Tech giant Microsoft released its last set of monthly security updates for 2022 with fixes for 49 vulnerabilities across its software products.
Of the 49 bugs, six are rated Critical, 40 are rated Important, and three are rated Moderate in severity. The updates are in addition to 24 vulnerabilities that have been addressed in the Chromium-based Edge browser since the start of the month.
December’s Patch Tuesday plugs two zero-day vulnerabilities, one that’s actively exploited and another issue that’s listed as publicly disclosed at the time of release.
The former relates to CVE-2022-44698 (CVSS score: 5.4), one of the three security bypass issues in Windows SmartScreen that could be exploited by a malicious actor to evade Mark of the Web (MotW) protections.
It’s worth noting that this issue, together with CVE-2022-41091 (CVSS score: 5.4), has been observed being exploited by Magniber ransomware actors to deliver rogue JavaScript files inside ZIP archives.
“It allows attackers to craft documents that won’t get tagged with Microsoft’s ‘Mark of the Web’ despite being downloaded from untrusted sites,” Rapid7’s Greg Wiseman said. “This means no Protected View for Microsoft Office documents, making it easier to get users to do sketchy things like execute malicious macros.”
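As an added illustration (not from the article, Rapid7 or Microsoft): Windows records the mark in a file's `Zone.Identifier` alternate data stream, and the Python below triages stream text already collected from an endpoint to surface risky file types that lack an Internet-zone mark. The extension list, function names and sample files are assumptions constructed for this example.

```python
import configparser
import os

# Zone numbers Windows writes to the Zone.Identifier stream.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}
# Assumption: extensions this triage treats as risky when unmarked.
RISKY_EXT = {".js", ".jse", ".vbs", ".wsf", ".hta", ".lnk",
             ".doc", ".docm", ".xls", ".xlsm"}


def parse_zone_id(stream_text):
    """Return ZoneId from Zone.Identifier text, or None if absent/malformed."""
    if not stream_text:
        return None
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    try:
        cp.read_string(stream_text.lstrip("\ufeff"))
        return int(cp["ZoneTransfer"]["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None


def triage(name, stream_text):
    """Classify one file from its name and stream text (None = no stream)."""
    zone = parse_zone_id(stream_text)
    if zone is not None and zone >= 3:
        return "marked: " + ZONES.get(zone, "zone %d" % zone)
    risky = os.path.splitext(name)[1].lower() in RISKY_EXT
    # A missing mark is not proof of a bypass: locally created files have none.
    return "review: risky type, no Internet-zone mark" if risky else "not Internet-zone"


# Constructed sample: (file name, Zone.Identifier text) from a Downloads folder.
SAMPLES = [
    ("report.docm", "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.test/a?b=1\r\n"),
    ("update.js", None),
    ("notes.txt", None),
    ("invoice.xlsm", "[ZoneTransfer]\nZoneId=abc\n"),
]


def files_to_review(samples):
    """Names of files whose triage result asks for analyst review."""
    return [n for n, s in samples if triage(n, s).startswith("review")]


if __name__ == "__main__":
    for name, stream in SAMPLES:
        print(name, "->", triage(name, stream))
```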
Publicly disclosed, but not seen actively exploited, is CVE-2022-44710 (CVSS score: 7.8), an elevation of privilege flaw in DirectX Graphics Kernel that could enable an adversary to gain SYSTEM privileges.
“Successful exploitation of this vulnerability requires an attacker to win a race condition,” Microsoft pointed out in an advisory.
Also patched by Microsoft are multiple remote code execution bugs in Microsoft Dynamics NAV, Microsoft SharePoint Server, PowerShell, Windows Secure Socket Tunneling Protocol (SSTP), .NET Framework, Contacts, and Terminal.
Additionally, the update resolves 11 remote code execution vulnerabilities in Microsoft Office Graphics, OneNote, and Visio, all of which are rated 7.8 in the CVSS scoring system.
Two of the 19 elevation of privilege flaws remediated this month are in the Windows Print Spooler component (CVE-2022-44678 and CVE-2022-44681, CVSS scores: 7.8), continuing a steady stream of patches released by the company over the past year.
Last but not least, Microsoft has assigned the “Exploitation More Likely” tag to the PowerShell remote code execution vulnerability (CVE-2022-41076, CVSS score: 8.5) and Windows Sysmon privilege escalation flaw (CVE-2022-44704, CVSS score: 7.8), making it essential that users apply updates to mitigate potential threats.
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors over the past two weeks to rectify several vulnerabilities, including —