
Microsoft's Patch Tuesday fixes 70 vulnerabilities after a troublesome January update

Microsoft will be hoping for a bug-free round of patches after admins complained of January's updates breaking more components than they fixed

Microsoft's latest round of security updates for Windows, often referred to as 'Patch Tuesday', has been released, addressing a total of 70 vulnerabilities across Microsoft and Windows products.

The latest round of patches includes fixes for 17 privilege escalation flaws, 16 remote code execution (RCE) issues, 22 Chromium-based Edge browser flaws, and three security feature bypasses, among others.

None of the vulnerabilities are rated critical - categorised by a CVSSv3.1 score of 8.9 or higher - though there are a significant number that have a score of 8.8, just shy of critical status and categorised as 'important'.

There is also no known active exploitation of any of the 70 vulnerabilities fixed by Microsoft at the time of writing, though proof-of-concept (PoC) code does exist for a small number of them, meaning businesses should apply the patches regardless of current exploitation levels.

"It may have happened before, but I can’t find an example of a monthly release from Microsoft that doesn’t include at least one Critical-rated patch," said Dustin Childs at the Zero-Day Initiative. 

"It certainly hasn’t happened in recent memory. Interestingly, Microsoft has chosen to provide some additional explanations of CVSS ratings in this month’s release, but there are still many details about the bugs themselves that are left obscured."

Among the most severe of the 70 bugs addressed in this week's update are issues related to Microsoft SharePoint, an assortment of Windows 10 and Windows Server versions, Azure Data Explorer, and Visual Studio Code.

Patch Tuesday highlights

Windows DNS Server RCE Vulnerability - CVE-2022-21984

Given a score of 8.8/10, this RCE flaw is among the most severe in this week's patch list. Microsoft considers it a low-complexity attack that requires only low levels of privileges to execute and could result in "a total loss of availability". If exploited, the attacker could fully deny access to resources in the impacted component.

Qualys said: "The server is only affected if dynamic updates are enabled, but this is a relatively common configuration. An attacker might entirely take control of your DNS and execute code with elevated privileges if you have this set up in your environment."
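Because the Qualys note makes exposure depend on a single zone setting, the first thing an administrator will want is an inventory of which zones accept dynamic updates, and of what kind. The script below is an added audit example, not code from the article, Qualys or Microsoft. It assumes the DnsServer PowerShell module (RSAT DNS tools) is available, that the caller can read zone configuration on the listed servers, and the server names are constructed placeholders.

```powershell
# Added example: inventory dynamic-update settings on Windows DNS primary zones.
# Not from the article; server names below are constructed placeholders.
$DnsServers = @('dns01.example.internal', 'dns02.example.internal')

function Get-DynamicUpdateExposure {
    param([string[]]$ComputerName)

    foreach ($server in $ComputerName) {
        # Only primary zones accept updates; skip auto-created zones such as 0.in-addr.arpa.
        $zones = Get-DnsServerZone -ComputerName $server |
            Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

        foreach ($zone in $zones) {
            # DynamicUpdate is one of: None, Secure, NonsecureAndSecure.
            $assessment = switch ($zone.DynamicUpdate) {
                'None'               { 'dynamic updates disabled' }
                'Secure'             { 'secure (Kerberos-authenticated) updates only' }
                'NonsecureAndSecure' { 'NONSECURE updates accepted - review this zone' }
                default              { "unrecognised setting '$($zone.DynamicUpdate)'" }
            }

            [pscustomobject]@{
                Server        = $server
                Zone          = $zone.ZoneName
                ADIntegrated  = $zone.IsDsIntegrated
                DynamicUpdate = $zone.DynamicUpdate
                Assessment    = $assessment
            }
        }
    }
}

Get-DynamicUpdateExposure -ComputerName $DnsServers |
    Sort-Object DynamicUpdate -Descending |
    Format-Table -AutoSize

# Tightening a zone that accepts nonsecure updates (run deliberately, per zone):
#   Set-DnsServerPrimaryZone -ComputerName $server -Name $zone.ZoneName -DynamicUpdate Secure
# 'Secure' is only valid for Active Directory-integrated zones; for file-backed
# zones the choice is between 'None' and 'NonsecureAndSecure'.
```

The report lists Active Directory integration alongside the update mode because that determines whether secure-only updates are even an option. Zones flagged NonsecureAndSecure are the ones where the patch matters most, and where turning updates off or restricting them to secure is the standing mitigation independent of this month's fix.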

Windows Kernel Elevation of Privilege Vulnerability - CVE-2022-21989

Although on the lower end of the severity scores with a CVSSv3.1 rating of 7.8/10, this privilege escalation flaw has PoC code available, which led Microsoft to describe this particular vulnerability as more likely to be exploited.

It also noted this is a high-complexity attack, likely only able to be carried out by a sophisticated threat actor, given that exploitation success depends on conditions beyond the attacker's control.

"A successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected," said Microsoft.

Given the local attack vector, a hacker would need physical access to the target machine via its own connected keyboard and mouse. Alternatively, a remote attack could feasibly work via SSH remote access or by tricking a user into opening a malicious document.

Microsoft SharePoint Server RCE Vulnerability - CVE-2022-22005

Another of the "more likely" vulnerabilities patched in this update is an 8.8/10-rated RCE flaw affecting Microsoft SharePoint Server. A low-complexity attack requiring low levels of privileges, Microsoft said "an attacker can expect repeatable success against the vulnerable component" because no specialised access conditions or extenuating circumstances are required to achieve exploitation.

Windows administrators can access the updates via the Microsoft Update Catalog.

Patch Tuesday problems

January's Patch Tuesday caused somewhat of an uproar among Windows administrators last month, which led many to forgo the myriad security patches released by Microsoft, including fixes for a number of zero-day vulnerabilities.


Online discussions revealed many admins were complaining that updates were breaking core components of their business environments and some uninstalled the updates entirely to resume normal order. 

Experts at the time commented that security patches are almost always recommended to be applied as soon as they become available, but it "is very much a question of risk management and risk assessment," according to Andy Norton, European cyber risk officer at Armis.

It's not generally advised to ignore security updates, but if they are causing more disruption than the issues they fix, then businesses may feel it would be better to wait a month for a more stable version to be released.

"January’s patch release may have left some IT teams feeling somewhat sour as Microsoft had to re-issue updates to fix some unexpected issues caused by the updates," said Kev Breen, director of cyber threat research at Immersive Labs to IT Pro in relation to today's patches. 

"This should not be used as an excuse to skip updates, but it does reinforce how important it is to test patches in a staging environment or use a staggered rollout, and why monitoring for any adverse impacts should always be a key step in your patching policy."
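The staged rollout and monitoring that Breen recommends is easy to state and tedious to verify by hand. The script below is an added example, not from the article or from Immersive Labs: it checks a pilot group for the presence of the month's updates, records when each host last rebooted, and counts System-log errors since that boot as a crude adverse-impact signal to look at before widening the rollout. It assumes remote management access (WMI/DCOM for Get-HotFix and Get-CimInstance, event-log access for Get-WinEvent) to the pilot hosts; host names and KB identifiers are constructed placeholders to be replaced with the real values from the Microsoft Update Catalog.

```powershell
# Added example: verify a pilot group before a wider Patch Tuesday rollout.
# Not from the article; host names and KB ids are constructed placeholders.
$PilotHosts = @('pilot-ws01', 'pilot-ws02', 'pilot-srv01')
$KbIds      = @('KB0000001', 'KB0000002')   # replace with this month's real KB numbers

function Get-PilotPatchStatus {
    param([string[]]$ComputerName, [string[]]$Kb)

    foreach ($computer in $ComputerName) {
        try {
            $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop
            $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop

            # Level 2 = Error. Errors logged since the post-patch reboot are the
            # first place to look for the kind of breakage admins reported in January.
            $errors = Get-WinEvent -ComputerName $computer -FilterHashtable @{
                LogName = 'System'; Level = 2; StartTime = $os.LastBootUpTime
            } -ErrorAction SilentlyContinue

            foreach ($id in $Kb) {
                [pscustomobject]@{
                    Computer              = $computer
                    KB                    = $id
                    Installed             = [bool]($installed | Where-Object HotFixID -eq $id)
                    LastBoot              = $os.LastBootUpTime
                    SystemErrorsSinceBoot = @($errors).Count
                    Error                 = $null
                }
            }
        } catch {
            # Unreachable or access-denied hosts are reported, not silently skipped.
            [pscustomobject]@{
                Computer              = $computer
                KB                    = '-'
                Installed             = $null
                LastBoot              = $null
                SystemErrorsSinceBoot = $null
                Error                 = $_.Exception.Message
            }
        }
    }
}

$status = Get-PilotPatchStatus -ComputerName $PilotHosts -Kb $KbIds
$status | Format-Table -AutoSize

# Gate the next ring on the pilot: every KB present and no host erroring heavily.
$ready = -not ($status | Where-Object { $_.Installed -eq $false -or $_.Error -or $_.SystemErrorsSinceBoot -gt 20 })
"Pilot ring ready for wider rollout: $ready"
```

The error threshold is an arbitrary starting point; the useful habit is comparing the count against the same host's baseline from before the update, and reading the events themselves before declaring the ring clean.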
