While February 2022 brought us (technically) no critical patches and a low overall number of exploits in general, it looks like March won’t be quite as nice but still far better than what has become the new normal on Patch Tuesday. Overall, we are looking at 73 total exploits being closed, with three listed as critical and three as already known. None of the exploits are being actively exploited at this time. The highest-rated critical vulnerability targets Exchange, which seems to be right on brand.
Some highlights (or lowlights)
CVE-2022-23277: This is the highest-rated critical exploit. While it is a remote code execution that does not require user interaction, it does still require the attacker to authenticate. An authenticated user could trigger malicious code in the context of the server’s account.
CVE-2022-24501: This is a remote code executable that targets VP9 video extensions. I am not fully sure why this one is listed as critical as the attack vector is local and requires user interaction. However, this exploit is worth mentioning because if you do use these types of extensions, you can easily check which systems are vulnerable with PowerShell with the following commands.
Get-AppxPackage -Name Microsoft.VP9VideoExtensions
Anything over version 1.0.42791.0 is already protected.
CVE-2022-22006: This is the last critical exploit for the month, and it is just like the previous video extension, this time attacking the HEVC video extension. Change the PowerShell to this:
Get-AppxPackage -Name Microsoft.HEVCVideoExtension*
And make sure you are over version 1.0.50362.0. Now, you can feel all warm and fuzzy with how protected you are.
CVE-2022-21990: The last two exploits were so similar I figured I would throw in a bonus fourth one that is publicly disclosed. This one is a Remote Desktop Client RCE exploit that does not require privileges to run. At first glance, it feels like this one should be the highest rated and listed as critical. However, the exploit kicks off when a user RDPs into a compromised server, so getting this one to work requires either a user to be remoting into an unknown entity or to have already taken over some internal server. Both of these scenarios are bad, and it means you’ve already had a more serious breach before this exploit ever becomes a threat.
Wrapping up
Another mild month is fantastic news. We know that no critical exploits is not really sustainable, but a move to three does not feel like it is all that bad. If you are not using Exchange or a few random video extensions, then essentially, you DO have back-to-back months with no critical exploits!
No impending doom does not mean that we can be lax in keeping our environment up to date and secure. There is no better way to make sure we are doing that than automation. Patching is a task that comes around at least once a month. PDQ Deploy and PDQ Inventory can help you keep your systems up to date with a “set it and forget it” approach.