Welcome to the final Patch Tuesday of 2021, and the first since Pwn2Own Toronto. As always, Adobe and Microsoft have released their latest security fixes just in time for the winter holidays. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.
Adobe Patches for December 2022
As of 12:30 Central time, Adobe has not published their bulletins for December. This blog will be updated once this patches become available.
Microsoft Patches for December 2022
This month, Microsoft released 52 new patches addressing CVEs in Microsoft Windows and Windows Components; Azure; Office and Office Components; SysInternals; Microsoft Edge (Chromium-based); SharePoint Server; and the .NET framework. This is in addition to two CVEs fixed earlier this month, which brings the December release total to 54 fixes overall. A total of 12 of these CVEs were submitted through the ZDI program.
Of the 52 new patches released today, six are rated Critical, 43 are rated Important, and three are rated Moderate in severity. December is typically a light month for Microsoft patches, and this year is no exception. It’s also the smallest monthly release this year. Overall, 2022 was Microsoft’s second busiest ever with Microsoft fixing over 900 CVEs in total.
One of the new CVEs released this month is listed as publicly known and one is listed as being in the wild at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the bug under active attack:
– CVE-2022-44698 – Windows SmartScreen Security Feature Bypass Vulnerability
This bug has been widely discussed on the bird site and is likely related to the Mark of the Web bug patched last month. In this case, a file could be created that evades the Mark of the Web detection and therefore bypass security features such as Protected View in Microsoft Office. Considering how many phishing attacks rely on people opening attachments, these protections are vital in preventing malware and other attacks. It’s good to see Microsoft (finally) address these bugs.
– CVE-2022-44713 – Microsoft Outlook for Mac Spoofing Vulnerability
We don’t often highlight spoofing bugs, but anytime you’re dealing with a spoofing bug in an e-mail client, you should take notice. This vulnerability could allow an attacker to appear as a trusted user when they should not be. Now combine this with the SmartScreen Mark of the Web bypass and it’s not hard to come up with a scenario where you receive an e-mail that appears to be from your boss with an attachment entitled “Executive_Compensation.xlsx”. There aren’t many who wouldn’t open that file in that scenario.
– CVE-2022-41076 – PowerShell Remote Code Execution Vulnerability
This Critical-rated bug could allow an authenticated user to escape the PowerShell Remoting Session Configuration and run unapproved commands on an affected system. Threat actors often try to “live off the land” after an initial breach – meaning they use tools already on a system to maintain access and move throughout a network. PowerShell is one such tool, so any bug that bypasses restrictions is likely to be abused by intruders. Definitely don’t ignore this patch.
– CVE-2022-44699 – Azure Network Watcher Agent Security Feature Bypass Vulnerability
As someone who has done extensive incident response in the past, I know all too well the importance of good logs. That’s why this patch stood out to me. This bug would allow someone to terminate the packet capture from the Network Watcher agent. There might not be many enterprises relying on this tool, but for those using this VM extension, this fix should be treated as critical and deployed quickly.
Here’s the full list of CVEs released by Microsoft for December 2022:
CVE
Title
Severity
CVSS
Public
Exploited
Type
CVE-2022-44698
Windows SmartScreen Security Feature Bypass
Vulnerability
Moderate
5.4
No
Yes
SFB
CVE-2022-44710
DirectX Graphics Kernel Elevation of
Privilege Vulnerability
Important
7.8
Yes
No
EoP
CVE-2022-41127
Microsoft Dynamics NAV and Microsoft
Dynamics 365 Business Central (On Premises) Remote Code Execution
Vulnerability
Critical
8.5
No
No
RCE
CVE-2022-44690
Microsoft SharePoint Server Remote Code
Execution Vulnerability
Critical
8.8
No
No
RCE
CVE-2022-44693
Microsoft SharePoint Server Remote Code
Execution Vulnerability
Critical
8.8
No
No
RCE
CVE-2022-41076
PowerShell Remote Code Execution
Vulnerability
Critical
8.5
No
No
RCE
CVE-2022-44670
Windows Secure Socket Tunneling Protocol
