Welcome to the final Patch Tuesday of 2021, and the first since Pwn2Own Toronto. As always, Adobe and Microsoft have released their latest security fixes just in time for the winter holidays. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.
Adobe Patches for December 2022
For December, Adobe released three patches fixing 37 CVEs in Illustrator, Experience Manager, and Adobe Campaign Classic. One of these bugs was reported through the ZDI program. All of the patches are rated Important in severity. The largest is the update for
Experience Manager, which covers 32 bugs. The most severe of these could allow code execution through cross-site scripting (XSS). The fix for
Illustrator addresses four memory leaks. The final patch for
Campaign corrects a single privilege escalation bug.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.
Microsoft Patches for December 2022
This month, Microsoft released 52 new patches addressing CVEs in Microsoft Windows and Windows Components; Azure; Office and Office Components; SysInternals; Microsoft Edge (Chromium-based); SharePoint Server; and the .NET framework. This is in addition to two CVEs fixed earlier this month, which brings the December release total to 54 fixes overall. A total of 12 of these CVEs were submitted through the ZDI program.
Of the 52 new patches released today, six are rated Critical, 43 are rated Important, and three are rated Moderate in severity. December is typically a light month for Microsoft patches, and this year is no exception. It’s also the smallest monthly release this year. Overall, 2022 was Microsoft’s second busiest ever with Microsoft fixing over 900 CVEs in total.
One of the new CVEs released this month is listed as publicly known and one is listed as being in the wild at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the bug under active attack:
-
CVE-2022-44698 – Windows SmartScreen Security Feature Bypass Vulnerability
This bug has been widely discussed on the
bird site and is likely related to the Mark of the Web bug
patched last month. In this case, a file could be created that evades the Mark of the Web detection and therefore bypass security features such as Protected View in Microsoft Office. Considering how many phishing attacks rely on people opening attachments, these protections are vital in preventing malware and other attacks. It’s good to see Microsoft (finally) address these bugs.
-
CVE-2022-44713 – Microsoft Outlook for Mac Spoofing Vulnerability
We don’t often highlight spoofing bugs, but anytime you’re dealing with a spoofing bug in an e-mail client, you should take notice. This vulnerability could allow an attacker to appear as a trusted user when they should not be. Now combine this with the SmartScreen Mark of the Web bypass and it’s not hard to come up with a scenario where you receive an e-mail that appears to be from your boss with an attachment entitled “Executive_Compensation.xlsx”. There aren’t many who wouldn’t open that file in that scenario.
-
CVE-2022-41076 – PowerShell Remote Code Execution Vulnerability
This Critical-rated bug could allow an authenticated user to escape the PowerShell Remoting Session Configuration and run unapproved commands on an affected system. Threat actors often try to “live off the land” after an initial breach – meaning they use tools already on a system to maintain access and move throughout a network. PowerShell is one such tool, so any bug that bypasses restrictions is likely to be abused by intruders. Definitely don’t ignore this patch.
-
CVE-2022-44699 – Azure Network Watcher Agent Security Feature Bypass Vulnerability
As someone who has done extensive incident response in the past, I know all too well the importance of good logs. That’s why this patch stood out to me. This bug would allow someone to terminate the packet capture from the Network Watcher agent. There might not be many enterprises relying on this tool, but for those using this VM extension, this fix should be treated as critical and deployed quickly.