Microsoft marked the final Patch Tuesday of the year by rolling out patches for 52 vulnerabilities. Meanwhile, Apple also disclosed the details of an actively exploited zero-day vulnerability in iOS that it fixed through an update two weeks ago.
The December patch load is the smallest of the year, while the cumulative count of fixes for 2022, more than 1,250, is the company's second-highest yearly total. "It's the last Patch Tuesday of 2022, and while not as major as last month's update, we are still finishing the year off with a bang," Mark Lamb, CEO of HighGround.io, told Spiceworks.
"Two zero-days and six critical flaws, which provide criminals with remote code execution, privileged access and denial of service, among other things. This means this is a major update and organizations must apply the patches as soon as possible."
Of the 52 patches released in the December Patch Tuesday run, six are rated critical, 43 are rated important, and three are rated moderate. Microsoft also fixed two zero-day vulnerabilities, one of which was under active exploitation.
Let us look at some of the most crucial ones highlighted by experts.
Zero-Day vulnerability fixes in December Patch Tuesday
With a CVSS score of 5.4, CVE-2022-44698 falls into the 'moderate' severity category, but since it is being actively exploited, patching this bug must be prioritized. "This zero-day has a moderate CVSS risk score of 5.4, because it only helps to avoid the Microsoft Defender SmartScreen defense mechanism, which has no RCE or DoS functionality," Mike Walters, VP of vulnerability and threat research at Action1, told Spiceworks.
It is a security feature bypass flaw in Windows SmartScreen in all OS versions starting from Windows 7 and Windows Server 2008 R2. "The vulnerability has low complexity. It uses the network vector, and requires no privilege escalation," Walters added.
"However, it does need user interaction; attackers need to dupe a victim into visiting a malicious website through phishing emails or other forms of social engineering to exploit the security feature bypass. A threat actor can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features, which rely on MOTW tagging, for example, 'Protected View' in Microsoft Office."
Peter Pflaster, technical product marketing manager at Automox, told Spiceworks, "The vulnerability is similar to CVE-2022-41091, also a zero-day, fixed in last month's Patch Tuesday. Neither fetched a particularly high CVSS score, though we recommend fixing it within 24 hours as a socially engineered user could potentially open malicious files that bypass Mark of the Web security features."
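The bypass described above matters because SmartScreen and Office Protected View both key off the Mark of the Web, which on NTFS is the Zone.Identifier alternate data stream written to a downloaded file. The following PowerShell script is an added example for this article, not code from Microsoft or from any of the quoted vendors: it walks a folder and reports which files carry a MOTW and from which URL zone, so files that arrived from the internet but show no tag stand out for closer inspection. It assumes a Windows host with NTFS and Windows PowerShell 5.1 or PowerShell 7; the default folder path is a placeholder.

```powershell
# Added example (not from the article): report Mark of the Web status for
# every file under a folder by reading the Zone.Identifier alternate data
# stream that SmartScreen and Office Protected View rely on.
# Assumptions: Windows, NTFS volume, PowerShell 5.1+ (Get-Item -Stream is
# Windows-only). The folder below is a placeholder; pass your own.

param(
    [string]$Folder = "$env:USERPROFILE\Downloads"
)

# URLZONE values browsers and mail clients write into the stream. Zone 3 and 4
# are the ones that trigger SmartScreen checks and Protected View.
$ZoneNames = @{
    0 = 'LocalMachine'
    1 = 'Intranet'
    2 = 'Trusted'
    3 = 'Internet'
    4 = 'Restricted'
}

function Get-MotwStatus {
    param([System.IO.FileInfo]$File)

    # No Zone.Identifier stream means no MOTW: the file is treated as local.
    $stream = Get-Item -Path $File.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) {
        return [pscustomobject]@{
            Name = $File.Name; HasMotw = $false; ZoneId = $null; Zone = 'None'; HostUrl = $null
        }
    }

    # The stream is an INI fragment:
    #   [ZoneTransfer]
    #   ZoneId=3
    #   ReferrerUrl=https://...
    #   HostUrl=https://...
    $content = Get-Content -Path $File.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId  = $null
    $hostUrl = $null
    foreach ($line in $content) {
        if ($line -match '^ZoneId=(\d+)\s*$')   { $zoneId  = [int]$Matches[1] }
        elseif ($line -match '^HostUrl=(.+)$')  { $hostUrl = $Matches[1].Trim() }
    }

    $zoneName = 'Unknown'
    if ($null -ne $zoneId -and $ZoneNames.ContainsKey($zoneId)) { $zoneName = $ZoneNames[$zoneId] }

    [pscustomobject]@{
        Name    = $File.Name
        HasMotw = $true
        ZoneId  = $zoneId
        Zone    = $zoneName
        HostUrl = $hostUrl
    }
}

# Untagged files sort first so anything that "should" have come from the
# internet but carries no MOTW is at the top of the list.
Get-ChildItem -Path $Folder -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-MotwStatus -File $_ } |
    Sort-Object HasMotw, Name |
    Format-Table Name, HasMotw, ZoneId, Zone, HostUrl -AutoSize
```

A file with a Zone.Identifier stream that a tool like `Unblock-File` has removed looks identical to one that never had the tag, so the report can only flag the absence; where the file came from still has to be established from browser or proxy logs.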
No public proof of concept for CVE-2022-44698 has been released.
The second zero-day bug Microsoft fixed in December is CVE-2022-44710, an elevation of privilege vulnerability in the DirectX Graphics Kernel with a CVSS score of 7.8. It was publicly disclosed before the patch but, unlike CVE-2022-44698, is not known to have been exploited.
Successful exploitation of CVE-2022-44710, which requires the attacker to win a race condition, grants SYSTEM privileges.
Critical vulnerability patches in December Patch Tuesday
Microsoft fixed two SharePoint vulnerabilities, tracked as CVE-2022-44690 and CVE-2022-44693.
Both CVE-2022-44690 and CVE-2022-44693 (CVSS score 8.8) are remote code execution vulnerabilities that affect all SharePoint versions from Microsoft SharePoint Enterprise Server 2013 SP1 onward.
"It [CVE-2022-44693] has low complexity, uses the network vector, and requires no privilege escalation. To exploit it, attackers only need access to the basic user account with Manage List permissions, which most companies grant to all SharePoint users by default," Walters said. "This vulnerability does not require user interaction; once attackers get the appropriate credentials, they can execute code remotely on a target SharePoint server."
CVE-2022-41089 (CVSS score 8.8) is a remote code execution vulnerability in .NET Framework versions 3.5 through 4.8. Walters explained that it has low complexity, uses the network vector and requires no privilege escalation. "The only reason why Microsoft has not assigned it a score of 10 is that it requires a user to interact with the attacker environment somehow, for example, by visiting a malicious site," Walters said.
CVE-2022-41076 (CVSS score 8.5) is an RCE flaw in Windows PowerShell with low attack complexity and no user interaction. CVE-2022-41076 affects PowerShell 7.2 and 7.3 and specific Windows (7, 8.1, 10, and 11) and Windows Server versions listed in Microsoft's advisory.
"By running malicious scripts via PowerShell, bad actors can leverage any authenticated user to trigger this vulnerability to bypass which does require admin or other elevated privileges. An authenticated attacker can then run unapproved commands on the target system," Gina Geisel, product marketing manager at Automox, told Spiceworks.
iOS Vulnerability Fix
Besides the December Patch Tuesday updates, Apple also disclosed a zero-day vulnerability in iOS that was being actively exploited. Apple fixed the vulnerability through a patch update to iOS 16.1.2 a couple of weeks ago.
"Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1," Apple noted.
Discovered by Clément Lecigne of Google's Threat Analysis Group, the security flaw (CVE-2022-42856) affected WebKit, the web rendering engine that powers the Safari browser and other apps. "Processing maliciously crafted web content may lead to arbitrary code execution," Apple's advisory says.
CVE-2022-42856 is the 10th zero-day vulnerability discovered in Apple devices in 2022.
Apple said the exploitation it is aware of targeted versions of iOS released before 15.1. Nevertheless, the company rolled out security updates for almost all devices. An up-to-date device should have one of the following OS versions: macOS Ventura 13.1, macOS Monterey 12.6.2, macOS Big Sur 11.7.2, tvOS 16.2, watchOS 9.2, iOS 16.2, iPadOS 16.2, iOS 15.7.2, or iPadOS 15.7.2.