The December 2022 Security Update Review

Welcome to the final Patch Tuesday of 2021, and the first since Pwn2Own Toronto. As always, Adobe and Microsoft have released their latest security fixes just in time for the winter holidays. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for December 2022

As of 12:30 Central time, Adobe has not published their bulletins for December. This blog will be updated once these patches become available.

Microsoft Patches for December 2022

This month, Microsoft released 52 new patches addressing CVEs in Microsoft Windows and Windows Components; Azure; Office and Office Components; SysInternals; Microsoft Edge (Chromium-based); SharePoint Server; and the .NET framework. This is in addition to two CVEs fixed earlier this month, which brings the December release total to 54 fixes overall. A total of 12 of these CVEs were submitted through the ZDI program.

Of the 52 new patches released today, six are rated Critical, 43 are rated Important, and three are rated Moderate in severity. December is typically a light month for Microsoft patches, and this year is no exception. It’s also the smallest monthly release this year. Overall, 2022 was Microsoft’s second busiest ever with Microsoft fixing over 900 CVEs in total.

One of the new CVEs released this month is listed as publicly known and one is listed as being in the wild at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the bug under active attack:

- CVE-2022-44698 – Windows SmartScreen Security Feature Bypass Vulnerability
This bug has been widely discussed on the bird site and is likely related to the Mark of the Web bug patched last month. In this case, a file could be created that evades the Mark of the Web detection and therefore bypasses security features such as Protected View in Microsoft Office. Considering how many phishing attacks rely on people opening attachments, these protections are vital in preventing malware and other attacks. It’s good to see Microsoft (finally) address these bugs.

- CVE-2022-44713 – Microsoft Outlook for Mac Spoofing Vulnerability
We don’t often highlight spoofing bugs, but anytime you’re dealing with a spoofing bug in an e-mail client, you should take notice. This vulnerability could allow an attacker to appear as a trusted user when they should not be. Now combine this with the SmartScreen Mark of the Web bypass and it’s not hard to come up with a scenario where you receive an e-mail that appears to be from your boss with an attachment entitled “Executive_Compensation.xlsx”. There aren’t many who wouldn’t open that file in that scenario.

- CVE-2022-41076 – PowerShell Remote Code Execution Vulnerability
This Critical-rated bug could allow an authenticated user to escape the PowerShell Remoting Session Configuration and run unapproved commands on an affected system. Threat actors often try to “live off the land” after an initial breach – meaning they use tools already on a system to maintain access and move throughout a network. PowerShell is one such tool, so any bug that bypasses restrictions is likely to be abused by intruders. Definitely don’t ignore this patch.

- CVE-2022-44699 – Azure Network Watcher Agent Security Feature Bypass Vulnerability
As someone who has done extensive incident response in the past, I know all too well the importance of good logs. That’s why this patch stood out to me. This bug would allow someone to terminate the packet capture from the Network Watcher agent. There might not be many enterprises relying on this tool, but for those using this VM extension, this fix should be treated as critical and deployed quickly.

Here’s the full list of CVEs released by Microsoft for December 2022:

CVE | Title | Severity | CVSS | Public | Exploited | Type
--- | --- | --- | --- | --- | --- | ---
CVE-2022-44698 | Windows SmartScreen Security Feature Bypass Vulnerability | Moderate | 5.4 | No | Yes | SFB
CVE-2022-44710 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Important | 7.8 | Yes | No | EoP
CVE-2022-41127 | Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability | Critical | 8.5 | No | No | RCE
CVE-2022-44690 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE
CVE-2022-44693 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE
CVE-2022-41076 | PowerShell Remote Code Execution Vulnerability | Critical | 8.5 | No | No | RCE
CVE-2022-44670 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2022-44676 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2022-41089 | .NET Framework Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2022-44699 | Azure Network Watcher Agent Security Feature Bypass Vulnerability | Important | 4.4 | No | No | SFB
CVE-2022-44708 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important | 8.3 | No | No | EoP
CVE-2022-41115 | Microsoft Edge (Chromium-based) Update Elevation of Privilege Vulnerability | Important | 6.6 | No | No | EoP
CVE-2022-26804 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-26805 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-26806 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-44692 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-47211 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-47212 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-47213 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-44691 | Microsoft Office OneNote Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-44694 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-44695 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-44696 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-44713 | Microsoft Outlook for Mac Spoofing Vulnerability | Important | 7.5 | No | No | Spoofing
CVE-2022-44704 | Microsoft Windows Sysmon Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-24480 | Outlook for Android Elevation of Privilege Vulnerability | Important | 6.3 | No | No | EoP
CVE-2022-44687 | Raw Image Extension Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-44675 | Windows Bluetooth Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-44674 | Windows Bluetooth Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2022-44673 | Windows Client Server Run-Time Subsystem (CSRSS) Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP
CVE-2022-44666 | Windows Contacts Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-44669 | Windows Error Reporting Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP
CVE-2022-41077 | Windows Fax Compose Form Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-41121 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-44671 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-44680 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-41074 | Windows Graphics Component Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2022-44679 | Windows Graphics Component Information Disclosure Vulnerability | Important | 6.5 | No | No | Info
CVE-2022-44682 | Windows Hyper-V Denial of Service Vulnerability | Important | 6.8 | No | No | DoS
CVE-2022-41094 | Windows Hyper-V Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-44707 | Windows Kernel Denial of Service Vulnerability | Important | 6.5 | No | No | DoS
CVE-2022-44683 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-44667 | Windows Media Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-44668 | Windows Media Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-44678 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-44681 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-44677 | Windows Projected File System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-44689 | Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-44702 | Windows Terminal Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-44684 | Windows Local Session Manager (LSM) Denial of Service Vulnerability | Important | 6.5 | No | No | DoS
CVE-2022-44688 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Moderate | 4.3 | No | No | Spoofing
CVE-2022-44697 | Windows Graphics Component Elevation of Privilege Vulnerability | Moderate | 7.8 | No | No | EoP

Looking at the remaining Critical-rated fixes, there are two patches for the older Secure Socket Tunneling Protocol (SSTP). Both could allow a remote, unauthenticated threat actor to get code execution on an affected system by sending a specially crafted connection request to a server with the RAS Server role enabled. If you aren’t using this service, you should disable it. If you are using it, test and deploy these patches quickly. There are also two Critical-rated code execution bugs in SharePoint Server, and we’ve seen SharePoint exploited in the wild with older, patched bugs. Definitely make sure you’re patching your SharePoint instances. The final Critical bug resides in Dynamics NAV and could allow an authenticated attacker to execute code in the context of the server’s account through a network call.
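To act on the "disable it if you aren't using it" advice for SSTP, the following added PowerShell check (not part of the ZDI post) reports whether the RAS role, the Routing and Remote Access and SSTP services, and a TCP 443 listener are present on the host. It assumes a Windows Server with the ServerManager module; on client SKUs the role check is skipped.

```powershell
# Added example, not from the original post: inventory the RAS/SSTP surface
# addressed by CVE-2022-44670 and CVE-2022-44676 so you can decide whether
# to patch now or disable the service. Run in an elevated session.
function Get-SstpExposure {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # Role state (Windows Server only; Get-WindowsFeature comes from ServerManager).
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $features = Get-WindowsFeature -Name RemoteAccess, DirectAccess-VPN -ErrorAction SilentlyContinue
        $result.RasRoleInstalled = [bool]($features | Where-Object { $_.Installed })
    } else {
        $result.RasRoleInstalled = $null   # client SKU or module missing: unknown
    }

    # RemoteAccess = Routing and Remote Access; SstpSvc = Secure Socket Tunneling Protocol Service.
    foreach ($name in 'RemoteAccess', 'SstpSvc') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $result["$name.Status"]    = if ($svc) { $svc.Status.ToString() }    else { 'NotPresent' }
        $result["$name.StartType"] = if ($svc) { $svc.StartType.ToString() } else { 'NotPresent' }
    }

    # SSTP is served over HTTPS on TCP 443 when the VPN role is active.
    $listener = Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue
    $result.Port443Listening = [bool]$listener

    [pscustomobject]$result
}

$exposure = Get-SstpExposure
$exposure | Format-List

if ($exposure.'RemoteAccess.Status' -eq 'Running') {
    Write-Host 'Routing and Remote Access is running: patch now, or if SSTP is not needed, disable it with:'
    Write-Host '  Stop-Service RemoteAccess; Set-Service RemoteAccess -StartupType Disabled'
} elseif ($exposure.RasRoleInstalled -eq $false) {
    Write-Host 'RAS role not installed and service not running; the SSTP bugs are not reachable here.'
} else {
    Write-Host 'Service present but stopped; confirm StartType is Disabled if SSTP is unused.'
}
```

A 443 listener on its own proves nothing (IIS and other services bind it too); the role and service columns are the ones that decide whether the SSTP fixes apply.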

Beyond these, there are 16 other remote code execution bugs getting fixes this December, including multiple Office bugs reported by ZDI researcher Mat Powell. Most of these are the open-a-file-get-owned sort, but a couple of these patches are worth a second look. The update for the .NET Framework seems to hit every supported version, but no additional information about the bug itself is available. Two different researchers are credited for it, which implies a bug collision from multiple sources. I always pay extra attention to bugs when multiple people have independently reported them. Finally, the update for Windows Terminal is found in the Windows Store, so it should be automatically applied. However, if you have disabled automatic Store updates or are in a disconnected environment, you’ll need to apply the patch by hand.

There are 18 patches addressing Elevation of Privilege (EoP) bugs in this month’s release. For the most part, these bugs require an authenticated user to execute specially crafted code on an affected system to escalate privileges. However, there are a few that deserve extra scrutiny. The first two are yet more fixes for the Print Spooler service. The long tail of PrintNightmare grows even longer. The bug in the DirectX Graphics Kernel is the one bug listed as public for December. I already mentioned incident response and living off the land. The bug in Sysinternals Sysmon combines both as many responders rely on Sysinternals services. Exploiting these for privilege escalation would certainly be something. The final EoP of note is a bug in Hyper-V that would allow an attacker to execute code with SYSTEM privileges.

The December release includes three information disclosure bugs. This month, they all simply result in info leaks consisting of unspecified memory contents.

There are only three Denial-of-Service (DoS) bugs receiving patches this month. The first is in Hyper-V and could allow a guest OS to “affect the functionality of the Hyper-V host.” Microsoft doesn’t make it clear if the Hyper-V host would completely shut down or if only certain services are affected. Either way, it’s not good when one guest OS can negatively impact the host OS. The other DoS bugs are in the Windows Kernel and Local Session Manager (LSM), but Microsoft provides no further information on those.

Besides the one fix for Outlook for Mac, there’s one other spoofing bug in Microsoft Edge (Chromium-based) receiving a patch this month. This bug allows an attacker to change the content of the autofill box that overlaps an error message on a specially crafted website. While interesting, I’m not sure how this would really be used in an actual attack. Still, never underestimate the ingenuity of determined threat actors.

Finally, there is one new advisory (ADV220005) this month providing additional guidance on third-party drivers that appear to be certified by the Microsoft Windows Hardware Developer Program. According to Microsoft, drivers that appear to have been certified by this program have been seen in the wild in post-exploitation activity. There are no servicing stack updates this month.

Looking Ahead

The first Patch Tuesday of 2023 will be on January 10, and we’ll return with details and patch analysis then. Be sure to catch the Patch Report webcast on our YouTube channel. It should be posted in just a few hours. Until then, Merry Christmahanakwanzika, happy patching, and may all your reboots be smooth and clean!

Article Link: Zero Day Initiative — The December 2022 Security Update Review