The March 2022 Security Update Review



Informationsportal Cybersicherheit interne Portal Nachrichten

TSEC NEWS (572 Quellen): 11.08.22 Perofrmance fix. Download Android App Android App von Team IT Security


Informationsportal Cybersecurity Chronologie für Nachrichtenthemen


The March 2022 Security Update Review

thezdi.com

It’s once again Patch Tuesday, which means the latest security updates from Adobe and Microsoft have arrived. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for March 2022

The Adobe release for March is quite small. This month, Adobe released only three patches addressing six CVEs in Adobe Photoshop, Illustrator, and After Effects. The patch for After Effects is the largest of the three. It fixes four Critical-rated, stacked-based buffer overflows that could result in arbitrary code execution. The fix for Illustrator is also rated Critical. It addresses a single buffer overflow that could lead to arbitrary code execution. Finally, the update for Photoshop fixes a single Important-rated memory leak.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.

Microsoft Patches for March 2022

For March, Microsoft released 71 new patches addressing CVEs in Microsoft Windows and Windows Components, Azure Site Recovery, Microsoft Defender for Endpoint and IoT, Intune, Edge (Chromium-based), Windows HTML Platforms, Office and Office Components, Skype for Chrome, .NET and Visual Studio, Windows RDP, SMB Server, and Xbox. This is in addition to the 21 CVEs patched by Microsoft Edge (Chromium-based) earlier this month, which brings the March total to 92 CVEs.

Of the 71 CVEs released today, three are rated Critical and 68 are rated Important in severity. A total of seven of these bugs came through the ZDI program. Historically speaking, this is volume is in line with previous March releases. However, the number of Critical-rated patches is again strangely low for this number of bugs. It’s unclear if this low percentage of bugs is just a coincidence or if Microsoft might be evaluating the severity using different calculus than in the past.

None of the bugs are listed as under active exploit this month, while three are listed as publicly known at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with one of the bugs listed as publicly known:

-       CVE-2022-21990 – Remote Desktop Client Remote Code Execution Vulnerability
This client-side bug doesn’t have the same punch as server-side related RDP vulnerabilities, but since it’s listed as publicly known, it makes sense to go ahead and treat this as a Critical-rated bug. If an attacker can lure an affected RDP client to connect to their RDP server, the attacker could trigger code execution on the targeted client. Again, this isn’t as severe as BlueKeep or some of the other RDP server bugs, but it definitely shouldn’t be overlooked.

-       CVE-2022-23277 – Microsoft Exchange Server Remote Code Execution Vulnerability
This Critical-rated bug in Exchange Server was reported by long-time ZDI contributor Markus Wulftange. The vulnerability would allow an authenticated attacker to execute their code with elevated privileges through a network call. This is also listed as low complexity with exploitation more likely, so it would not surprise me to see this bug exploited in the wild soon - despite the authentication requirement. Test and deploy this to your Exchange servers quickly.

-       CVE-2022-24508 – Windows SMBv3 Client/Server Remote Code Execution Vulnerability
This bug could allow an attacker to execute code on Windows 10 version 2004 and newer systems. It’s also reminiscent of CVE-2020-0796 from a couple of years ago. Both also list disabling SMBv3 compression as a workaround for SMB servers, but this doesn’t help clients. In 2020, Microsoft noted SMBv3 compression “is not yet used by Windows or Windows Server and disabling SMB Compression has no negative performance impact.” That’s not in the current advisory, so it’s unclear what disabling this feature will have now. Authentication is required here, but since this affected both clients and servers, an attacker could use this for lateral movement within a network. This is another one I would treat as Critical and mitigate quickly.

-       CVE-2022-21967 – Xbox Live Auth Manager for Windows Elevation of Privilege Vulnerability
This appears to be the first security patch impacting Xbox specifically. There was an advisory for an inadvertently disclosed Xbox Live certificate back in 2015, but this seems to be the first security-specific update for the device itself. Microsoft even notes other Windows OSes are not affected by this bug. It’s not clear how an attacker could escalate privileges using this vulnerability, but the Auth Manager component is listed as affected. This service handles interacting with the Xbox Live service. I doubt many enterprises are reliant on Xbox or Xbox Live, but if you are, make sure this patch doesn’t go unnoticed.

