Today’s fixes from Microsoft are relatively light as far as Patch Tuesdays go. This is the first month in possibly forever where no vulnerabilities are considered Critical. A total of 70 CVEs were fixed today (including 22 that affect the Chromium browser engine, which is used by Edge).
Although 16 of this month’s vulnerabilities allow remote code execution (RCE), none carry a CVSS base score higher than 8.8. Only one vulnerability was publicly disclosed before today: CVE-2022-21989, an elevation of privilege vulnerability in the Windows Kernel. None of this month’s vulnerabilities have yet been seen exploited in the wild.
Despite the lack of Critical fixes, it’s worth remembering that attackers love to use elevation of privilege vulnerabilities, of which there are 18 this month. RCE vulnerabilities are also important to patch, even if they may not be considered “wormable.” In terms of prioritization, defenders should first focus on patching server systems. SharePoint has RCE (CVE-2022-22005), Security Feature Bypass (CVE-2022-21968), and Spoofing (CVE-2022-21987) vulnerabilities getting fixed today. CVE-2022-21984 is an RCE affecting DNS Server. Microsoft Dynamics administrators should also be aware that there are six CVEs being patched, including 2 RCEs, 3 allowing elevation of privilege, and a spoofing vulnerability.
On the client side, CVE-2022-22003 and CVE-2022-22004 are RCEs affecting Microsoft Office. Although this requires a local user to open a malicious file, these sorts of social engineering attacks are common and can be very effective. Updates should be rolled out to end users as soon as reasonably practicable.
Summary charts
Summary tables
Azure Vulnerabilities
| CVE | Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | Has FAQ? |
|---|
| CVE-2022-23256 | Azure Data Explorer Spoofing Vulnerability | No | No | 8.1 | Yes |
Browser Vulnerabilities
| CVE | Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | Has FAQ? |
|---|
| CVE-2022-23261 | Microsoft Edge (Chromium-based) Tampering Vulnerability | No | No | 5.3 | Yes |
| CVE-2022-23263 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 7.7 | Yes |
| CVE-2022-23262 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 6.3 | Yes |
| CVE-2022-0470 | Chromium: CVE-2022-0470 Out of bounds memory access in V8 | No | No | N/A | Yes |
| CVE-2022-0469 | Chromium: CVE-2022-0469 Use after free in Cast | No | No | N/A | Yes |
| CVE-2022-0468 | Chromium: CVE-2022-0468 Use after free in Payments | No | No | N/A | Yes |
| CVE-2022-0467 | Chromium: CVE-2022-0467 Inappropriate implementation in Pointer Lock | No | No | N/A | Yes |
| CVE-2022-0466 | Chromium: CVE-2022-0466 Inappropriate implementation in Extensions Platform | No | No | N/A | Yes |
| CVE-2022-0465 | Chromium: CVE-2022-0465 Use after free in Extensions | No | No | N/A | Yes |
| CVE-2022-0464 | Chromium: CVE-2022-0464 Use after free in Accessibility | No | No | N/A | Yes |
| CVE-2022-0463 | Chromium: CVE-2022-0463 Use after free in Accessibility | No | No | N/A | Yes |
| CVE-2022-0462 | Chromium: CVE-2022-0462 Inappropriate implementation in Scroll | No | No | N/A | Yes |
| CVE-2022-0461 | Chromium: CVE-2022-0461 Policy bypass in COOP | No | No | N/A | Yes |
| CVE-2022-0460 | Chromium: CVE-2022-0460 Use after free in Window Dialog | No | No | N/A | Yes |
| CVE-2022-0459 | Chromium: CVE-2022-0459 Use after free in Screen Capture | No | No | N/A | Yes |
| CVE-2022-0458 | Chromium: CVE-2022-0458 Use after free in Thumbnail Tab Strip | No | No | N/A | Yes |
| CVE-2022-0457 | Chromium: CVE-2022-0457 Type Confusion in V8 | No | No | N/A | Yes |
| CVE-2022-0456 | Chromium: CVE-2022-0456 Use after free in Web Search | No | No | N/A | Yes |
| CVE-2022-0455 | Chromium: CVE-2022-0455 Inappropriate implementation in Full Screen Mode | No | No | N/A | Yes |
| CVE-2022-0454 | Chromium: CVE-2022-0454 Heap buffer overflow in ANGLE | No | No | N/A | Yes |
| CVE-2022-0453 | Chromium: CVE-2022-0453 Use after free in Reader Mode | No | No | N/A | Yes |
| CVE-2022-0452 | Chromium: CVE-2022-0452 Use after free in Safe Browsing | No | No | N/A | Yes |
Developer Tools Vulnerabilities
| CVE | Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | Has FAQ? |
|---|
| CVE-2022-21991 | Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability | No | No | 8.1 | Yes |
| CVE-2022-21986 | .NET Denial of Service Vulnerability | No | No | 7.5 | Yes |
ESU Windows Vulnerabilities
