It’s once again Patch Tuesday, which means the latest security updates from Adobe and Microsoft have arrived. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.
Adobe Patches for March 2022
The Adobe release for March is quite small. This month, Adobe released only three patches addressing six CVEs in Adobe Photoshop, Illustrator, and After Effects. The patch for After Effects is the largest of the three. It fixes four Critical-rated, stack-based buffer overflows that could result in arbitrary code execution. The fix for Illustrator is also rated Critical. It addresses a single buffer overflow that could lead to arbitrary code execution. Finally, the update for Photoshop fixes a single Important-rated memory leak.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.
Microsoft Patches for March 2022
For March, Microsoft released 71 new patches addressing CVEs in Microsoft Windows and Windows Components, Azure Site Recovery, Microsoft Defender for Endpoint and IoT, Intune, Edge (Chromium-based), Windows HTML Platforms, Office and Office Components, Skype for Chrome, .NET and Visual Studio, Windows RDP, SMB Server, and Xbox. This is in addition to the 21 CVEs patched by Microsoft Edge (Chromium-based) earlier this month, which brings the March total to 92 CVEs.
Of the 71 CVEs released today, three are rated Critical and 68 are rated Important in severity. A total of seven of these bugs came through the ZDI program. Historically speaking, this volume is in line with previous March releases. However, the number of Critical-rated patches is again strangely low for this number of bugs. It’s unclear if this low percentage of Critical bugs is just a coincidence or if Microsoft might be evaluating severity using a different calculus than in the past.
None of the bugs are listed as under active exploit this month, while three are listed as publicly known at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with one of the bugs listed as publicly known:
- CVE-2022-21990 – Remote Desktop Client Remote Code Execution Vulnerability
This client-side bug doesn’t have the same punch as server-side RDP vulnerabilities, but since it’s listed as publicly known, it makes sense to go ahead and treat this as a Critical-rated bug. If an attacker can lure a user with an affected RDP client into connecting to a malicious RDP server, the attacker could trigger code execution on the targeted client. Again, this isn’t as severe as BlueKeep or some of the other RDP server bugs, but it definitely shouldn’t be overlooked.
- CVE-2022-23277 – Microsoft Exchange Server Remote Code Execution Vulnerability
This Critical-rated bug in Exchange Server was reported by long-time ZDI contributor Markus Wulftange. The vulnerability would allow an authenticated attacker to execute their code with elevated privileges through a network call. This is also listed as low complexity with exploitation more likely, so it would not surprise me to see this bug exploited in the wild soon - despite the authentication requirement. Test and deploy this to your Exchange servers quickly.
- CVE-2022-24508 – Windows SMBv3 Client/Server Remote Code Execution Vulnerability
This bug could allow an attacker to execute code on Windows 10 version 2004 and newer systems. It’s also reminiscent of CVE-2020-0796 from a couple of years ago. Both advisories list disabling SMBv3 compression as a workaround for SMB servers, but this doesn’t help clients. In 2020, Microsoft noted SMBv3 compression “is not yet used by Windows or Windows Server and disabling SMB Compression has no negative performance impact.” That statement is not in the current advisory, so it’s unclear what effect disabling this feature will have now. Authentication is required here, but since this affects both clients and servers, an attacker could use this for lateral movement within a network. This is another one I would treat as Critical and mitigate quickly.
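The server-side workaround mentioned above is a single registry value. As an added example (not code from the original post or from Microsoft), the script below wraps Microsoft's documented DisableCompression setting in helpers that check the current state, apply the workaround, and revert it once the update is deployed. The function names are my own; the registry path and value are the ones published in Microsoft's advisories. It must be run from an elevated PowerShell prompt, it only affects the SMB server role on the machine it runs on, and it does nothing for the SMB client side, so it is a stopgap rather than a substitute for the patch.

```powershell
# Added example, not from the original post. Applies, checks and reverts
# Microsoft's documented SMBv3 compression workaround (server side only).
# Per the advisory, no reboot is needed for the change to take effect.

$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Name = 'DisableCompression'

function Get-SmbCompressionState {
    # Returns 'Disabled' when the workaround is in place and 'Enabled'
    # otherwise. A missing value means the default (compression enabled).
    $value = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($value -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Disable-SmbCompression {
    # The published workaround: DisableCompression = 1 (REG_DWORD).
    Set-ItemProperty -Path $Key -Name $Name -Type DWord -Value 1 -Force
}

function Enable-SmbCompression {
    # The documented undo step, for use after the March update is installed.
    Set-ItemProperty -Path $Key -Name $Name -Type DWord -Value 0 -Force
}

# Example run: record the state before and after applying the workaround.
"Before: SMBv3 compression $(Get-SmbCompressionState)"
Disable-SmbCompression
"After:  SMBv3 compression $(Get-SmbCompressionState)"
```

Because the workaround only changes the server's behaviour, a patched server can still be attacked through an unpatched client that connects to a malicious share, which is why the post treats this as a lateral-movement bug. Blocking TCP port 445 at the perimeter, which Microsoft also recommended in 2020, limits internet exposure but does nothing for that internal case.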
- CVE-2022-21967 – Xbox Live Auth Manager for Windows Elevation of Privilege Vulnerability
This appears to be the first security patch impacting Xbox specifically. There was an advisory for an inadvertently disclosed Xbox Live certificate back in 2015, but this seems to be the first security-specific update for the device itself. Microsoft even notes that other Windows OSes are not affected by this bug. It’s not clear how an attacker could escalate privileges using this vulnerability, but the Auth Manager component is listed as affected. This service handles interaction with the Xbox Live service. I doubt many enterprises are reliant on Xbox or Xbox Live, but if you are, make sure this patch doesn’t go unnoticed.