The February 2022 Security Update Review
February 08, 2022 | Dustin Childs
It’s the second patch Tuesday of 2022, which means the latest security updates from Adobe and Microsoft are here. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.
Adobe Patches for February 2022
For February, Adobe released five bulletins addressing 17 CVEs in Adobe Illustrator, Creative Cloud Desktop, After Effects, Photoshop, and Premiere Rush. Two of these 17 were reported by ZDI Vulnerability Researcher Mat Powell. The update for Illustrator fixes a total of 13 bugs, the most severe of which could allow arbitrary code execution through either a buffer overflow or an Out-Of-Bounds (OOB) Write. The patch for Creative Cloud Desktop also fixes a single, Critical-rated code execution bug.
The theme of Critical-rated code execution bugs continues with the fix for After Effects. This patch addresses an OOB write bug that exists within the parsing of 3GP files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. The final Critical-rated patch from Adobe this month fixes a buffer overflow in Photoshop that could allow code execution.
The only Moderate-rated patch this month is the update for Premiere Rush. This patch fixes a bug that exists within the parsing of JPEG images. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.
Microsoft Patches for February 2022
For February, Microsoft released 51 new patches addressing CVEs in Microsoft Windows and Windows Components, Azure Data Explorer, Kestrel Web Server, Microsoft Edge (Chromium-based), Windows Codecs Library, Microsoft Dynamics, Microsoft Dynamics GP, Microsoft Office and Office Components, Windows Hyper-V Server, SQL Server, Visual Studio Code, and Microsoft Teams. A total of five of these bugs came through the ZDI program. This is in addition to the 19 CVEs patched by Microsoft Edge (Chromium-based) earlier this month, which brings the February total to 70 CVEs.
This volume is in line with February releases from previous years, which (apart from 2020) tend to be around 50 CVEs. What’s more curious about this release is the complete lack of Critical-rated patches. Of the patches released today, 50 are rated Important and one is rated Moderate in severity. It may have happened before, but I can’t find an example of a monthly release from Microsoft that doesn’t include at least one Critical-rated patch. It certainly hasn’t happened in recent memory. Interestingly, Microsoft has chosen to provide some additional explanations of CVSS ratings in this month’s release, but there are still many details about the bugs themselves that are left obscured.
None of the bugs are listed as under active exploit this month, while one is listed as publicly known at the time of release. Last month, Microsoft also initially listed the release as having no active attacks only to revise CVE-2022-21882 two days post release to indicate “Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.” We’ll update this blog should they change their mind this month as well.
Let’s take a closer look at some of the more interesting updates for this month, starting with a significant bug in the Windows DNS Server:
- CVE-2022-21984 – Windows DNS Server Remote Code Execution Vulnerability
This patch fixes a remote code execution bug in the Microsoft DNS server. The server is only affected if dynamic updates are enabled, but this is a relatively common configuration. If you have this setup in your environment, an attacker could completely take over your DNS and execute code with elevated privileges. Since dynamic updates aren’t enabled by default, this doesn’t get a Critical rating. However, if your DNS servers do use dynamic updates, you should treat this bug as Critical.
- CVE-2022-23280 – Microsoft Outlook for Mac Security Feature Bypass Vulnerability
This Outlook bug could allow images to appear in the Preview Pane automatically, even if this option is disabled. On its own, exploiting this will only expose the target's IP information. However, it’s possible a second bug affecting image rendering could be paired with this bug to allow remote code execution. If you are using Outlook for Mac, you should double-check to ensure your version has been updated to an unaffected version.
- CVE-2022-21995 – Windows Hyper-V Remote Code Execution Vulnerability
This patch fixes a guest-to-host escape in Hyper-V server. Microsoft marks the CVSS exploit complexity as High here stating an attacker, “must prepare the target environment to improve exploit reliability.” Since this is the case for most exploits, it’s not clear how this vulnerability is different. If you rely on Hyper-V servers in your enterprise, it’s recommended to treat this as a Critical update.
- CVE-2022-22005 – Microsoft SharePoint Server Remote Code Execution Vulnerability
This patch fixes a bug in SharePoint Server that could allow an authenticated user to execute arbitrary .NET code on the server under the context and permissions of the service account of the SharePoint Web Application. An attacker would need “Manage Lists” permissions to exploit this, but by default, authenticated users are able to create their own sites; in that case, the user is the owner of the site and has all the necessary permissions. This case came through the ZDI, and we’ll have additional details out about it in the near future.
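The Windows DNS Server bug above (CVE-2022-21984) only matters when dynamic updates are enabled, so the first triage step is to find out which zones accept them. This is an added PowerShell example, not code from the post or from Microsoft; it assumes the DnsServer module (installed with the DNS Server role or RSAT) and administrator rights on the server being queried.

```powershell
# Added example: list zones on a Windows DNS Server that accept dynamic updates,
# to decide whether the CVE-2022-21984 fix should be treated as Critical there.
# Assumes the DnsServer module and admin rights; -ComputerName is optional.
param(
    [string]$ComputerName = $env:COMPUTERNAME
)

Import-Module DnsServer -ErrorAction Stop

# Only primary zones the server is authoritative for; skip auto-created ones
# (0.in-addr.arpa, TrustAnchors and similar) that never take client updates.
$zones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

$report = foreach ($z in $zones) {
    [pscustomobject]@{
        Zone          = $z.ZoneName
        ADIntegrated  = $z.IsDsIntegrated
        DynamicUpdate = $z.DynamicUpdate      # None | Secure | NonsecureAndSecure
        # Per the post, the server is only affected when dynamic updates are on,
        # regardless of whether they are secure-only.
        Exposed       = ($z.DynamicUpdate -ne 'None')
    }
}

$report | Sort-Object Exposed -Descending | Format-Table -AutoSize

$exposed = @($report | Where-Object { $_.Exposed })
if ($exposed.Count -gt 0) {
    Write-Warning (("{0} zone(s) on {1} accept dynamic updates; treat the " +
        "CVE-2022-21984 update as Critical for this server.") -f $exposed.Count, $ComputerName)
    # Zones allowing nonsecure updates take changes from any client on the network,
    # so patch the servers hosting them first.
    $exposed | Where-Object { $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
        ForEach-Object { Write-Warning "  $($_.Zone) allows nonsecure dynamic updates" }
} else {
    Write-Host "No zones on $ComputerName accept dynamic updates; patch on the normal schedule."
}
```

Run it against each DNS server (or loop over `Get-ADDomainController` output) and patch the hosts with exposed zones first.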
Here’s the full list of CVEs released by Microsoft for February 2022:
CVE | Title | Severity | CVSS | Public | Exploited | Type
--- | --- | --- | --- | --- | --- | ---
CVE-2022-21989 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | Yes | No | EoP
CVE-2022-21984 | Windows DNS Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2022-23280 | Microsoft Outlook for Mac Security Feature Bypass Vulnerability | Important | 5.3 | No | No | SFB
CVE-2022-21995 | Windows Hyper-V Remote Code Execution Vulnerability | Important | 7.9 | No | No | RCE
CVE-2022-22005 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2022-21986 | .NET Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2022-23256 | Azure Data Explorer Spoofing Vulnerability | Important | 8.1 | No | No | Spoofing
CVE-2022-21844 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-21926 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-21927 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-21957 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE
CVE-2022-23271 | Microsoft Dynamics GP Elevation Of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2022-23272 | Microsoft Dynamics GP Elevation Of Privilege Vulnerability | Important | 8.1 | No | No | EoP
CVE-2022-23273 | Microsoft Dynamics GP Elevation Of Privilege Vulnerability | Important | 7.1 | No | No | EoP
CVE-2022-23274 | Microsoft Dynamics GP Remote Code Execution Vulnerability | Important | 8.3 | No | No | RCE
CVE-2022-23269 | Microsoft Dynamics GP Spoofing Vulnerability | Important | 6.9 | No | No | Spoofing
CVE-2022-23262 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important | 6.3 | No | No | EoP
CVE-2022-23263 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important | 7.7 | No | No | EoP
CVE-2022-22716 | Microsoft Excel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2022-22004 | Microsoft Office ClickToRun Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-22003 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-23252 | Microsoft Office Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2022-21988 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-23255 | Microsoft OneDrive for Android Security Feature Bypass Vulnerability | Important | 5.9 | No | No | SFB
CVE-2022-23254 | Microsoft Power BI Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP
CVE-2022-21968 | Microsoft SharePoint Server Security Feature Bypass Vulnerability | Important | 4.3 | No | No | SFB
CVE-2022-21987 | Microsoft SharePoint Server Spoofing Vulnerability | Important | 8 | No | No | Spoofing
CVE-2022-21965 | Microsoft Teams Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2022-22715 | Named Pipe File System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-21974 | Roaming Security Rights Management Services Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-23276 | SQL Server for Linux Containers Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-21991 | Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability | Important | 8.1 | No | No | RCE
CVE-2022-22709 | VP9 Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-21996 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-22710 | Windows Common Log File System Driver Denial of Service Vulnerability | Important | 5.5 | No | No | DoS
CVE-2022-21981 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-22000 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-21998 | Windows Common Log File System Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2022-21994 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-22712 | Windows Hyper-V Denial of Service Vulnerability | Important | 5.6 | No | No | DoS
CVE-2022-21992 | Windows Mobile Device Management Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-21997 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP
CVE-2022-21999 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-22717 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP
CVE-2022-22718 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-22001 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-21985 | Windows Remote Access Connection Manager Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2022-21971 | Windows Runtime Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-21993 | Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability | Important | 7.5 | No | No | Info
CVE-2022-22002 | Windows User Account Profile Picture Denial of Service Vulnerability | Important | 5.5 | No | No | DoS
CVE-2022-23261 | Microsoft Edge (Chromium-based) Tampering Vulnerability | Moderate | 5.3 | No | No | Tampering
CVE-2022-0452 * | Chromium: CVE-2022-0452 Use after free in Safe Browsing | High | N/A | No | No | N/A
CVE-2022-0453 * | Chromium: CVE-2022-0453 Use after free in Reader Mode | High | N/A | No | No | N/A
CVE-2022-0454 * | Chromium: CVE-2022-0454 Heap buffer overflow in ANGLE | High | N/A | No | No | N/A
CVE-2022-0455 * | Chromium: CVE-2022-0455 Inappropriate implementation in Full Screen Mode | High | N/A | No | No | N/A
CVE-2022-0456 * | Chromium: CVE-2022-0456 Use after free in Web Search | High | N/A | No | No | N/A
CVE-2022-0457 * | Chromium: CVE-2022-0457 Type Confusion in V8 | High | N/A | No | No | N/A
CVE-2022-0458 * | Chromium: CVE-2022-0458 Use after free in Thumbnail Tab Strip | High | N/A | No | No | N/A
CVE-2022-0459 * | Chromium: CVE-2022-0459 Use after free in Screen Capture | High | N/A | No | No | N/A
CVE-2022-0460 * | Chromium: CVE-2022-0460 Use after free in Window Dialog | Medium | N/A | No | No | N/A
CVE-2022-0461 * | Chromium: CVE-2022-0461 Policy bypass in COOP | Medium | N/A | No | No | N/A
CVE-2022-0462 * | Chromium: CVE-2022-0462 Inappropriate implementation in Scroll | Medium | N/A | No | No | N/A
CVE-2022-0463 * | Chromium: CVE-2022-0463 Use after free in Accessibility | Medium | N/A | No | No | N/A
CVE-2022-0464 * | Chromium: CVE-2022-0464 Use after free in Accessibility | Medium | N/A | No | No | N/A
CVE-2022-0465 * | Chromium: CVE-2022-0465 Use after free in Extensions | Medium | N/A | No | No | N/A
CVE-2022-0466 * | Chromium: CVE-2022-0466 Inappropriate implementation in Extensions Platform | Medium | N/A | No | No | N/A
CVE-2022-0467 * | Chromium: CVE-2022-0467 Inappropriate implementation in Pointer Lock | Medium | N/A | No | No | N/A
CVE-2022-0468 * | Chromium: CVE-2022-0468 Use after free in Payments | Medium | N/A | No | No | N/A
CVE-2022-0469 * | Chromium: CVE-2022-0469 Use after free in Cast | Medium | N/A | No | No | N/A
CVE-2022-0470 * | Chromium: CVE-2022-0470 Out of bounds memory access in V8 | Low | N/A | No | No | N/A
* Indicates this CVE had previously been released by a 3rd-party and is now being incorporated into Microsoft products.
Looking at the additional remote code execution bugs in this month’s patch release, the updates for the HEVC and VP9 video extensions stand out. Microsoft indicates these require the exploit to be local. However, they also state that viewing a specially crafted image file could result in Windows Explorer crashing. If this is the case, it stands to reason the image file could also be hosted on an SMB share, which would make this a remote exploit vector rather than a local one. The updates for these extensions can be found in the Microsoft Store, so you really only need to verify you have the updated versions unless you are in a disconnected environment.
In addition to those already mentioned, there are nine additional remote code execution-related patches this month. There’s an update for Roaming Security Rights Management Services, but Microsoft offers no information on how an attacker could exploit this vulnerability. There are also no details for the Windows Runtime or the Mobile Device Management bug. If you’re using Windows for MDM, definitely take this update seriously. There are also a couple of open-and-own Office bugs getting fixed. The RCE bugs are rounded out by updates for Dynamics 365 (on-prem) and Dynamics GP.
Speaking of Dynamics GP, there are three patches fixing elevation of privilege (EoP) bugs in the component. Those are three of the 18 EoP patches in this month’s release. This includes an update for the Windows Kernel that is listed as publicly known. The remaining patches are mostly in other Windows components and require a logged-on user to execute a specially crafted program. The other EoP updates that stand out fix vulnerabilities in the Windows Print Spooler. Ever since PrintNightmare, the print spooler has been an attractive target for attackers and researchers alike. Pay special attention to CVE-2022-21999 since it was reported during the Tianfu Cup. Other bugs associated with this contest have been used in active attacks.
Moving on to the Security Feature Bypass (SFB) updates, there are two in addition to the previously mentioned one in Outlook for Mac. The bug in OneDrive for Android requires physical access to an unlocked phone but could allow an attacker to access OneDrive files while bypassing authentication. Really, if an attacker has access to your unlocked Android, this bug is probably the least of your concerns. The SFB for SharePoint is more severe since it could allow an attacker to bypass the blocking of HTTP requests based on IP range.
There are five patches fixing Denial-of-Service (DoS) bugs in this month’s release, and the one for Microsoft Teams stands out. While Microsoft provides no details about the exploit, it does indicate all versions of Teams need an update, including iOS and Android versions. The DoS in Hyper-V server should also be noted as successful exploitation could affect functionality of a Hyper-V host. The DoS vulnerability in .NET affects applications using the Kestrel web server. If you aren’t familiar with it, Kestrel is a cross-platform server within ASP.NET Core and is enabled by default. If you’re using Kestrel as an Internet-facing server, definitely apply this patch to prevent a DoS while handling certain HTTP/2 and HTTP/3 requests.
The February release contains three patches for spoofing bugs. There’s a patch for Azure Data Explorer; to receive the update, you will need to restart the Kusto.Explorer application. Dynamics GP receives an update here that could almost be considered code execution. While the vulnerability is in the web server, successful exploitation could allow malicious scripts to execute in the user’s browser on the target machine. And while spoofing bugs in SharePoint usually mean some form of cross-site scripting (XSS), the bug getting patched this month is different. An authenticated attacker could manipulate a SharePoint page they control to trick targeted users into sending attacker-controlled requests to the server under the permissions context of the target.
The lone Moderate-rated patch this month addresses a tampering bug in the Edge (Chromium-based) web browser.
No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV990001.
Looking Ahead
The next Patch Tuesday falls on March 8, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!