Microsoft's Patch Tuesday fixes 70 vulnerabilities after a troublesome January update
Microsoft will be hoping for a bug-free round of patches after admins complained of January's updates breaking more components than they fixed
Microsoft's latest round of security updates for Windows, often referred to as 'Patch Tuesday', has been released, addressing a total of 70 vulnerabilities across Microsoft and Windows products.
The latest round of patches includes fixes for 17 privilege escalation flaws, 16 remote code execution (RCE) issues, 22 Chromium-based Edge browser flaws, and three security feature bypasses, among others.
None of the vulnerabilities are rated critical - categorised by a CVSSv3.1 score of 8.9 or higher - though there are a significant number that have a score of 8.8, just shy of critical status and categorised as 'important'.
There is also no known active exploitation of any of the 70 vulnerabilities fixed by Microsoft at the time of writing, though proof of concept (PoC) code does exist for a small number of them, meaning businesses should apply patches regardless of the current level of exploitation.
"It may have happened before, but I can’t find an example of a monthly release from Microsoft that doesn’t include at least one Critical-rated patch," said Dustin Childs at the Zero-Day Initiative.
"It certainly hasn’t happened in recent memory. Interestingly, Microsoft has chosen to provide some additional explanations of CVSS ratings in this month’s release, but there are still many details about the bugs themselves that are left obscured."
Among the most severe of the 70 bugs addressed in this week's update are issues related to Microsoft SharePoint, an assortment of Windows 10 and Windows Server versions, Azure Data Explorer, and Visual Studio Code.
Patch Tuesday highlights
Windows DNS Server RCE Vulnerability - CVE-2022-21984
Given a score of 8.8/10, this RCE flaw is among the most severe in this week's patch list. Microsoft considers it a low complexity attack that requires low levels of privileges to execute and could result in "a total loss of availability". If exploited, the attacker could fully deny access to resources in the impacted component.
Qualys said: "the server is only affected if dynamic updates are enabled, but this is a relatively common configuration. An attacker might entirely take control of your DNS and execute code with elevated privileges if you have this set up in your environment."
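Because exposure depends on dynamic updates being enabled, administrators can check which zones on a DNS server accept them. The following PowerShell is an added example, not part of the original article or any Microsoft guidance; it assumes the DnsServer module (DNS Server role or RSAT DNS tools) is available, and the `$ComputerName` parameter and report layout are illustrative choices.

```powershell
# Added example: report which primary DNS zones accept dynamic updates.
# Assumes the DnsServer module is installed (DNS Server role or RSAT).
param(
    # Assumption: audit the local server unless another name is given.
    [string]$ComputerName = $env:COMPUTERNAME
)

Import-Module DnsServer -ErrorAction Stop

# Dynamic updates are configured per zone; skip the auto-created zones
# and anything that is not a primary zone.
$zones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' }

$report = foreach ($zone in $zones) {
    [pscustomobject]@{
        Server         = $ComputerName
        Zone           = $zone.ZoneName
        AdIntegrated   = $zone.IsDsIntegrated
        # DynamicUpdate is None, Secure or NonsecureAndSecure.
        DynamicUpdate  = $zone.DynamicUpdate
        AcceptsUpdates = ($zone.DynamicUpdate -ne 'None')
    }
}

$report | Sort-Object AcceptsUpdates -Descending | Format-Table -AutoSize

# Zones that accept updates are the configuration Qualys describes as
# affected, so they mark the servers to patch first.
$exposed = @($report | Where-Object { $_.AcceptsUpdates })
if ($exposed.Count -gt 0) {
    Write-Warning ("{0} zone(s) on {1} accept dynamic updates; prioritise the DNS Server update here." -f $exposed.Count, $ComputerName)
} else {
    Write-Output "No primary zones on $ComputerName accept dynamic updates."
}
```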
Windows Kernel Elevation of Privilege Vulnerability - CVE-2022-21989
Although at the lower end of the severity scores with a CVSSv3.1 rating of 7.8/10, this privilege escalation flaw has PoC code available, which led Microsoft to describe this particular vulnerability as more likely to be exploited.
It also noted this is a high complexity attack and likely only able to be carried out by a sophisticated threat actor, given that exploitation success is dependent on conditions beyond the attacker's control.
"A successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected," said Microsoft.
Given the local attack vector, a hacker would need physical access to the target machine via its own connected keyboard and mouse. Alternatively, a remote attack could feasibly work via SSH remote access or by tricking a user into opening a malicious document.
Microsoft SharePoint Server RCE Vulnerability - CVE-2022-22005
Another of the "more likely" vulnerabilities patched in this update is an 8.8/10-rated RCE flaw affecting Microsoft SharePoint Server. A low complexity attack requiring low levels of privileges, Microsoft said "an attacker can expect repeatable success against the vulnerable component" due to the absence of specialised access conditions or extenuating circumstances required to achieve exploitation.
Windows administrators can access the updates via the Microsoft Update Catalog.
Patch Tuesday problems
January's Patch Tuesday caused something of an uproar among Windows administrators last month, which led many to forgo the myriad security patches released by Microsoft, including a number of zero-day vulnerabilities.
Online discussions revealed many admins were complaining that updates were breaking core components of their business environments and some uninstalled the updates entirely to resume normal order.
Experts at the time commented that security patches are almost always recommended to be applied as soon as they become available, but it "is very much a question of risk management and risk assessment," according to Andy Norton, European cyber risk officer at Armis.
It's not generally advised to ignore security updates, but if they are causing more disruption than they potentially may fix, then businesses may feel it would be better to wait a month for a more stable version to be released.
"January’s patch release may have left some IT teams feeling somewhat sour as Microsoft had to re-issue updates to fix some unexpected issues caused by the updates," said Kev Breen, director of cyber threat research at Immersive Labs to IT Pro in relation to today's patches.
"This should not be used as an excuse to skip updates, but it does reinforce how important it is to test patches in a staging environment or use a staggered rollout, and why monitoring for any adverse impacts should always be a key step in your patching policy."

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.