The December 2022 Security Update Review

Welcome to the final Patch Tuesday of 2022, and the first since Pwn2Own Toronto. As always, Adobe and Microsoft have released their latest security fixes just in time for the winter holidays. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for December 2022

As of 12:30 Central time, Adobe has not published their bulletins for December. This blog will be updated once these patches become available.

Microsoft Patches for December 2022

This month, Microsoft released 52 new patches addressing CVEs in Microsoft Windows and Windows Components; Azure; Office and Office Components; SysInternals; Microsoft Edge (Chromium-based); SharePoint Server; and the .NET framework. This is in addition to two CVEs fixed earlier this month, which brings the December release total to 54 fixes overall. A total of 12 of these CVEs were submitted through the ZDI program.

Of the 52 new patches released today, six are rated Critical, 43 are rated Important, and three are rated Moderate in severity. December is typically a light month for Microsoft patches, and this year is no exception. It’s also the smallest monthly release this year. Overall, 2022 was Microsoft’s second busiest ever with Microsoft fixing over 900 CVEs in total.

One of the new CVEs released this month is listed as publicly known and one is listed as being in the wild at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the bug under active attack:

– CVE-2022-44698 – Windows SmartScreen Security Feature Bypass Vulnerability
This bug has been widely discussed on the bird site and is likely related to the Mark of the Web bug patched last month. In this case, a file could be created that evades the Mark of the Web detection and therefore bypass security features such as Protected View in Microsoft Office. Considering how many phishing attacks rely on people opening attachments, these protections are vital in preventing malware and other attacks. It’s good to see Microsoft (finally) address these bugs.
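Mark of the Web is just an NTFS alternate data stream named Zone.Identifier that Windows attaches to downloaded files; SmartScreen and Office Protected View key off its ZoneId value. The following PowerShell is an added example, not code from the ZDI post, that inventories which files in a folder carry the mark and which do not. The folder path and the sample stream layout in the comments are assumptions for illustration; the function name Get-MotWInfo is invented here.

```powershell
# Added example (not from the ZDI post): inventory Mark of the Web (MotW) on files.
# Windows records MotW in an NTFS alternate data stream called Zone.Identifier.
# A typical stream body (constructed illustration) looks like:
#   [ZoneTransfer]
#   ZoneId=3
#   HostUrl=https://example.invalid/Executive_Compensation.xlsx
# ZoneId 3 (Internet) and 4 (Restricted sites) are the values that make SmartScreen
# and Office Protected View treat the file as untrusted.

function Get-MotWInfo {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Path)
    process {
        $result = [ordered]@{
            Path = $Path; HasMotW = $false; ZoneId = $null; ReferrerUrl = $null; HostUrl = $null
        }
        try {
            # -Stream reads the alternate data stream; missing stream -> terminating error
            $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
            $result.HasMotW = $true
            foreach ($line in $lines) {
                if ($line -match '^(ZoneId|ReferrerUrl|HostUrl)=(.*)$') {
                    $result[$Matches[1]] = $Matches[2]
                }
            }
            if ($null -ne $result.ZoneId) { $result.ZoneId = [int]$result.ZoneId }
        } catch {
            # No Zone.Identifier stream: the file was never marked, or the mark was lost
            # (copied to a non-NTFS volume, or extracted by a tool that does not propagate MotW).
        }
        [pscustomobject]$result
    }
}

# Usage: list files in Downloads (assumed folder) that will NOT get Protected View treatment,
# i.e. no mark at all, or a zone below Internet.
Get-ChildItem -LiteralPath "$env:USERPROFILE\Downloads" -File -Recurse |
    Select-Object -ExpandProperty FullName |
    Get-MotWInfo |
    Where-Object { -not $_.HasMotW -or $_.ZoneId -lt 3 } |
    Format-Table Path, HasMotW, ZoneId, HostUrl -AutoSize
```

The check only reports what NTFS stores. A file that arrives inside a container and is unpacked by a tool that does not copy the stream, or that lands on a FAT/exFAT volume, shows HasMotW = False even though it came from the Internet, which is why a bypass of MotW detection matters: every downstream protection that consults the zone is silently skipped.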

– CVE-2022-44713 – Microsoft Outlook for Mac Spoofing Vulnerability
We don’t often highlight spoofing bugs, but anytime you’re dealing with a spoofing bug in an e-mail client, you should take notice. This vulnerability could allow an attacker to appear as a trusted user when they should not be. Now combine this with the SmartScreen Mark of the Web bypass and it’s not hard to come up with a scenario where you receive an e-mail that appears to be from your boss with an attachment entitled “Executive_Compensation.xlsx”. There aren’t many who wouldn’t open that file in that scenario.

– CVE-2022-41076 – PowerShell Remote Code Execution Vulnerability
This Critical-rated bug could allow an authenticated user to escape the PowerShell Remoting Session Configuration and run unapproved commands on an affected system. Threat actors often try to “live off the land” after an initial breach – meaning they use tools already on a system to maintain access and move throughout a network. PowerShell is one such tool, so any bug that bypasses restrictions is likely to be abused by intruders. Definitely don’t ignore this patch.

– CVE-2022-44699 – Azure Network Watcher Agent Security Feature Bypass Vulnerability
As someone who has done extensive incident response in the past, I know all too well the importance of good logs. That’s why this patch stood out to me. This bug would allow someone to terminate the packet capture from the Network Watcher agent. There might not be many enterprises relying on this tool, but for those using this VM extension, this fix should be treated as critical and deployed quickly.

Here’s the full list of CVEs released by Microsoft for December 2022:

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2022-44698 | Windows SmartScreen Security Feature Bypass Vulnerability | Moderate | 5.4 | No | Yes | SFB |
| CVE-2022-44710 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Important | 7.8 | Yes | No | EoP |
| CVE-2022-41127 | Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability | Critical | 8.5 | No | No | RCE |
| CVE-2022-44690 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2022-44693 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2022-41076 | PowerShell Remote Code Execution Vulnerability | Critical | 8.5 | No | No | RCE |
| CVE-2022-44670 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-44676 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-41089 | .NET Framework Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-44699 | Azure Network Watcher Agent Security Feature Bypass Vulnerability | Important | 4.4 | No | No | SFB |
| CVE-2022-44708 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important | 8.3 | No | No | EoP |
| CVE-2022-41115 | Microsoft Edge (Chromium-based) Update Elevation of Privilege Vulnerability | Important | 6.6 | No | No | EoP |
| CVE-2022-26804 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-26805 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-26806 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-44692 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-47211 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-47212 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-47213 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-44691 | Microsoft Office OneNote Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-44694 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-44695 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-44696 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-44713 | Microsoft Outlook for Mac Spoofing Vulnerability | Important | 7.5 | No | No | Spoofing |
| CVE-2022-44704 | Microsoft Windows Sysmon Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-24480 | Outlook for Android Elevation of Privilege Vulnerability | Important | 6.3 | No | No | EoP |
| CVE-2022-44687 | Raw Image Extension Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-44675 | Windows Bluetooth Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-44674 | Windows Bluetooth Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-44673 | Windows Client Server Run-Time Subsystem (CSRSS) Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-44666 | Windows Contacts Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-44669 | Windows Error Reporting Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-41077 | Windows Fax Compose Form Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-41121 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-44671 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-44680 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-41074 | Windows Graphics Component Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-44679 | Windows Graphics Component Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2022-44682 | Windows Hyper-V Denial of Service Vulnerability | Important | 6.8 | No | No | DoS |
| CVE-2022-41094 | Windows Hyper-V Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-44707 | Windows Kernel Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2022-44683 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-44667 | Windows Media Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-44668 | Windows Media Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-44678 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-44681 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-44677 | Windows Projected File System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-44689 | Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-44702 | Windows Terminal Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-44684 | Windows Local Session Manager (LSM) Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2022-44688 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Moderate | 4.3 | No | No | Spoofing |
| CVE-2022-44697 | Windows Graphics Component Elevation of Privilege Vulnerability | Moderate | 7.8 | No | No | EoP |

Looking at the remaining Critical-rated fixes, there are two patches for the older Secure Socket Tunneling Protocol (SSTP). Both could allow a remote, unauthenticated threat actor to get code execution on an affected system by sending a specially crafted connection request to a server with the RAS Server role enabled. If you aren’t using this service, you should disable it. If you are using it, test and deploy these patches quickly. There are also two Critical-rated code execution bugs in SharePoint Server, and we’ve seen SharePoint exploited in the wild with older, patched bugs. Definitely make sure you’re patching your SharePoint instances. The final Critical bug resides in Dynamics NAV and could allow an authenticated attacker to execute code in the context of the server’s account through a network call.
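The advice above is "disable it if you don’t use it, patch it fast if you do". The PowerShell below is an added example, not code from the ZDI post, that turns that into a check a defender can run on each Windows host: it reports whether the Remote Access role and the RAS/SSTP services are present and running, optionally confirms a given update is installed, and offers a guarded disable step. The function names, the -KbId parameter and the KB placeholder are assumptions; the page does not list the KB numbers, so supply your own from the Microsoft bulletin.

```powershell
# Added example (not from the ZDI post): is this host exposed to the SSTP RCE bugs
# (CVE-2022-44670 / CVE-2022-44676), and if the service is unused, disable it.
# Assumes Windows PowerShell 5.1 or later run as an administrator.

function Get-RasSstpStatus {
    [CmdletBinding()]
    param(
        # Placeholder: replace with the KB number for your OS from the Microsoft bulletin
        [string]$KbId = 'KB<PLACEHOLDER>'
    )
    # RemoteAccess = Routing and Remote Access (the RAS server), SstpSvc = SSTP service
    $services = Get-Service -Name RemoteAccess, SstpSvc -ErrorAction SilentlyContinue |
        Select-Object Name, Status, StartType

    # On Server SKUs the ServerManager module tells us whether the Remote Access role
    # (and its VPN/RAS and Routing sub-features) is installed; on clients it is absent.
    $roleInstalled = $null
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $roleInstalled = [bool](Get-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing -ErrorAction SilentlyContinue |
            Where-Object Installed)
    }

    $ras = $services | Where-Object Name -eq 'RemoteAccess'
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        RasRoleInstalled  = $roleInstalled          # $null means "cannot tell on this SKU"
        RemoteAccessState = if ($ras) { $ras.Status } else { 'NotInstalled' }
        SstpSvcState      = ($services | Where-Object Name -eq 'SstpSvc').Status
        # Exposed = the RAS server service is actually running on this box
        Exposed           = [bool]($ras -and $ras.Status -eq 'Running')
        PatchInstalled    = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
    }
}

function Disable-RasSstp {
    # SupportsShouldProcess gives us -WhatIf/-Confirm so nothing changes by accident
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($name in 'RemoteAccess', 'SstpSvc') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -and $PSCmdlet.ShouldProcess($name, 'Stop and disable service')) {
            Stop-Service -Name $name -Force
            Set-Service -Name $name -StartupType Disabled
        }
    }
}

# Usage: report first; only disable after confirming nobody depends on this VPN endpoint.
$status = Get-RasSstpStatus
$status | Format-List
if ($status.Exposed -and -not $status.PatchInstalled) {
    Disable-RasSstp -WhatIf    # drop -WhatIf once the change is approved
}
```

Two caveats worth keeping in mind: SstpSvc also carries outbound SSTP VPN client connections, so disable it only on machines that use no SSTP VPN at all, and a stopped service is a mitigation rather than a substitute for the update, since the vulnerable code remains on disk until the patch lands.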

Beyond these, there are 16 other remote code execution bugs getting fixes this December, including multiple Office bugs reported by ZDI researcher Mat Powell. Most of these are the open-a-file-get-owned sort, but a couple of these patches are worth a second look. The update for the .NET Framework seems to hit every supported version, but no additional information about the bug itself is available. Two different researchers are credited for it, which implies a bug collision from multiple sources. I always pay extra attention to bugs when multiple people have independently reported them. Finally, the update for Windows Terminal is found in the Windows Store, so it should be automatically applied. However, if you have disabled automatic Store updates or are in a disconnected environment, you’ll need to apply the patch by hand.

There are 18 patches addressing Elevation of Privilege (EoP) bugs in this month’s release. For the most part, these bugs require an authenticated user to execute specially crafted code on an affected system to escalate privileges. However, there are a few that deserve extra scrutiny. The first two are yet more fixes for the Print Spooler service. The long tail of PrintNightmare grows even longer. The bug in the DirectX Graphics Kernel is the one bug listed as public for December. I already mentioned incident response and living off the land. The bug in Sysinternals Sysmon combines both as many responders rely on Sysinternals services. Exploiting these for privilege escalation would certainly be something. The final EoP of note is a bug in Hyper-V that would allow an attacker to execute code with SYSTEM privileges.

The December release includes three information disclosure bugs. This month, they all simply result in info leaks consisting of unspecified memory contents.

There are only three Denial-of-Service (DoS) bugs receiving patches this month. The first is in Hyper-V and could allow a guest OS to “affect the functionality of the Hyper-V host.” Microsoft doesn’t make it clear if the Hyper-V host would completely shut down or if only certain services are affected. Either way, it’s not good when one guest OS can negatively impact the host OS. The other DoS bugs are in the Windows Kernel and Local Session Manager (LSM), but Microsoft provides no further information on those.

Besides the one fix for Outlook for Mac, there’s one other spoofing bug in Microsoft Edge (Chromium-based) receiving a patch this month. This bug allows an attacker to change the content of the autofill box that overlaps an error message on a specially crafted website. While interesting, I’m not sure how this would really be used in an actual attack. Still, never underestimate the ingenuity of determined threat actors.

Finally, there is one new advisory (ADV220005) this month providing additional guidance on third-party drivers that appear to be certified by the Microsoft Windows Hardware Developer Program. According to Microsoft, drivers that appear to have been certified by this program have been seen in the wild in post-exploitation activity. There are no servicing stack updates this month.

Looking Ahead

The first Patch Tuesday of 2023 will be on January 10, and we’ll return with details and patch analysis then. Be sure to catch the Patch Report webcast on our YouTube channel. It should be posted in just a few hours. Until then, Merry Christmahanakwanzika, happy patching, and may all your reboots be smooth and clean!

Blog post: Zero Day Initiative – Blog