(SSTP) Remote Code Execution Vulnerability
Critical
8.1
No
No
RCE
CVE-2022-44676
Windows Secure Socket Tunneling Protocol
(SSTP) Remote Code Execution Vulnerability
Critical
8.1
No
No
RCE
CVE-2022-41089
.NET Framework Remote Code Execution
Vulnerability
Important
8.8
No
No
RCE
CVE-2022-44699
Azure Network Watcher Agent Security Feature
Bypass Vulnerability
Important
4.4
No
No
SFB
CVE-2022-44708
Microsoft Edge (Chromium-based) Elevation of
Privilege Vulnerability
Important
8.3
No
No
EoP
CVE-2022-41115
Microsoft Edge (Chromium-based) Update
Elevation of Privilege Vulnerability
Important
6.6
No
No
EoP
CVE-2022-26804
Microsoft Office Graphics Remote Code
Execution Vulnerability
Important
7.8
No
No
RCE
CVE-2022-26805
Microsoft Office Graphics Remote Code
Execution Vulnerability
Important
7.8
No
No
RCE
CVE-2022-26806
Microsoft Office Graphics Remote Code
Execution Vulnerability
Important
7.8
No
No
RCE
CVE-2022-44692
Microsoft Office Graphics Remote Code
Execution Vulnerability
Important
7.8
No
No
RCE
CVE-2022-47211
Microsoft Office Graphics Remote Code
Execution Vulnerability
Important
7.8
No
No
RCE
CVE-2022-47212
Microsoft Office Graphics Remote Code
Execution Vulnerability
Important
7.8
No
No
RCE
CVE-2022-47213
Microsoft Office Graphics Remote Code
Execution Vulnerability
Important
7.8
No
No
RCE
CVE-2022-44691
Microsoft Office OneNote Remote Code
Execution Vulnerability
Important
7.8
No
No
RCE
CVE-2022-44694
Microsoft Office Visio Remote Code Execution
Vulnerability
Important
7.8
No
No
RCE
CVE-2022-44695
Microsoft Office Visio Remote Code Execution
Vulnerability
Important
7.8
No
No
RCE
CVE-2022-44696
Microsoft Office Visio Remote Code Execution
Vulnerability
Important
7.8
No
No
RCE
CVE-2022-44713
Microsoft Outlook for Mac Spoofing
Vulnerability
Important
7.5
No
No
Spoofing
CVE-2022-44704
Microsoft Windows Sysmon Elevation of
Privilege Vulnerability
Important
7.8
No
No
EoP
CVE-2022-24480
Outlook for Android Elevation of Privilege
Vulnerability
Important
6.3
No
No
EoP
CVE-2022-44687
Raw Image Extension Remote Code Execution
Vulnerability
Important
7.8
No
No
RCE
CVE-2022-44675
Windows Bluetooth Driver Elevation of
Privilege Vulnerability
Important
7.8
No
No
EoP
CVE-2022-44674
Windows Bluetooth Driver Information
Disclosure Vulnerability
Important
5.5
No
No
Info
CVE-2022-44673
Windows Client Server Run-Time Subsystem
(CSRSS) Elevation of Privilege Vulnerability
Important
7
No
No
EoP
CVE-2022-44666
Windows Contacts Remote Code Execution
Vulnerability
Important
7.8
No
No
RCE
CVE-2022-44669
Windows Error Reporting Elevation of
Privilege Vulnerability
Important
7
No
No
EoP
CVE-2022-41077
Windows Fax Compose Form Elevation of
Privilege Vulnerability
Important
7.8
No
No
EoP
CVE-2022-41121
Windows Graphics Component Elevation of
Privilege Vulnerability
Important
7.8
No
No
EoP
CVE-2022-44671
Windows Graphics Component Elevation of
Privilege Vulnerability
Important
7.8
No
No
EoP
CVE-2022-44680
Windows Graphics Component Elevation of
Privilege Vulnerability
Important
7.8
No
No
EoP
CVE-2022-41074
Windows Graphics Component Information
Disclosure Vulnerability
Important
5.5
No
No
Info
CVE-2022-44679
Windows Graphics Component Information
Disclosure Vulnerability
Important
6.5
No
No
Info
CVE-2022-44682
Windows Hyper-V Denial of Service
Vulnerability
Important
6.8
No
No
DoS
CVE-2022-41094
Windows Hyper-V Elevation of Privilege
Vulnerability
Important
7.8
No
No
EoP
CVE-2022-44707
Windows Kernel Denial of Service
Vulnerability
Important
6.5
No
No
DoS
CVE-2022-44683
Windows Kernel Elevation of Privilege
Vulnerability
Important
7.8
No
No
EoP
CVE-2022-44667
Windows Media Remote Code Execution
Vulnerability
Important
7.8
No
No
RCE
CVE-2022-44668
Windows Media Remote Code Execution
Vulnerability
Important
7.8
No
No
RCE
CVE-2022-44678
Windows Print Spooler Elevation of Privilege
Vulnerability
Important
7.8
No
No
EoP
CVE-2022-44681
Windows Print Spooler Elevation of Privilege
Vulnerability
Important
7.8
No
No
EoP
CVE-2022-44677
Windows Projected File System Elevation of
Privilege Vulnerability
Important
7.8
No
No
EoP
CVE-2022-44689
Windows Subsystem for Linux (WSL2) Kernel
Elevation of Privilege Vulnerability
Important
7.8
No
No
EoP
CVE-2022-44702
Windows Terminal Remote Code Execution
Vulnerability
Important
7.8
No
No
RCE
CVE-2022-44684
Windows Local Session Manager (LSM) Denial
of Service Vulnerability
Important
6.5
No
No
DoS
CVE-2022-44688
Microsoft Edge (Chromium-based) Spoofing
Vulnerability
Moderate
4.3
