
No Critical Bugs for Microsoft February 2022 Patch Tuesday, 1 Zero-Day

February 8, 2022

This batch had zero critical CVEs, which is unheard of. Most (50) of the patches are labeled Important, so don’t hold off on implementing the patches, security experts said.

Oh, blessed day: Microsoft’s Patch Tuesday is a featherweight compared to some of its not-atypical, 10-ton security updates, with just 51 patches, none of them rated critical.

For February, Microsoft’s releases address CVEs in Windows and Windows Components, Azure Data Explorer, Kestrel Web Server, Microsoft Edge (Chromium-based), Windows Codecs Library, Microsoft Dynamics, Microsoft Dynamics GP, Microsoft Office and Office Components, Windows Hyper-V Server, SQL Server, Visual Studio Code and Microsoft Teams.


Among these, Microsoft tackled one zero-day: CVE-2022-21989, a Windows Kernel elevation-of-privilege vulnerability. And one of the updates is for a CVE first published in 2013.

This crop is in addition to the 19 CVEs patched by Microsoft Edge (Chromium-based) earlier this month, which brings the February total to 70 CVEs.

Whaaa? No Critical CVEs?!

Of course, it’s not size that matters. But February’s patch-a-palooza is light not just in number of CVEs, but also in that it comes with nary a single patch that is labeled critical.

Has that ever happened?

As of Monday afternoon, Dustin Childs, a researcher with Trend Micro’s Zero Day Initiative (ZDI), was scratching his head on that one.

“It may have occurred before, but I can’t find an instance of a regular monthly release from Microsoft that does not include at least one critical-rated patch,” Childs wrote in ZDI’s Patch Tuesday analysis. “It surely hasn’t occurred in recent memory.”

Childs noted that this February’s volume “is in line with February releases from previous years, which (apart from 2020) tend to be around 50 CVEs.”

It follows the massive batch that Microsoft baked for its January 2022 Patch Tuesday, when it addressed a total of 97 security vulnerabilities, including nine critical CVEs – one of which is a self-propagator with a 9.8 CVSS score, and six of which were listed as publicly known zero-days.

To add indigestion to overwork, the January patches promptly blew up. After their release on Jan. 11, the updates started breaking Windows, causing spontaneous boot loops on Windows domain controller servers, breaking Hyper-V and making ReFS volume systems unavailable.

“Unfortunate that the Jan 11 updates have a number of severe flaws that mean they are un-deployable,” lamented one Threatpost reader. “That means our servers are unpatched and vulnerable to other security pitfalls thanks to other bugs, until the next set of patches come out.”

Of the patches released today – that awaited “next set of patches” – 50 are rated Important and one is rated Moderate in severity.

No Active Exploits (Yet)

Microsoft listed none of the February bugs as being under exploit, though one is listed as publicly known at the time of release. But as ZDI’s Childs pointed out, the same was true of last month’s release – for two days, at any rate, after which the company revised CVE-2022-21882 to indicate that “Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.”

If Microsoft learns otherwise, or changes its corporate mind, Childs promised that ZDI will update its analysis.

As for the zero-day elevation-of-privilege vulnerability in the Windows Kernel, Satnam Narang, staff research engineer at Tenable, said via email: “While Microsoft rates the vulnerability as ‘exploitation more likely,’ the complexity to exploit the vulnerability is high, because of the additional legwork required to prepare the target.”

He added, “This type of vulnerability is usually leveraged by an attacker when they’ve already compromised the target, either through the use of a separate vulnerability or malware.”

Complete List of CVEs

As it does, ZDI has put together the full list of CVEs released by Microsoft for this month.

Childs also delved into four of the more interesting bugs. Here’s what he had to say:

    • CVE-2022-21984 – Windows DNS Server Remote Code Execution Vulnerability: “This patch fixes a remote code-execution bug in the Microsoft DNS server. The server is only affected if dynamic updates are enabled, but this is a relatively common configuration. If you have this setup in your environment, an attacker could completely take over your DNS and execute code with elevated privileges. Since dynamic updates are not enabled by default, this does not get a critical rating. However, if your DNS servers do use dynamic updates, you should treat this bug as critical.”
    • CVE-2022-23280 – Microsoft Outlook for Mac Security Feature Bypass Vulnerability: “This Outlook bug could allow images to appear in the Preview Pane automatically, even if this option is disabled. On its own, exploiting this will only expose the target’s IP information. However, it is possible a second bug affecting image rendering could be paired with this bug to allow remote code execution. If you are using Outlook for Mac, you should double-check to ensure your version has been updated to an unaffected version.”
    • CVE-2022-21995 – Windows Hyper-V Remote Code Execution Vulnerability: “This patch fixes a guest-to-host escape in Hyper-V server. Microsoft marks the CVSS exploit complexity as high here, stating an attacker ‘must prepare the target environment to improve exploit reliability.’ Since this is the case for most exploits, it is not clear how this vulnerability is different. If you rely on Hyper-V servers in your enterprise, it’s recommended to treat this as a critical update.”
    • CVE-2022-22005 – Microsoft SharePoint Server Remote Code Execution Vulnerability: “This patch fixes a bug in SharePoint Server that could allow an authenticated user to execute any arbitrary .NET code on the server under the context and permissions of the service account of SharePoint Web Application. An attacker would need ‘Manage Lists’ permissions to exploit this; by default, authenticated users are able to create their own sites and, in this case, the user will be the owner of this site and will have all necessary permissions.”

Tenable’s Narang also pointed out that Microsoft patched four elevation-of-privilege vulnerabilities in its Windows Print Spooler, including two rated “exploitation more likely.”

“One of these two flaws, CVE-2022-21999, is credited to researchers at Sangfor, who were responsible for disclosing some of the PrintNightmare vulnerabilities last summer,” Narang observed. “Because of the ubiquity of Print Spooler, vulnerabilities like this have been leveraged by ransomware groups.”

Also of Note: A Dusty Old-Timer

Danny Kim, principal architect at Virsec, said that he found it interesting that Microsoft republished a CVE from 2013 to notify customers that an update to Windows 10/11 is available that addresses the original CVE.

“The CVE allows an attacker to inject malicious code into a signed application without invalidating the file’s original signature,” he said in an email to Threatpost on Tuesday. “In Windows, signatures are used to verify that a file has not been modified since it was released by the original vendor. With the ability to inject malicious code into ‘verified’ applications, the attacker can gain complete control over a system, especially if the user who runs the application has administrative privileges.”

He said that the attacker can go as far as creating new user accounts with full access, enabling the attacker to log in to the machine at will.

Though the CVE is originally from 2013, it highlights two concerning facts, he said: “Patching is a slow-moving solution, and applications need to be monitored at all times. Patching is a post-attack solution that moves too slowly to keep up with today’s attacks. Applications, even verified ones, cannot just be checked when they start execution – their behavior throughout the lifetime of the application needs to be monitored and verified against expected behavior.”

Apply Patches ASAP

Despite the fact that there were no critical CVEs nor active exploits called out in the February Patch Tuesday release, security experts advised, as they always do, that the patches should be applied as soon as possible.

Some parts of this article are sourced from:
threatpost.com