| CVE | Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | Has FAQ? |
|---|
| CVE-2022-21985 | Windows Remote Access Connection Manager Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2022-22718 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-21999 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-21997 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.1 | Yes |
| CVE-2022-22717 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7 | Yes |
| CVE-2022-21989 | Windows Kernel Elevation of Privilege Vulnerability | No | Yes | 7.8 | Yes |
| CVE-2022-21998 | Windows Common Log File System Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2022-21981 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-22000 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-22710 | Windows Common Log File System Driver Denial of Service Vulnerability | No | No | 5.5 | No |
Microsoft Dynamics Vulnerabilities
| CVE | Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | Has FAQ? |
|---|
| CVE-2022-23269 | Microsoft Dynamics GP Spoofing Vulnerability | No | No | 6.9 | Yes |
| CVE-2022-23274 | Microsoft Dynamics GP Remote Code Execution Vulnerability | No | No | 8.3 | Yes |
| CVE-2022-23272 | Microsoft Dynamics GP Elevation Of Privilege Vulnerability | No | No | 8.1 | Yes |
| CVE-2022-23273 | Microsoft Dynamics GP Elevation Of Privilege Vulnerability | No | No | 7.1 | No |
| CVE-2022-23271 | Microsoft Dynamics GP Elevation Of Privilege Vulnerability | No | No | 6.5 | No |
| CVE-2022-21957 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | No | No | 7.2 | No |
Microsoft Office Vulnerabilities
| CVE | Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | Has FAQ? |
|---|
| CVE-2022-21965 | Microsoft Teams Denial of Service Vulnerability | No | No | 7.5 | Yes |
| CVE-2022-21987 | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 8 | Yes |
| CVE-2022-21968 | Microsoft SharePoint Server Security Feature BypassVulnerability | No | No | 4.3 | Yes |
| CVE-2022-22005 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-23280 | Microsoft Outlook for Mac Security Feature Bypass Vulnerability | No | No | 5.3 | Yes |
| CVE-2022-23255 | Microsoft OneDrive for Android Security Feature Bypass Vulnerability | No | No | 5.9 | Yes |
| CVE-2022-21988 | Microsoft Office Visio Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-23252 | Microsoft Office Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2022-22003 | Microsoft Office Graphics Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-22004 | Microsoft Office ClickToRun Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-22716 | Microsoft Excel Information Disclosure Vulnerability | No | No | 5.5 | Yes |
SQL Server Vulnerabilities
| CVE | Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | Has FAQ? |
|---|
| CVE-2022-23276 | SQL Server for Linux Containers Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-23254 | Microsoft Power BI Elevation of Privilege Vulnerability | No | No | 4.9 | Yes |
Windows Vulnerabilities
| CVE | Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | Has FAQ? |
|---|
| CVE-2022-22002 | Windows User Account Profile Picture Denial of Service Vulnerability | No | No | 5.5 | No |
| CVE-2022-21993 | Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability | No | No | 7.5 | Yes |
| CVE-2022-21971 | Windows Runtime Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-22001 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-21992 | Windows Mobile Device Management Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-21995 | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 7.9 | Yes |
| CVE-2022-22712 | Windows Hyper-V Denial of Service Vulnerability | No | No | 5.6 | Yes |
| CVE-2022-21994 | Windows DWM Core Library Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-21984 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 8.8 | No |
| CVE-2022-21996 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-22709 | VP9 Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-21974 | Roaming Security Rights Management Services Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-22715 | Named Pipe File System Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-21844 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-21926 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-21927 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
NEVER MISS A BLOG
Get the latest stories, expertise, and news about security today.
Subscribe
