Get Latest Security Updates from Microsoft and More



Dec 14, 2022 | Ravie Lakshmanan | Patch Management / Vulnerability


Tech giant Microsoft released its last set of monthly security updates for 2022 with fixes for 49 vulnerabilities across its software products.

Of the 49 bugs, six are rated Critical, 40 are rated Important, and three are rated Moderate in severity. The updates are in addition to 24 vulnerabilities that have been addressed in the Chromium-based Edge browser since the start of the month.

December's Patch Tuesday plugs two zero-day vulnerabilities, one that is actively exploited and another issue that is listed as publicly disclosed at the time of release.

The former pertains to CVE-2022-44698 (CVSS score: 5.4), one of the three security bypass issues in Windows SmartScreen that could be exploited by a malicious actor to evade Mark of the Web (MotW) protections.

It's worth noting that this issue, in conjunction with CVE-2022-41091 (CVSS score: 5.4), has been observed being exploited by Magniber ransomware actors to deliver rogue JavaScript files within ZIP archives.


"It allows attackers to craft documents that will not get tagged with Microsoft's 'Mark of the Web' despite being downloaded from untrusted sites," Rapid7's Greg Wiseman said. "This means no Protected View for Microsoft Office documents, making it easier to get users to do sketchy things like execute malicious macros."

Publicly disclosed, but not seen actively exploited, is CVE-2022-44710 (CVSS score: 7.8), an elevation of privilege flaw in DirectX Graphics Kernel that could enable an adversary to gain SYSTEM privileges.

"Successful exploitation of this vulnerability requires an attacker to win a race condition," Microsoft pointed out in an advisory.

Also patched by Microsoft are several remote code execution bugs in Microsoft Dynamics NAV, Microsoft SharePoint Server, PowerShell, Windows Secure Socket Tunneling Protocol (SSTP), .NET Framework, Contacts, and Terminal.

Furthermore, the update also resolves 11 remote code execution vulnerabilities in Microsoft Office Graphics, OneNote, and Visio, all of which are rated 7.8 in the CVSS scoring system.

Two of the 19 elevation of privilege flaws remediated this month are in the Windows Print Spooler component (CVE-2022-44678 and CVE-2022-44681, CVSS scores: 7.8), continuing a steady stream of patches released by the company over the past year.

Last but not least, Microsoft has assigned the "Exploitation More Likely" tag to the PowerShell remote code execution vulnerability (CVE-2022-41076, CVSS score: 8.5) and the Windows Sysmon privilege escalation flaw (CVE-2022-44704, CVSS score: 7.8), making it essential that users apply the updates to mitigate potential threats.

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors over the past two weeks to rectify several vulnerabilities, including —