Here’s the full list of CVEs released by Microsoft for March 2022:

CVE Title Severity CVSS Public Exploited Type
CVE-2022-24512 .NET and Visual Studio Remote Code Execution Vulnerability Important 6.3 Yes No RCE
CVE-2022-21990 Remote Desktop Client Remote Code Execution Vulnerability Important 8.8 Yes No RCE
CVE-2022-24459 Windows Fax and Scan Service Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2022-22006 HEVC Video Extensions Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2022-23277 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2022-24501 VP9 Video Extensions Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2022-24508 Windows SMBv3 Client/Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-21967 Xbox Live Auth Manager for Windows Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-24464 .NET and Visual Studio Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-24469 Azure Site Recovery Elevation of Privilege Vulnerability Important 8.1 No No EoP
CVE-2022-24506 Azure Site Recovery Elevation of Privilege Vulnerability Important 6.5 No No EoP
CVE-2022-24515 Azure Site Recovery Elevation of Privilege Vulnerability Important 6.5 No No EoP
CVE-2022-24518 Azure Site Recovery Elevation of Privilege Vulnerability Important 6.5 No No EoP
CVE-2022-24519 Azure Site Recovery Elevation of Privilege Vulnerability Important 6.5 No No EoP
CVE-2022-24467 Azure Site Recovery Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2022-24468 Azure Site Recovery Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2022-24470 Azure Site Recovery Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2022-24471 Azure Site Recovery Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2022-24517 Azure Site Recovery Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2022-24520 Azure Site Recovery Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2020-8927 * Brotli Library Buffer Overflow Vulnerability Important 6.5 No No N/A
CVE-2022-24457 HEIF Image Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-22007 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-23301 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-24452 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-24453 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-24456 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-21977 Media Foundation Information Disclosure Vulnerability Important 3.3 No No Info
CVE-2022-22010 Media Foundation Information Disclosure Vulnerability Important 4.4 No No Info
CVE-2022-23278 Microsoft Defender for Endpoint Spoofing Vulnerability Important 5.9 No No Spoofing
CVE-2022-23266 Microsoft Defender for IoT Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-23265 Microsoft Defender for IoT Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2022-24463 Microsoft Exchange Server Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2022-24465 Microsoft Intune Portal for iOS Security Feature Bypass Vulnerability Important 3.3 No No SFB
CVE-2022-24461 Microsoft Office Visio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-24509 Microsoft Office Visio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-24510 Microsoft Office Visio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-24511 Microsoft Office Word Tampering Vulnerability Important 5.5 No No Tampering
CVE-2022-24462 Microsoft Word Security Feature Bypass Vulnerability Important 5.5 No No SFB
CVE-2022-23282 Paint 3D Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-23253 Point-to-Point Tunneling Protocol Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2022-23295 Raw Image Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-23300 Raw Image Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-23285 Remote Desktop Client Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-24503 Remote Desktop Protocol Client Information Disclosure Vulnerability Important 5.4 No No Info
CVE-2022-24522 Skype Extension for Chrome Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2022-24460 Tablet Windows User Interface Application Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-24526 Visual Studio Code Spoofing Vulnerability Important 6.1 No No Spoofing
CVE-2022-24451 VP9 Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-23283 Windows ALPC Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-23287 Windows ALPC Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-24505 Windows ALPC Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-24507 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-24455 Windows CD-ROM Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-23286 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-23281 Windows Common Log File System Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-23288 Windows DWM Core Library Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-23291 Windows DWM Core Library Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-23294 Windows Event Tracing Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-23293 Windows Fast FAT File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-24502 Windows HTML Platforms Security Feature Bypass Vulnerability Important 4.3 No No SFB
CVE-2022-21975 Windows Hyper-V Denial of Service Vulnerability Important 4.7 No No DoS
CVE-2022-23290 Windows Inking COM Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-23296 Windows Installer Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21973 Windows Media Center Update Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2022-23297 Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-23298 Windows NT OS Kernel Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-23299 Windows PDEV Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-23284 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.2 No No EoP
CVE-2022-24454 Windows Security Support Provider Interface Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-24525 Windows Update Stack Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-0789 * Chromium: Heap buffer overflow in ANGLE High N/A No No RCE
CVE-2022-0797 * Chromium: Out of bounds memory access in Mojo High N/A No No RCE
CVE-2022-0792 * Chromium: Out of bounds read in ANGLE High N/A No No RCE
CVE-2022-0795 * Chromium: Type Confusion in Blink Layout High N/A No No RCE
CVE-2022-0790 * Chromium: Use after free in Cast UI High N/A No No RCE
CVE-2022-0796 * Chromium: Use after free in Media High N/A No No RCE
CVE-2022-0791 * Chromium: Use after free in Omnibox High N/A No No RCE
CVE-2022-0793 * Chromium: Use after free in Views High N/A No No RCE
CVE-2022-0794 * Chromium: Use after free in WebShare High N/A No No RCE
CVE-2022-0800 * Chromium: Heap buffer overflow in Cast UI Medium N/A No No RCE
CVE-2022-0807 * Chromium: Inappropriate implementation in Autofill Medium N/A No No Info
CVE-2022-0802 * Chromium: Inappropriate implementation in Full screen mode Medium N/A No No Info
CVE-2022-0804 * Chromium: Inappropriate implementation in Full screen mode Medium N/A No No Info
CVE-2022-0801 * Chromium: Inappropriate implementation in HTML parser Medium N/A No No Tampering
CVE-2022-0803 * Chromium: Inappropriate implementation in Permissions Medium N/A No No SFB
CVE-2022-0799 * Chromium: Insufficient policy enforcement in Installer Medium N/A No No SFB
CVE-2022-0809 * Chromium: Out of bounds memory access in WebXR Medium N/A No No RCE
CVE-2022-0805 * Chromium: Use after free in Browser Switcher Medium N/A No No RCE
CVE-2022-0808 * Chromium: Use after free in Chrome OS Shell Medium N/A No No RCE
CVE-2022-0798 * Chromium: Use after free in MediaStream Medium N/A No No RCE

