The December 2022 Security Update Review
December 13, 2022 | Dustin ChildsWelcome to the final Patch Tuesday of 2022, and the first since Pwn2Own Toronto. As always, Adobe and Microsoft have released their latest security fixes just in time for the winter holidays. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.
Adobe Patches for December 2022
For December, Adobe released three patches fixing 37 CVEs in Illustrator, Experience Manager, and Adobe Campaign Classic. One of these bugs was reported through the ZDI program. All of the patches are rated Important in severity. The largest is the update for Experience Manager, which covers 32 bugs. The most severe of these could allow code execution through cross-site scripting (XSS). The fix for Illustrator addresses four memory leaks. The final patch for Campaign corrects a single privilege escalation bug.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.
Microsoft Patches for December 2022
This month, Microsoft released 52 new patches addressing CVEs in Microsoft Windows and Windows Components; Azure; Office and Office Components; SysInternals; Microsoft Edge (Chromium-based); SharePoint Server; and the .NET framework. This is in addition to two CVEs fixed earlier this month, which brings the December release total to 54 fixes overall. A total of 12 of these CVEs were submitted through the ZDI program.
Of the 52 new patches released today, six are rated Critical, 43 are rated Important, and three are rated Moderate in severity. December is typically a light month for Microsoft patches, and this year is no exception. It’s also the smallest monthly release this year. Overall, 2022 was Microsoft’s second busiest ever with Microsoft fixing over 900 CVEs in total.
One of the new CVEs released this month is listed as publicly known and one is listed as being in the wild at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the bug under active attack:
- CVE-2022-44698 – Windows SmartScreen Security Feature Bypass Vulnerability
This bug has been widely discussed on the bird site and is likely related to the Mark of the Web bug patched last month. In this case, a file could be created that evades the Mark of the Web detection and therefore bypass security features such as Protected View in Microsoft Office. Considering how many phishing attacks rely on people opening attachments, these protections are vital in preventing malware and other attacks. It’s good to see Microsoft (finally) address these bugs.
- CVE-2022-44713 – Microsoft Outlook for Mac Spoofing Vulnerability
We don’t often highlight spoofing bugs, but anytime you’re dealing with a spoofing bug in an e-mail client, you should take notice. This vulnerability could allow an attacker to appear as a trusted user when they should not be. Now combine this with the SmartScreen Mark of the Web bypass and it’s not hard to come up with a scenario where you receive an e-mail that appears to be from your boss with an attachment entitled “Executive_Compensation.xlsx”. There aren’t many who wouldn’t open that file in that scenario.
- CVE-2022-41076 – PowerShell Remote Code Execution Vulnerability
This Critical-rated bug could allow an authenticated user to escape the PowerShell Remoting Session Configuration and run unapproved commands on an affected system. Threat actors often try to “live off the land” after an initial breach – meaning they use tools already on a system to maintain access and move throughout a network. PowerShell is one such tool, so any bug that bypasses restrictions is likely to be abused by intruders. Definitely don’t ignore this patch.
- CVE-2022-44699 – Azure Network Watcher Agent Security Feature Bypass Vulnerability
As someone who has done extensive incident response in the past, I know all too well the importance of good logs. That’s why this patch stood out to me. This bug would allow someone to terminate the packet capture from the Network Watcher agent. There might not be many enterprises relying on this tool, but for those using this VM extension, this fix should be treated as critical and deployed quickly.
