Quantity Over Severity
For the month of February, Microsoft brings us a pack of 50 vulnerabilities to patch, but not one of them marked as critical! Has anyone seen any pigs flying around lately? I feel like I’m in the twilight zone!
That said, despite the absence of the dreaded critical rating, nearly all of the patches in this bunch are marked as “important”, so it’s not like we can all just sit on our hands for the month. A total of 51 CVEs are included in this release from the Redmond giant, and 50 of them (yes, 50) are marked as important, including one zero-day vulnerability.
The zero-day vulnerability, CVE-2022-21989, is a privilege escalation flaw via the kernel. It carries a CVSS severity score of 7.8 because Microsoft says triggering the exploit “requires an attacker to take additional actions prior to exploitation to prepare the target environment.”
In addition, there are 3 remote code execution (RCE) vulnerabilities for this month, all marked with a CVSS score of 8 or more:
- CVE-2022-21984, which affects Windows DNS Server
- CVE-2022-22005, affecting SharePoint Server
- CVE-2022-23274, in Microsoft Dynamics GP
There have been a few raised eyebrows at CVE-2022-21984 missing the “critical” tag, since the only “complex” element for exploitation is that dynamic updates need to be enabled, which is a relatively common configuration. If you do have dynamic updates enabled, an adversary could compromise your DNS and execute arbitrary code on the server.
One odd duck in the mix is CVE-2013-3900, a vulnerability from 2013 that Microsoft republished to notify customers that an update to Windows 10/11 is finally available to address it. This flaw allows an attacker to inject malicious code into a signed application while keeping the file’s original signature. This can be very dangerous: not only will the installer appear legitimate to the operating system’s security checks, but when it is run with administrative privileges (as many user machines are), the bad actor can take complete control of the system.
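A defender-side check for the condition described above, as an added example that is not from the original post or from Microsoft. It assumes, per Microsoft's public description of CVE-2013-3900, that the extra content sits in the PE certificate table (the WIN_CERTIFICATE entry) after the signature blob; the function names and the sample file are constructed for illustration.

```python
import struct

def der_total_length(buf):
    """Size in bytes (header + content) of the DER element starting at buf[0]."""
    if len(buf) < 2:
        raise ValueError("truncated DER")
    if buf[1] < 0x80:                       # short-form length
        return 2 + buf[1]
    n = buf[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(buf) < 2 + n:
        raise ValueError("indefinite or truncated DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def cert_table_extra_bytes(pe):
    """Bytes after the signature blob in the first WIN_CERTIFICATE entry.

    Returns None for an unsigned file, b"" when only alignment padding
    (at most 7 zero bytes) follows the blob, otherwise the trailing bytes.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = nt + 24                           # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]   # PE32 / PE32+
    # Data directory 4 is the certificate table; its address is a file offset.
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    if off == 0 or size == 0:
        return None
    dw_length = struct.unpack_from("<I", pe, off)[0]
    blob = pe[off + 8:off + dw_length]      # skip dwLength, wRevision, wCertificateType
    tail = blob[der_total_length(blob):]
    return tail if len(tail) > 7 or any(tail) else b""

def build_sample(appended=b""):
    """Constructed PE32 skeleton with a fake 6-byte DER 'signature' (not a real file)."""
    body = b"\x30\x04\x02\x02\x12\x34" + appended
    body += b"\0" * (-(len(body) + 8) % 8)  # pad the entry to 8 bytes
    cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    pe = bytearray(0x40 + 24 + 224)         # DOS stub + NT headers, no sections
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)
    pe[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", pe, 0x40 + 24, 0x10B)
    struct.pack_into("<II", pe, 0x40 + 24 + 96 + 32, len(pe), len(cert))
    return bytes(pe) + cert
```

A non-empty result means the entry carries content that the signature blob does not account for, which is worth triaging before the file is trusted on the strength of its signature alone. Only the first certificate entry is inspected.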
Last but not least, a Patch Tuesday would not be complete without a few more vulnerabilities discovered for Print Spooler, right? Yes, every attacker’s favorite target, Windows Print Spooler, has four new privilege escalation vulnerabilities that need patching, including two rated “Exploitation More Likely” (CVE-2022-21999 and CVE-2022-22718). Who really needs to print things anymore anyway?
As always, Balbix can identify all affected assets within 1 hour of release. There are no scans to run. Balbix customers simply search for the CVE name in their Balbix dashboard to view the list of affected assets. Users can also use the filtered search functionality to search for the CVE by site, subnet, location, or other distinguishing factors.