* Indicates this CVE had previously been released by a 3rd-party and is now being incorporated into Microsoft products.

Looking at the rest of the March release, the 11 CVEs impacting Azure Site Recovery stand out. For those not familiar with it, Site Recovery is a native disaster recovery as a service (DRaaS). This month’s release includes fixes for five elevation of privilege (EoP) and six remote code execution (RCE) bugs in the platform. Considering everything going on in the world, now is a bad time to have issues with your disaster recovery plans. If you’re using this platform, make sure these patches get installed. If you’re not using this platform, take time to review your disaster recovery plans anyway. It couldn’t hurt.

Besides the Exchange bug already mentioned, the Critical-rated fixes in this release both address bugs in HEVC and VP9 video extensions. These updates can be found in the Microsoft Store. If you aren’t connected to the internet or are in an otherwise disconnected environment, you’ll need to manually apply the patch.

Including those already mentioned, there are a total of 28 RCE fixes released today. There are additional updates for the HEVC video extension component. Again, these fixes are obtained through the Microsoft Store. The raw image extension bugs fall into this class as well. There are three fixes for Visio that were reported by kdot through this ZDI program. These bugs include a type confusion, an untrusted pointer deref, and an Out-Of-Bounds (OOB) Write. In each case, a user must open a specially crafted Visio file to be impacted. One of the other publicly known bugs is an RCE in .NET and Visual Studio. There’s scant information about this bug, but if you are developing apps in .NET or Visual Studio, review it carefully. Since RPC bugs are never out of fashion, there’s a fix for event tracing that could result in code execution through a specially crafted RPC connection. There are several caveats to this one that lower the severity, but don’t remove the risk completely.

Rounding out the RCE bugs is one submitted by an anonymous researcher through the ZDI program impacts Microsoft Defender for IoT. The vulnerability exists within the password change mechanism. It results from the lack of proper validation of a user-supplied string before using it to execute a system call. Defender for IoT also receives a patch for an EoP bug found by ZDI Vulnerability Researcher Simon Zuckerbraun. This bug also occurs within the password change mechanism, but here, the bug is caused by the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root.

Moving on to the other EoP cases, most would require an attacker to log on to a system and run a specially crafted program. Several of these fixes note that the vulnerability is the result of a race condition, making exploitation somewhat unreliable. There are some interesting components receiving fixes for privilege escalations this month, including the FAT file system, the Fax and Scan Service, and the CD-ROM driver. It’s almost retro. Another interesting component is the Windows PDEV, which is a logical representation of a physical device characterized by the type of hardware, logical address, and surfaces that can be supported. ZDI Vulnerability Researcher Lucas Leong reported a Use-After-Free (UAF) bug in the handling of PDEV objects. An attacker could use this to escalate privileges and execute arbitrary code in the context of SYSTEM.

Six of this month’s fixes address information disclosure bugs. For the most part, these only result in leaks consisting of unspecified memory contents. The lone exception is the bug impacting the Skype for Chrome extension. This vulnerability could inadvertently disclose the Skype ID of a target. An attacker could gain access to that ID they could match it within Skype to a name and Avatar of the target user. If you’re using Skype for Chrome, you’ll need to get the update through the Chrome Web Store.

There are four updates to address DoS bugs in this release, and two stand out over the others. The first is a DoS in Hyper-V, which is always inconvenient if you happen to be one of the other guest OSes on that Hyper-V server. The other is a vulnerability in the Point-to-Point Tunneling (PPTP) protocol, which is used in the implementation of virtual private networks (VPN) that allow people to extend their private networks over the Internet via “tunnels”. There are no details about this bug given, but anything that could take down a VPN is unwelcome – especially since so many of us rely on VPNs to work from home (or wherever).

