Patch Tuesday: 51 MS Flaws Fixed - Important, Not Critical

Microsoft Also Announces Default Change for Macros
Technology giant Microsoft has released patches for 51 vulnerabilities as part of its Patch Tuesday announcement. None of the fixes are for critical bugs, and three are rereleased patches.
On the heels of this announcement, Microsoft says in a blog post that it will block internet macros by default in its Office applications.
With no critical vulnerabilities, and none listed as under active exploitation in February, most of the latest fixes are rated "important." They are also rated as more likely to be exploited, Microsoft adds.
"A total of five of these bugs came through the ZDI program. This is in addition to the 19 CVEs patched by Microsoft Edge (Chromium-based) earlier this month, which brings the February total to 70 CVEs," according to Dustin Childs, a security analyst for Zero Day Initiative, a software vulnerability initiative run by cybersecurity firm Trend Micro. "This volume is in line with February releases from previous years, which, apart from 2020, tend to be around 50 CVEs."
Tuesday's update fixes vulnerabilities including privilege escalation flaws, remote code execution exploits, spoofing issues, denial-of-service, security feature bypass and information disclosure, as well as Edge Chromium vulnerabilities, according to the patch update statement. The bugs were discovered on Microsoft Windows and Windows components, Azure Data Explorer, Microsoft Dynamics, Microsoft Dynamics GP, Microsoft Office and Office components, Windows Hyper-V Server, SQL Server, Visual Studio Code, Kestrel Web Server, Microsoft Edge (Chromium-based), Windows Codecs Library and Microsoft Teams, it says.
The "complete lack of critical-rated patches" has come as a surprise, Childs says. "Of the patches released today, 50 are rated important and one is rated moderate in severity. It may have happened before, but I can't find an example of a monthly release from Microsoft that doesn't include at least one critical-rated patch," he says.
Last month, the Redmond-based firm patched a massive 122 CVEs. Of these, nine were rated critical in severity, 89 were important and six were zero-day vulnerabilities (see: Microsoft Patch Tuesday: An 'Unusually Large' Patch Release).
In January, Microsoft issued a workaround to fix a fatal error that disrupted email delivery due to a date check failure with the change of the year to 2022 (see: Microsoft Exchange Fixes Disruptive 'Y2K22' Bug).
CVE-2022-21984 is a Windows DNS server remote code execution vulnerability that applies only when dynamic updates are enabled. But this is a relatively common configuration, says Childs. He says an attacker could completely take over DNS and execute code with elevated privileges if a user has this set up in their environment.
"Since dynamic updates aren’t enabled by default, this doesn’t get a critical rating. However, if your DNS servers do use dynamic updates, you should treat this bug as critical," Childs says.
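A defender's check for the condition Childs describes, as an added example that is not from the article or from Microsoft: it lists the primary zones on a Windows DNS server that accept dynamic updates, so those servers can be prioritized for the CVE-2022-21984 update. It assumes the DnsServer PowerShell module is present; the KB number of the fix is not given in the article, so the hotfix check uses a placeholder you must fill in.

```powershell
# Added example (not from the article): inventory zones with dynamic updates
# enabled and flag the server as "treat as critical" per Childs' advice.
Import-Module DnsServer

function Get-DynamicUpdateZones {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # DynamicUpdate is one of None, Secure, NonsecureAndSecure; anything
    # other than None means the server accepts dynamic updates for that zone.
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object {
            -not $_.IsAutoCreated -and
            $_.ZoneType -eq 'Primary' -and
            $_.DynamicUpdate -ne 'None'
        } |
        Select-Object ZoneName, DynamicUpdate, IsDsIntegrated
}

function Test-FixInstalled {
    # Placeholder: replace with the KB article number for the
    # CVE-2022-21984 update for your OS build (assumption, not from the page).
    param([string]$KB = 'KB<placeholder>')
    $null -ne (Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

$zones = Get-DynamicUpdateZones
if ($zones) {
    "$($zones.Count) zone(s) accept dynamic updates; treat CVE-2022-21984 as critical here."
    $zones | Format-Table -AutoSize
    if (-not (Test-FixInstalled)) { "Fix not detected: patch this server first." }
} else {
    "No primary zones accept dynamic updates; patch on the normal schedule."
}
```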
CVE-2022-23280 is a Microsoft Outlook for Mac security feature bypass vulnerability that may allow images to appear in the Preview Pane automatically, even if this option is disabled.
"Exploiting this will only expose the target's IP information. However, it's possible a second bug affecting image rendering could be paired with this bug to allow remote code execution. If you are using Outlook for Mac, you should double-check to ensure your version has been updated to an unaffected version," Childs says.
CVE-2022-22005 is a Microsoft SharePoint server remote code execution vulnerability that could allow an authenticated user to execute any arbitrary .NET code on the server under the context and permissions of the service account of SharePoint Web Application.
This vulnerability is listed as remote code execution, but the attacker also requires authenticated access with the ability to create new pages, says Kev Breen, director of cyberthreat research at cybersecurity firm Immersive Labs.
"This kind of vulnerability would likely be abused by an attacker that already has an initial foothold to move laterally across the network. For organizations that use SharePoint for internal wikis or document stores, attackers could use this vulnerability to steal confidential information or replace documents with new versions that contain malicious code or macros to help them infect other systems," Breen says.
CVE-2022-21989 is an elevation of privilege vulnerability that Microsoft has resolved in Windows Kernel, says Chris Goettl, vice president of product management at IT and security automation services provider Ivanti.
"Exploit code maturity is at proof of concept. This means much of the initial investigative work for a weaponized exploit has already been done and details could be publicly available to threat actors. This increases the risk of exploitation of this vulnerability," Goettl says.
Print Spooler Vulnerabilities
Microsoft also resolved four CVEs - CVE-2022-21999, CVE-2022-21997, CVE-2022-22718 and CVE-2022-22717 - which affect Windows Print Spooler and could allow elevation of privileges. Three of these vulnerabilities were discovered by external researchers.
"Is it really Patch Tuesday if we don't talk about a vulnerability in the Windows Print Spooler components?" says Breen. "They are all listed as elevation of privilege, which forms a key part of the attack chain. Once initial access has been gained, attackers will quickly seek to gain administrator level access so they can move across the network, compromise other devices and avoid detection by disabling security tooling."
Ever since PrintNightmare, the Print Spooler has been an attractive target for attackers and researchers alike. Pay special attention to CVE-2022-21999 since it was reported during the Tianfu Cup. Other bugs associated with this contest have been used in active attacks, Childs says.
On Jan. 13, the company announced its discovery that CVE-2022-21882, a Win32k elevation of privilege vulnerability, had been exploited.
The vulnerability has been observed in attacks in the wild in combination with other vulnerabilities, including an even older elevation of privilege vulnerability - CVE-2021-1732, Goettl says.
"This stresses the need to keep up with new security updates and ensure that older vulnerabilities have been resolved as well. CISA has added this vulnerability to the known exploited vulnerabilities catalog, which has now grown to 352 entries," he says.
Microsoft has also patched another Win32k elevation of privilege vulnerability, tracked as CVE-2022-21996, which is being actively exploited in the wild.
Breen says it is unclear whether this is a brand-new vulnerability or if it is related to the previous month's update. "Either way, we have seen attackers leverage this vulnerability so it's safer to err on the side of caution and update this one quickly," Breen says.
"January's patch release may have left some IT teams feeling somewhat sour as Microsoft had to reissue updates to fix some unexpected issues caused by the updates. This should not be used as an excuse to skip updates, but it does reinforce how important it is to test patches in a staging environment or use a staggered rollout, and why monitoring for any adverse impacts should always be a key step in your patching policy," Breen says.
CVE-2022-21995 is a remote code execution flaw affecting Windows Hyper-V. Microsoft marks the CVSS exploit complexity as "high," stating that an attacker "must prepare the target environment to improve exploit reliability."
"Since this is the case for most exploits, it's not clear how this vulnerability is different. If you rely on Hyper-V servers in your enterprise, it's recommended to treat this as a critical update," Childs says.
According to Ivanti, Microsoft has offered updates for products affected by a remote code execution vulnerability tracked as CVE-2019-0887.
The original fix for this bug was released in July 2019. This CVE also received a revision in December 2021, covering Windows 11 and Server 2022, the firm says.
Another rerelease was a fix in Windows Kernel Memory to resolve an information disclosure vulnerability tracked as CVE-2021-34500. The fix was first released in July 2021. Microsoft also revised affected platforms for an update in Microsoft Diagnostics Hub Standard Collector Runtime, which could allow an elevation of privilege flaw tracked as CVE-2022-21871. The fix was first released in January 2022.
In a separate development, Kellie Eickmeyer, Microsoft's principal program manager, says in a Microsoft blog post that the company is introducing a default change for five Office apps that run macros.
"Visual Basic for Applications (VBA) macros obtained from the internet will now be blocked by default. The default is more secure and is expected to keep more users safe, including home users and information workers in managed organizations," the post says.
Microsoft's move to limit default functionality of macros from the internet is long overdue, says Jake Williams, a former member of the National Security Agency's elite hacking team and a research analyst. He tells ISMG: "This won't solve the malware problem, but removing this key attack vector will help dramatically. Enterprise security teams have been asking for increased security controls around macros for years."
Williams says that by effectively removing this simplistic attack vector, enterprise security teams can focus on hunting for more advanced threats in their environments.
Microsoft says that users will no longer be able to enable content with the click of a button for macros in files obtained from the internet. In addition, a notification bar will warn users about the external file and provide more details.
"For years, Microsoft Office has shipped powerful automation capabilities called active content, the most common kind are macros. While we provided a notification bar to warn users about these macros, users could still decide to enable the macros by clicking a button. Bad actors send macros in Office files to end-users who unknowingly enable them, malicious payloads are delivered, and the impact can be severe including malware, compromised identity, data loss and remote access," Eickmeyer says.
The company says the latest move will only affect devices running Windows and only affects the following applications: Access, Excel, PowerPoint, Visio, and Word. The changes will begin rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022. Microsoft also plans to make this change to Office LTSC, Office 2021, Office 2019, Office 2016 and Office 2013.
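A way to audit the macro change on a Windows endpoint, as an added example that is not from the article or from Microsoft: it reports whether the "block macros from the internet" policy is explicitly enforced for the five applications named above, and lists Office files in a folder that Windows marks as obtained from the internet (the Zone.Identifier stream with ZoneId=3, which is the mark Office consults). It assumes the Office 16.0 registry layout and the policy value name blockcontentexecutionfrominternet (1 = block); confirm both against your Office build.

```powershell
# Added example (not from the article): audit macro-blocking policy and
# find internet-marked Office documents that the new default will affect.
# Assumption: Office 16.0 policy keys and the value name below.
$apps = 'access', 'excel', 'powerpoint', 'visio', 'word'

function Get-MacroBlockPolicy {
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        [pscustomobject]@{
            App      = $app
            Enforced = ($val -eq 1)
            Source   = if ($null -eq $val) { 'not set (relies on product default)' } else { 'policy' }
        }
    }
}

function Get-InternetMarkedOfficeFiles {
    param([string]$Path)
    # Macro-capable formats; legacy .doc/.xls/.ppt can carry VBA too.
    $ext = '*.docm', '*.xlsm', '*.pptm', '*.vsdm', '*.accdb', '*.doc', '*.xls', '*.ppt'
    Get-ChildItem -Path $Path -Recurse -File -Include $ext -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Files downloaded from the internet carry a Zone.Identifier
            # alternate data stream containing "ZoneId=3".
            $zone = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            if ($zone -match 'ZoneId=3') {
                [pscustomobject]@{ File = $_.FullName; Zone = 'Internet' }
            }
        }
}

Get-MacroBlockPolicy | Format-Table -AutoSize
Get-InternetMarkedOfficeFiles -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

An "Enforced = False" row does not mean macros run; it means the machine relies on the product default the article describes rather than an explicit policy.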