Tech big Microsoft launched its final set of month-to-month safety updates for 2022 with fixes for 49 vulnerabilities throughout its software program merchandise.
Of the 49 bugs, six are rated Essential, 40 are rated Essential, and three are rated Reasonable in severity. The updates are along with 24 vulnerabilities which were addressed within the Chromium-based Edge browser because the begin of the month.
December’s Patch Tuesday plugs two zero-day vulnerabilities, one which’s actively exploited and one other concern that is listed as publicly disclosed on the time of launch.
The previous pertains to CVE-2022-44698 (CVSS rating: 5.4), one of many three safety bypass points in Home windows SmartScreen that could possibly be exploited by a malicious actor to evade mark of the net (MotW) protections.
It is price noting that this concern, at the side of CVE-2022-41091 (CVSS rating: 5.4), has been noticed being exploited by Magniber ransomware actors to ship rogue JavaScript recordsdata inside ZIP archives.
“It permits attackers to craft paperwork that will not get tagged with Microsoft’s ‘Mark of the Internet’ regardless of being downloaded from untrusted websites,” Rapid7’s Greg Wiseman stated. “This implies no Protected View for Microsoft Workplace paperwork, making it simpler to get customers to do sketchy issues like execute malicious macros.”
Publicly disclosed, however not seen actively exploited, is CVE-2022-44710 (CVSS rating: 7.8), an elevation of privilege flaw in DirectX Graphics Kernel that would allow an adversary to achieve SYSTEM privileges.
“Profitable exploitation of this vulnerability requires an attacker to win a race situation,” Microsoft identified in an advisory.
Additionally patched by Microsoft are a number of distant code execution bugs in Microsoft Dynamics NAV, Microsoft SharePoint Server, PowerShell, Home windows Safe Socket Tunneling Protocol (SSTP), .NET Framework, Contacts, and Terminal.
Moreover, the replace additionally resolves 11 distant code execution vulnerabilities in Microsoft Workplace Graphics, OneNote, and Visio, all of that are rated 7.8 within the CVSS scoring system.
Two of the 19 elevation of privilege flaws remediated this month includes fixes for the Home windows Print Spooler part (CVE-2022-44678 and CVE-2022-44681, CVSS scores: 7.8), persevering with a gradual stream of patches launched by the corporate over the previous yr.
Final however not least, Microsoft has assigned the “Exploitation Extra Doubtless” tag to the PowerShell distant code execution vulnerability (CVE-2022-41076, CVSS rating: 8.5) and Home windows Sysmon privilege escalation flaw (CVE-2022-44704, CVSS rating: 7.8), making it important that customers apply updates to mitigate potential threats.
Software program Patches from Different Distributors
Along with Microsoft, safety updates have additionally been launched by different distributors over the previous two weeks to rectify a number of vulnerabilities, together with —