Microsoft has addressed 71 security vulnerabilities in its scheduled March Patch Tuesday update – only three of which are rated critical in severity. The other 68 are all rated “important.”
Three of the bugs are listed as publicly known zero-days, but none of them are listed as having been exploited in the wild (thus far).
The issues affect the gamut of the computing giant’s portfolio, including Microsoft Windows and Windows Components, Azure Site Recovery, Microsoft Defender for Endpoint and IoT, Intune, Edge (Chromium-based), Windows HTML Platforms, Office and Office Components, Skype, .NET and Visual Studio, Windows RDP, and SMB Server.
Notably, the tranche also contains the first-ever patch for the Xbox gaming console.
It’s worth noting that the update marks the second month in a row with a surprisingly low number of critical patches; in fact, February’s Patch Tuesday update didn’t list any.
“The number of critical-rated patches is again strangely low for this number of bugs,” Trend Micro Zero-Day Initiative researcher Dustin Childs noted in an email. “It’s unclear if this low percentage of bugs is just a coincidence, or if Microsoft might be evaluating the severity using different calculus than in the past.”
Critical-Rated Microsoft Security Bugs
The three critical bugs, all of which could lead to remote code execution, are:
- CVE-2022-22006: HEVC Video Extensions (CVSS rating of 7.8)
- CVE-2022-24501: VP9 Video Extensions (CVSS rating of 7.8)
- CVE-2022-23277: Microsoft Exchange Server (CVSS rating of 8.8)
Both video extensions bugs, in HEVC and VP9, require social engineering; an attacker would need to convince a victim to download and open a specially crafted file, which could lead to a crash, according to Microsoft’s advisory.
The video extensions are codecs (video-compression standards) that Windows can decode so that users can watch high-fidelity video. Paul Laudanski, head of threat intelligence at Tessian, noted that the likelihood of compromise is low, thanks to the user-interaction requirement.
That said, the VP9 bug is more crucial for patching, he said: “VP9 is supported by modern day browsers except for Internet Explorer, so it is critical for users to ensure they are updating them. While VP9 is open and royalty free, the other file code affected, HEVC, is one that users have to purchase a license for.”
The vulnerability in Exchange Server meanwhile would allow an authenticated attacker to target server accounts with the aim of executing code with elevated privileges, through a network call. Laudanski added that the vulnerability arises from the server not correctly handling objects in memory, which can lead to code execution.
Here, the attacker must be authenticated. Even so, “this is also listed as low complexity with exploitation more likely, so it wouldn’t surprise me to see this bug exploited in the wild soon,” Childs noted. “Test and deploy this to your Exchange servers quickly.”
Kevin Breen, director of cyber-threat research at Immersive Labs, agreed. “While requiring authentication, this vulnerability affecting on-prem Exchange servers could potentially be used during lateral movement into a part of the environment which presents the opportunity for business email compromise or data theft from email,” he said via email.
Claire Tills, senior research engineer at Tenable, meanwhile told Threatpost: “Given the prevalence of attacks against Microsoft Exchange flaws in the past, organizations should apply the available updates immediately.”
Publicly Known Bugs
Meanwhile, the three zero-day issues are:
- CVE-2022-21990 – Remote Desktop Client (CVSS rating of 8.8, allows RCE)
- CVE-2022-24512 – .NET and Visual Studio (CVSS rating of 6.3, allows RCE)
- CVE-2022-24459 – Windows Fax and Scan Service (CVSS rating of 7.8, allows elevation of privilege)
The RDP client issue deserves to be treated as though it was designated critical, Childs said.
“This client-side bug doesn’t have the same punch as server-side-related RDP, but since it’s listed as publicly known, it makes sense to treat this as a critical-rated bug,” he said. “This isn’t as severe as BlueKeep or some of the other RDP server bugs, but it definitely shouldn’t be overlooked.”
With regard to the attack vector, a threat actor would need to lure an affected RDP client into connecting to a malicious RDP server, which would allow the attacker to trigger code execution on the targeted client, Childs explained.
Breen pointed out that the bug is one of three RCE bugs affecting RDP included in the advisory; the other two are CVE-2022-23285 (CVSS 8.8) and CVE-2022-24503 (CVSS 5.4).
“With the increase in remote working driving the expansion of the attack surface presented by RDP, a trio of RCE vulnerabilities affecting this protocol should be on security teams’ radar,” Breen said via email. “[They] are a potential concern especially as this infection vector is commonly used by ransomware actors. While exploitation is not trivial, requiring an attacker to set up bespoke infrastructure, it still presents enough of a risk to be a priority.”
The second known RCE bug is much less of a concern, according to Microsoft’s advisory.
“While we cannot rule out the impact to confidentiality, integrity and availability, the ability to exploit this vulnerability by itself is limited,” according to the company. “An attacker would need to combine this with other vulnerabilities to perform an attack.”
Plus, a targeted user would need to be lured to trigger a payload within the application.
Microsoft offered no technical details about the third publicly known bug.
Other March Vulnerabilities of Interest
Researchers flagged a handful of other issues to patch quickly, including CVE-2022-24508, which exists in the Windows SMBv3 client and server, and which could lead to RCE on Windows 10 version 2004 and newer systems.
“Authentication is required here, but since this affected both clients and servers, an attacker could use this for lateral movement within a network,” Childs explained. “This is another one I would treat as critical and mitigate quickly.”
Breen again agreed, and noted that Microsoft offered additional mitigations.
“Another potential component of lateral movement, remotely executable CVE-2022-24508 in Windows SMB v3, seems to be one to watch out for,” he said. “While successful exploitation requires valid credentials, Microsoft provides advice on limiting SMB traffic in lateral and external connections. While this is a strong step in providing defense in depth, blocking such connections can also have an adverse effect on other tools using these connections, something to be considered in mitigation attempts.”
He also flagged three privilege-escalation vulnerabilities (CVE-2022-23286 in the Windows Cloud Files Mini Filter Driver; CVE-2022-24507 in the Windows Ancillary Function Driver for WinSock; and CVE-2022-23299 in Windows PDEV) as ones to prioritize, since they “could form the connective tissue in any multi-stage attack, are marked as more likely to be exploited and also therefore warrant interest. Addressing these will stop a potentially limited incursion becoming more serious.”
And finally, the Xbox bug (CVE-2022-21967) exists in the Xbox Live authentication manager for Windows, and can allow elevation of privilege. It’s notable for its uniqueness.
“This appears to be the first security patch impacting Xbox specifically,” Childs said. “There was an advisory for an inadvertently disclosed Xbox Live certificate back in 2015, but this seems to be the first security-specific update for the device itself.”