Select Page

Microsoft on Tuesday rolled out its monthly security updates with fixes for 51 vulnerabilities across its software line-up consisting of Windows, Office, Teams, Azure Data Explorer, Visual Studio Code, and other components such as Kernel and Win32k.

Among the 51 defects closed, 50 are rated Important and one is rated Moderate in severity, making it one of the rare Patch Tuesday updates without any fixes for Critical-rated vulnerabilities. This is also in addition to 19 more flaws the company addressed in its Chromium-based Edge browser.

None of the security vulnerabilities are listed as under active exploit, while of the flaws — CVE-2022-21989 (CVSS score: 7.8) — has been classified as a publicly disclosed zero-day at the time of the release. The issue concerns a privilege escalation bug in Windows Kernel, with Microsoft warning of potential attacks exploiting the shortcoming.

“Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment,” the company noted in its advisory. “A successful attack could be performed from a low privilege AppContainer. The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment.”

Also resolved are a number of remote code execution vulnerabilities affecting Windows DNS Server (CVE-2022-21984, CVSS score: 8.8), SharePoint Server (CVE-2022-22005, CVSS score: 8.8), Windows Hyper-V (CVE-2022-21995, CVSS score: 5.3), and HEVC Video Extensions (CVE-2022-21844CVE-2022-21926, and CVE-2022-21927, CVSS scores: 7.8).

The security update also remediates a Azure Data Explorer spoofing vulnerability (CVE-2022-23256, CVSS score: 8.1), two security bypass vulnerabilities each impacting Outlook for Mac (CVE-2022-23280, CVSS score: 5.3) and OneDrive for Android (CVE-2022-23255, CVSS score: 5.9), and two denial-of-service vulnerabilities in .NET (CVE-2022-21986, CVSS score: 7.5) and Teams (CVE-2022-21965, CVSS score: 7.5).

Microsoft also said it remediated multiple elevation of privilege flaws — four in the Print Spooler service and one in the Win32k driver (CVE-2022-21996, CVSS score: 7.8), the latter of which has been labeled “Exploitation More Likely” in light of a similar vulnerability in the same component that was patched last month (CVE-2022-21882) and has come since under active attack.

images from Hacker News