News

Microsoft Addresses 50 Vulnerabilities in February Security Patch Release

• By Kurt Mackie
• 02/08/2022

Microsoft released February security patches on Tuesday, addressing perhaps around 50 or so common vulnerabilities and exposures (CVEs).

The 50 or so total count doesn't include around 19 Chromium patches pertaining to the Microsoft Edge browser that also were released this month. Security researchers keeping Microsoft patch tallies described this month's patch count as being rather low in number, but it's "in line with February patches from previous years," according to Dustin Childs of Trend Micro, in his Zero Day Initiative patch analysis.

Security solutions firm Automox tallied 48 vulnerabilities in Microsoft's February bundle, representing a "50% drop from January's total, and a 36% reduction of the 12 month rolling average," per the Automox Patch Tuesday commentary page.

Windows Print Spooler, Again
Affected software includes the usual targets, such as Windows and Office applications, as summarized in Microsoft's "Release Notes." Notably, the Windows Print Spooler is getting patches yet again this month, which has been the case each month ever since so-called "PrintNightmare" vulnerabilities were exposed last year.

All told, there are four elevation-of-privilege Print Spooler vulnerabilities getting patches this month, namely "CVE-2022-21999, CVE-2022-21997, CVE-2022-22718, CVE-2022-22717," according to Chris Goettl, vice president of product management at Ivanti, via e-mailed comments.

News: Hotpatching Feature at 'General Availability'
Microsoft's February patch "Release Notes" tucked away some news that Microsoft's new Hotpatching feature for Windows Server 2022 Azure Edition virtual machines has reached "general availability" or the commercial-release stage:

The new Hotpatching feature is now generally available. Please see Hotpatching feature for Windows Server Azure Edition virtual machines (VMs) for more information.

Hotpatching is an "Azure Automanage" feature that lets IT pros apply patches to virtual machines without reboots. It's just a tool that's available to Windows Server 2022 Azure Edition users, though.

No 'Critical'-Rated CVEs
Security researchers generally took note that there were no "Critical"-rated patches in Microsoft's February patch release, a very uncommon event for Microsoft. All of the patches address "Important"-rated issues, except for one patch that's deemed "Moderate."

Just one CVE was known to have been publicly known about before Microsoft's Tuesday announcement. It's an elevation-of-privilege vulnerability (CVE-2022-21989) in Windows kernels that takes advantage of a flaw in how objects are handled in memory. Microsoft's bulletin stated that "a successful attack could be performed from a low privilege AppContainer," which may be used to elevate privileges and "execute code or access resources at a higher integrity level." But the attack complexity is also deemed "high."

The CVE-2022-21989 vulnerability is currently at the proof-of-concept stage, but "details could be publicly available to threat actors," which could increase risks for organizations, Goettl indicated.

Notable Comments
Security researchers shared incisive commentary, which is quite a feat, considering that Microsoft only offers boilerplate explanations on its update Tuesday releases.

Even though there are no Critical fixes this month, there were patches for 18 remote code execution vulnerabilities, which "attackers love to use," explained Greg Wiseman, Product Manager at Rapid7:

In terms of prioritization, defenders should first focus on patching server systems. SharePoint has RCE (CVE-2022-22005), Security Feature Bypass (CVE-2022-21968), and Spoofing (CVE-2022-21987) vulnerabilities getting fixed today. CVE-2022-21984 is an RCE affecting DNS Server. Microsoft Dynamics administrators should also be aware that there are six CVEs being patched, including 2 RCEs, 3 allowing elevation of privilege, and a spoofing vulnerability.

Wiseman also suggested prioritizing the Office patches CVE-2022-22003 and CVE-2022-22004, since they are remote code execution vulnerabilities that can be exploited by e-mailing malicious files.

Danny Kim, a principal architect at Virsec, noted that Microsoft last month updated a security bulletin from 2013, namely CVE-2013-3900, "to notify customers that an update to Windows 10/11 is available that addresses the original CVE."

CVE-2013-3900 is a better-late-than-never kind of fix. Here's how Kim characterized the threat posed by CVE-2013-3900, via an e-mailed comment:

The CVE allows an attacker to inject malicious code into a signed application without invalidating the file's original signature. In Windows, signatures are used to verify that a file has not been modified since it was released by the original vendor. With the ability to inject malicious code into "verified" applications, the attacker can gain complete control over a system especially if the user who runs the application has administrative privileges.

On top of Microsoft's update Tuesday releases, patches were released by Adobe, Apple and Google. Automox's patch page has summaries, and also advised on patching a Critical Samba vulnerability (CVE-2021-44142). Also, a security advisory was issued this week for Citrix Hypervisor.

The Cybersecurity and Infrastructure Security Agency (CISA) announced on Friday that it has added CVE-2022-21882, a Microsoft Win32k privilege escalation vulnerability that got a patch during Microsoft's January update Tuesday release, to its "Known Exploited Vulnerabilities Catalog." Threat actors are "actively exploiting" it, CISA warned federal agencies.