Three different components receive fixes for security feature bypasses (SFB) in this month’s release. The first continues the retro theme by fixing bugs in the Windows HTML platforms, including Internet Explorer and Edge (HTML-Based). Microsoft does not indicate which security feature is bypassed, but considering how pervasive MSHTML continues to be, patching is certainly recommended. Word receives a fix for an SFB bug that could allow specific protections to be bypassed in Protected View. This could potentially result in a user opening a malicious document but not receiving the intended warning dialogs. The final SFB fix applies to the Intune Portal for iOS. An attacker could use this vulnerability to bypass the Intune policy file save location and presumably load their own policy instead.

This month’s release includes three updates for spoofing bugs. The Exchange spoofing bug could allow an authenticated attacker to view file content on the affected server. Microsoft provides little information about the spoofing bugs in Defender Endpoint and Visual Studio other than to say the Defender bug requires knowledge of the target environment and the Visual Studio bug requires a user to open a file.

We wrap up this month’s release with an odd tampering bug in Microsoft Word. Microsoft gives no information on how the vulnerability can be exploited, but they do indicate information from the victim can be sent to the attacker, and that the Preview Pane is an attack vector. It sounds like a specially crafted Word doc can send potentially sensitive information to an attacker when the document is opened or viewed in the Preview Pane. Office for Mac users are out of luck as well, as the patches for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 are not available yet. It will be interesting to see if additional information is released about this bug in the future.

No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV990001.

Looking Ahead

The next Patch Tuesday falls on April 12, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

...

Komplette Nachricht lesen

Zur Startseite


➤ Ähnliche Beiträge für 'The March 2022 Security Update Review'

The April 2022 Security Update Review

vom 908.92 Punkte
Another Patch Tuesday is upon, and Adobe and Microsoft have released a bevy of new security updates. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.Adobe Patches for April 2022For April, Ad

The August 2022 Security Update Review

vom 882.11 Punkte
It’s the second Tuesday of the month, and the last second Tuesday before Black Hat and DEFCON, which means Microsoft and Adobe have released their latest security fixes. Take a break from packing (if you’re headed to hacker summer camp) or your nor

The March 2022 Security Update Review

vom 666.06 Punkte
It’s once again Patch Tuesday, which means the latest security updates from Adobe and Microsoft have arrived. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.Adobe Patches for

The July 2022 Security Update Review

vom 545.19 Punkte
It’s once again Patch Tuesday, which means the latest security updates from Adobe and Microsoft have arrived. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.Adobe Patches for

The September 2022 Security Update Review

vom 537.61 Punkte
Another Patch Tuesday is upon, and Adobe and Microsoft have released a bevy of new security updates. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.Adobe Patches for September 2022 For Sep

The February 2022 Security Update Review

vom 499.02 Punkte
It’s the second patch Tuesday of 2022, which means the latest security updates from Adobe and Microsoft are here. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.Adobe Patches for

CentOS Blog: CentOS Community newsletter, April 2020 (#2004)

vom 490.99 Punkte
Dear CentOS enthusiast, I hope you are all well. I know that this is a very difficult time for all of you, and that you likely have other things on your mind than CentOS, so I'll try to make it interesting this month. In this edition: News Releases and updates Event

The May 2022 Security Update Review

vom 483.16 Punkte
It’s the fifth second Tuesday of 2022, which also means it’s the also the fifth Patch Tuesday of the year, and it brings with it the latest security updates from Adobe and Microsoft. This is also the last release before Pwn2Own Vancouver, which means multiple participants will be holding their breath to see if their ex

The May 2022 Security Update Review

vom 483.16 Punkte
It’s the fifth second Tuesday of 2022, which also means it’s the also the fifth Patch Tuesday of the year, and it brings with it the latest security updates from Adobe and Microsoft. This is also the last release before Pwn2Own Vancouver, which means multiple participants will be holding their breath to see if their ex

CentOS Blog: CentOS Pulse Newsletter, April 2019 (#1904)

vom 443.57 Punkte
Dear CentOS enthusiast, Another month into 2019, and we have a lot to tell you about. Releases and updates SIG updates Events Contributing to the newsletter #CentOS15 CentOS turns 15 this month! We've been talking with some of the people who have be

The June 2022 Security Update Review

vom 443.26 Punkte
It’s once again Patch Tuesday, which means the latest security updates from Adobe and Microsoft have arrived. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.Adobe Patches for

CentOS Blog: Errata/Releases, March 19th 2019

vom 350.99 Punkte
A substantial number of released/updates were announced on Tuesday, March 19th, and are listed below. For timely announcements of these updates, subscribe to the centos-announce mailing list, at https://lists.centos.org/mailman/listinfo/centos-announce . Errata and Enhancements Advisories We issued the following CEEA (CentOS Errata and Enhanc

Team Security Diskussion über The March 2022 Security Update Review