Microsoft Packs 71 Flaw Fixes in March Patch Tuesday
Microsoft on Tuesday released its monthly patch rollout, addressing 71 common vulnerabilities and exposures (CVEs), three of them rated "critical."
The good news is that Microsoft's patch arrives before any of the three critical items has been seen actively exploited in the wild. Don't count on that being the case for long, though, so IT should patch as soon as possible.
Most serious of the three is CVE-2022-23277, which addresses an issue in Microsoft Exchange Server that could lead to an attacker running custom code on a targeted system by gaining authenticated access and making a network call.
While, again, not being actively exploited, the potential for attacks targeting this flaw is high, according to security pro Dustin Childs of Trend Micro, in his Zero Day Initiative patch analysis. "This [vulnerability] is listed as low complexity with exploitation more likely, so it would not surprise me to see this bug exploited in the wild soon - despite the authentication requirement," said Childs. "Test and deploy this to your Exchange servers quickly."
'Critical' Video Extension Issues
The final two "critical" rated items pertain to video extension holes.
CVE-2022-22006 addresses a remote code execution flaw in the High Efficiency Video Coding (HEVC) video extensions. The HEVC extensions are used to support 4K and Ultra HD video on newer hardware. The second video flaw, CVE-2022-24501, closes a similar type of flaw in the VP9 video extensions -- widely used to stream video from the Internet.
In both cases, an attacker would need a target to open a specially crafted file with one of the extensions, which would lead to a system crash. While patching both should be on the priority list, addressing the VP9 item as soon as possible is recommended because the VP9 extension is more widely used than the HEVC extension.
The remaining 68 items are rated "important," and should be applied after testing and analysis are complete.
Defender Gets Patched
A highlight of this month's patch is CVE-2022-23278, which closes a spoofing hole in Microsoft Defender for Endpoint, the company's enterprise endpoint security platform. The spoofing flaw affects all platforms, and the risk of exploits targeting it is rated high. Per a blog post by the Microsoft Defender for Endpoint Team:
Cybercriminals are looking for any opening to tamper with security protections in order to blind, confuse, or often shut off customer defenses. Microsoft continuously works to defeat these methods to help our customers protect their environment and gain visibility when attacks occur, both through our own research and in partnership with the security community. With our March security update release, we are further hardening Microsoft Defender for Endpoint by addressing the ability for attackers to spoof information between the client and the service.
The Defender Team thanked the security experts at Belgium-based firm FalconForce for discovering and alerting Microsoft to this flaw.
Microsoft Resolves Three Zero-Days
March's large patch update also comes packed with three fixes for newly discovered flaws:
- CVE-2022-21990: Resolves a Remote Desktop Client issue that could lead to remote code execution on a machine if that system connects to a malicious server.
- CVE-2022-24512: Fixes a .NET and Visual Studio remote code execution flaw. While important to patch, it should be noted that the vulnerability can only be leveraged in conjunction with an additional attack campaign.
- CVE-2022-24459: Closes a hole in the Windows Fax and Scan Services that could lead to an elevation of privilege in all supported versions of Windows OS and Windows Server.
Mozilla Issues 'Critical' Fixes
In other security update news, Mozilla, maker of the popular Firefox browser, released an out-of-band patch on Monday that addresses two "critical" security vulnerabilities.
Both issues pertain to use-after-free vulnerabilities in the browser -- holes that could lead to malicious code execution through memory corruption when a user clicks on a harmful URL. Both should be a high priority, as attacks exploiting both vulnerabilities have been seen in the wild.