web services and mobile apps, while .NET is a free, cross-platform, open source developer platform for building many different types of applications/products like the ones previously mentioned. Exploitation of this vulnerability is less likely, though it has been publicly disclosed. - Chad McNaughton
CVE-2022-24459 - Windows Fax and Scan Service Elevation of Privilege Vulnerability - High and Publicly Disclosed
Although CVE-2022-24459 has a Microsoft Exploitability Assessment of “Exploitation Less Likely”, its attack vector — the Scan and Fax service in Windows software — is an attractive target for bad actors. The Scan and Fax service, some could argue, is a vestigial component of Windows that harkens back to a bygone era of digital communications, but that’s just the type of back-of-the-pantry code that hackers look for. And the Windows Fax and Scan Service may be enabled by default.
This vulnerability allows attackers to elevate their privilege level to that of a System Admin, giving them the ability to run arbitrary or malicious code. It affects 17 versions of Windows Server and 26 versions of Windows 7, 8.1, 10 and 11. An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. - Shari Barnett
CVE-2022-21990 - Windows Remote Desktop Client Remote Code Execution Vulnerability - High and Publicly Disclosed
CVE-2021-21990 is the return of a frequent critical remote code execution vulnerability impacting the Microsoft Remote Desktop Client. Similar to earlier vulnerabilities, an attacker with control of a remote desktop server can trigger a remote code execution (RCE) on the remote desktop protocol (RDP) client machine when a victim, with a vulnerable Remote Desktop Client, connects to the attacking server. Unlike the previous CVE (CVE-2021-43233), with a high attack complexity, CVE-2021-21990 has low attack complexity. To exploit this vulnerability, an attacker requires control of a server and then must convince users to connect to it, through social engineering, DNS poisoning, or using a Man in the Middle (MITM) technique, as examples. An attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect.
With a maximum severity rating of “important”, the Remote Desktop clients for Windows Desktop impacted include versions of Windows 7, 8.1, 10, and 11 (32 and 64-bit) as well as Windows Server 2008 (32 and 64-bit), 2008 R2 (64-bit), 2012, 2012 R2, 2016, 2019, 2022, and 20H2. Automox recommends applying this patch at your earliest convenience. - Gina Geisel
Apple
On February 10 and 14, Apple released a number of updates that address security issues and provide additional functionality.
Included are iOS 15.3.1 and iPadOS 15.3.1, macOS Monterey 12.2.1, macOS Big Sur 11.6.4, Security Update 2022-002 for macOS Catalina, and watchOS 8.4.2 are now available. Also, play close attention to a new update of Safari 15.3 for macOS Big Sur and macOS Catalina. There was a vulnerability discovered where processing maliciously crafted web content may lead to arbitrary code execution. As Apple is aware of a report that this issue may have been actively exploited, Automox recommends applying the latest Safari update within 72 hours. After installing the latest update of Safari 15.3, look for build number 16612.4.9.1.8 on macOS Big Sur and 15612.4.9.1.8 on macOS Catalina.
While the list of potential implications may impact a broad spectrum of capabilities, Apple does not typically discuss or confirm security issues until an investigation has occurred. As a result, Automox recommends prioritizing the update of all Apple mobile devices to the latest OS. - Eric Feldman
Google
This month Google released Chrome 99 touting impressive speed improvements and 28 security fixes on March first and an additional six fixes on the fourth. Most updates are use-after-free vulnerabilities that enable malicious code substitution attacks that can lead to data corruption, program crashes, and arbitrary code execution. Additional vulnerabilities include an out-of-bounds (OOB) memory access flaw, an OOB read issue, a type confusion bug, a data leak vulnerability, several inappropriate implementation flaws, and an authentication issue. If you have not yet updated to Chrome 99 beware of an actively exploited zero-day from last month in a version of Chrome 98. Automox recommends upgrading to Chrome version 99.0.4844.57 as soon as possible. - Aleks Haugom
Adobe
Adobe released updates for three products this week: Adobe Photoshop, Illustrator, and After Effects. Adobe has assigned all three product updates a priority rating of 3, reserved for software that historically has not been a target for attackers.
However, if your organization uses any of the software included in Adobe’s Patch Tuesday release, you should prioritize patching. Both Illustrator and After Effects had critical vulnerabilities, all netting 7.8/10 CVSS scores, fixed that allow for arbitrary code execution. If you’re running After Effects 22.2 and earlier or 18.4.4 and earlier on Windows or macOS, you are vulnerable. Windows and macOS machines running Illustrator 2022 versions 26.0.3 and earlier also need to be patched. Adobe also fixed a sole important vulnerability in Photoshop versions 22.5.5 and earlier as well as 23.1.1 and earlier for macOS and Windows, which allows memory leak. - Peter Pflaster
Mozilla
Two vulnerabilities for Mozilla Firefox were announced this week, both allowing RCE in use-after-free versions of the software. These are critical zero-day vulnerabilities as they’ve already been exploited in the wild. The following are the updated versions you should update to: Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3, Focus 97.3, and Thunderbird 91.6.2. We recommend patching within 24hrs to eliminate risk for your organization. For more information, please see our blog “Zero-Day RCE Vulnerabilities Released for Mozilla Firefox.” - Jessica Starkey
Automox for Easy IT Operations
Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day.
Grab your free trial of Automox and join thousands of companies transforming IT operations into a strategic business driver.