No
No
Spoofing
CVE-2022-44697
Windows Graphics Component Elevation of
Privilege Vulnerability
Moderate
7.8
No
No
EoP
Looking at the remaining Critical-rated fixes, there are two patches for the older Secure Socket Tunneling Protocol (SSTP). Both could allow a remote, unauthenticated threat actor to get code execution on an affected system by sending a specially crafted connection request to a server with the RAS Server role enabled. If you aren’t using this service, you should disable it. If you are using it, test and deploy these patches quickly. There are also two Critical-rated code execution bugs in SharePoint server, and we’ve seen SharePoint exploited in the wild with older, patched bugs. Definitely make sure you’re patching your SharePoint instances. The final Critical bug resides in Dynamics AV and could allow an authenticated attacker to execute code in the context of the server’s account through a network call.
Beyond these, there are 16 other remote code execution bugs getting fixes this December, including multiple Office bugs reported by ZDI research Mat Powell. Most of these are the open-a-file-get-owned sort, but a couple of these patches are worth a second look. The update for the .NET Framework seems to hit every supported version, but no additional information about the bug itself is available. Two different researchers are credited for it, which implies a bug collision from multiple sources. I always pay extra attention to bugs when multiple people have independently reported them. Finally, the update for Windows Terminal is found in the Windows Store, so it should be automatically applied. However, if you have disabled automatic Store updates or are in a disconnected environment, you’ll need to apply the patch by hand.
There are 18 patches addressing Elevation of Privilege (EoP) bugs in this month’s release. For the most part, these bugs require an authenticated user to execute specially crafted code on an affected system to escalate privileges. However, there are a few that deserve extra scrutiny. The first two are yet more fixes for the Print Spooler service. The long tail of PrintNightmare grows even longer. The bug in the DirectX Graphics Kernel is the one bug listed as public for December. I already mentioned incident response and living off the land. The bug in Sysinternals Sysmon combines both as many responders rely on Sysinternals services. Exploiting these for privilege escalation would certainly be something. The final EoP of note is a bug in Hyper-V that would allow an attacker to execute code with SYSTEM privileges.
The December release includes three information disclosure bugs. This month, they all simply result in info leaks consisting of unspecified memory contents.
There are only three Denial-of-Service (DOS) bugs receiving patches this month. The first is in Hyper-V and could allow a guest OS to “affect the functionality of the Hyper-V host.” Microsoft doesn’t make it clear if the Hyper-V host would completely shut down or if only certain services are affected. Either way, it’s not good when on guest OS can negatively impact the host OS. The other DoS bugs are in the Windows Kernel and Local Session Manager (LSM), but Microsoft provides no further information on those.
Besides the one fix for Outlook for Mac, there’s one other spoofing bug in Microsoft Edge (Chromium-based) receiving a patch this month. This bug allows an attacker to change the content of the autofill box that overlaps an error message on a specially crafted website. While interesting, I’m not sure how this would really be used in an actual attack. Still, never underestimate the ingenuity of determined threat actors.
Finally, there is one new advisory (ADV220005) this month providing additional guidance on third-party drivers that appear to be certified by the Microsoft Windows Hardware Developer Program. According to Microsoft, drivers that appear to have been certified by this program have been seen in the wild in post-exploitation activity. There are no servicing stack updates this month.
Looking Ahead
The first Patch Tuesday of 2023 will be on January 10, and we’ll return with details and patch analysis then. Be sure to catch the Patch Report webcast on our YouTube channel. It should be posted in just a few hours. Until then, Merry Christmahanakwanzika, happy patching, and may all your reboots be smooth and clean!
Blog post Zero Day Initiative – Blog