Here’s the full list of CVEs released by Microsoft for December 2022:
CVE | Title | Severity | CVSS | Public | Exploited | Type |
CVE-2022-44698 | Windows SmartScreen Security Feature Bypass Vulnerability | Moderate | 5.4 | No | Yes | SFB |
CVE-2022-44710 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Important | 7.8 | Yes | No | EoP |
CVE-2022-41127 | Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability | Critical | 8.5 | No | No | RCE |
CVE-2022-44690 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
CVE-2022-44693 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
CVE-2022-41076 | PowerShell Remote Code Execution Vulnerability | Critical | 8.5 | No | No | RCE |
CVE-2022-44670 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
CVE-2022-44676 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
CVE-2022-41089 | .NET Framework Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2022-44699 | Azure Network Watcher Agent Security Feature Bypass Vulnerability | Important | 4.4 | No | No | SFB |
CVE-2022-44708 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important | 8.3 | No | No | EoP |
CVE-2022-41115 | Microsoft Edge (Chromium-based) Update Elevation of Privilege Vulnerability | Important | 6.6 | No | No | EoP |
CVE-2022-26804 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-26805 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-26806 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-44692 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-47211 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-47212 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-47213 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-44691 | Microsoft Office OneNote Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-44694 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-44695 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-44696 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-44713 | Microsoft Outlook for Mac Spoofing Vulnerability | Important | 7.5 | No | No | Spoofing |
CVE-2022-44704 | Microsoft Windows Sysmon Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-24480 | Outlook for Android Elevation of Privilege Vulnerability | Important | 6.3 | No | No | EoP |
CVE-2022-44687 | Raw Image Extension Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-44675 | Windows Bluetooth Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-44674 | Windows Bluetooth Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2022-44673 | Windows Client Server Run-Time Subsystem (CSRSS) Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-44666 | Windows Contacts Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-44669 | Windows Error Reporting Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-41077 | Windows Fax Compose Form Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-41121 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-44671 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-44680 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-41074 | Windows Graphics Component Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2022-44679 | Windows Graphics Component Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2022-44682 | Windows Hyper-V Denial of Service Vulnerability | Important | 6.8 | No | No | DoS |
CVE-2022-41094 | Windows Hyper-V Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-44707 | Windows Kernel Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
CVE-2022-44683 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-44667 | Windows Media Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-44668 | Windows Media Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-44678 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-44681 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-44677 | Windows Projected File System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-44689 | Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-44702 | Windows Terminal Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-44684 | Windows Local Session Manager (LSM) Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
CVE-2022-44688 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Moderate | 4.3 | No | No | Spoofing |
CVE-2022-44697 | Windows Graphics Component Elevation of Privilege Vulnerability | Moderate | 7.8 | No | No | EoP |
Looking at the remaining Critical-rated fixes, there are two patches for the older Secure Socket Tunneling Protocol (SSTP). Both could allow a remote, unauthenticated threat actor to get code execution on an affected system by sending a specially crafted connection request to a server with the RAS Server role enabled. If you aren’t using this service, you should disable it. If you are using it, test and deploy these patches quickly. There are also two Critical-rated code execution bugs in SharePoint server, and we’ve seen SharePoint exploited in the wild with older, patched bugs. Definitely make sure you’re patching your SharePoint instances. The final Critical bug resides in Dynamics AV and could allow an authenticated attacker to execute code in the context of the server’s account through a network call.
Beyond these, there are 16 other remote code execution bugs getting fixes this December, including multiple Office bugs reported by ZDI research Mat Powell. Most of these are the open-a-file-get-owned sort, but a couple of these patches are worth a second look. The update for the .NET Framework seems to hit every supported version, but no additional information about the bug itself is available. Two different researchers are credited for it, which implies a bug collision from multiple sources. I always pay extra attention to bugs when multiple people have independently reported them. Finally, the update for Windows Terminal is found in the Windows Store, so it should be automatically applied. However, if you have disabled automatic Store updates or are in a disconnected environment, you’ll need to apply the patch by hand.
There are 18 patches addressing Elevation of Privilege (EoP) bugs in this month’s release. For the most part, these bugs require an authenticated user to execute specially crafted code on an affected system to escalate privileges. However, there are a few that deserve extra scrutiny. The first two are yet more fixes for the Print Spooler service. The long tail of PrintNightmare grows even longer. The bug in the DirectX Graphics Kernel is the one bug listed as public for December. I already mentioned incident response and living off the land. The bug in Sysinternals Sysmon combines both as many responders rely on Sysinternals services. Exploiting these for privilege escalation would certainly be something. The final EoP of note is a bug in Hyper-V that would allow an attacker to execute code with SYSTEM privileges.
The December release includes three information disclosure bugs. This month, they all simply result in info leaks consisting of unspecified memory contents.
There are only three Denial-of-Service (DOS) bugs receiving patches this month. The first is in Hyper-V and could allow a guest OS to “affect the functionality of the Hyper-V host.” Microsoft doesn’t make it clear if the Hyper-V host would completely shut down or if only certain services are affected. Either way, it’s not good when on guest OS can negatively impact the host OS. The other DoS bugs are in the Windows Kernel and Local Session Manager (LSM), but Microsoft provides no further information on those.
Besides the one fix for Outlook for Mac, there’s one other spoofing bug in Microsoft Edge (Chromium-based) receiving a patch this month. This bug allows an attacker to change the content of the autofill box that overlaps an error message on a specially crafted website. While interesting, I’m not sure how this would really be used in an actual attack. Still, never underestimate the ingenuity of determined threat actors.
Finally, there is one new advisory (ADV220005) this month providing additional guidance on third-party drivers that appear to be certified by the Microsoft Windows Hardware Developer Program. According to Microsoft, drivers that appear to have been certified by this program have been seen in the wild in post-exploitation activity. There are no servicing stack updates this month.
Looking Ahead
The first Patch Tuesday of 2023 will be on January 10, and we’ll return with details and patch analysis then. Be sure to catch the Patch Report webcast on our YouTube channel. It should be posted in just a few hours. Until then, Merry Christmahanakwanzika, happy patching, and may all your reboots be smooth and clean!