Patch Tuesday December 2022 – Microsoft Fixes Spoofing and Elevation of Privilege Vulnerabilities
The Last Patch Tuesday of the Year Brings Some Notable Fixes Including Two Zero-Day Vulnerabilities.
The end of the year is here, and with it, Microsoft is trying to wrap up some loose ends with their Edge browser for the final Patch Tuesday of 2022. In total, 73 updates have been deployed to fix vulnerabilities, including two zero-day vulnerabilities identified.
Patch Tuesday December – Highlights
The latest Microsoft Edge Stable Channel (Version 108.0.1462.42) brings some notable fixes. One of them is a patch with important severity for CVE-2022-44708. The patch addresses an Elevation of Privilege vulnerability, which if left unpatched can lead to a browser sandbox escape. To successfully exploit this vulnerability, an attacker would have to take additional actions to prepare the target environment. According to CVSS, the attacker must compromise user interaction (UI: R); the user would have to click on a specifically crafted URL.
A Spoofing vulnerability for the CVE-2022-44688 has also been fixed by Microsoft. With a moderate level of importance, this vulnerability also requires user interaction to be exploited. In a web-based attack scenario, the attacker could host a website or leverage a compromised website that contains a file designed to exploit the vulnerability. An attacker, however, would be powerless to compel the user to visit the website. Instead, it would need to persuade the user to click a link, frequently through an allurement in an email or a message on an instant messaging service, and then persuade the victim to open the specially constructed file.
Another notable vulnerability fix comes for the iOS version of Edge. Based on the CVSS metric, this fix lands in the important category, and successful exploitation could lead to a browser sandbox escape. However, the complexity of the attack is high, and to successfully exploit the vulnerability, attackers would have to take additional measures to prepare the target environment. To be compromised, users would have to access a specifically crafted URL.
Finally, two zero-day vulnerabilities have been fixed by Microsoft in this update. The first one is CVE-2022-44710, an important update that fixes an Elevation of Privilege vulnerability for DirectX Graphics. According to CVSS, the complexity of the attack is high. An attacker who successfully exploited this vulnerability could gain system privileges.
The second zero-day vulnerability is a Security Feature Bypass vulnerability for Windows SmartScreen (CVE-2022-44698). An attacker can craft a malicious file to evade the Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging. Attackers can exploit this vulnerability in the following ways:
- In a web-based attack scenario, an attacker could host a malicious website that is designed to exploit the security feature bypass.
- In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted .url file that is designed to exploit the bypass.
- Compromised websites or websites that accept or host user-provided content could contain specially crafted content to exploit the security feature bypass.
Parting Words & Some Advice
Those were the more notable vulnerability fixes coming from Microsoft in the last release of the year. You can find the full list of updates by accessing this link. And thus, our final edition of Patch Tuesday of the year concludes here. Hopefully you’ve enjoyed it. Throughout 2022, some major vulnerabilities were addressed, but that does not mean that they can appear again, stronger, based on the rate of sophistication in the methods of threat actors.
Patching is an important process, a cornerstone for the security of any business and individual. But it can also prove to be quite a difficult process unless you are equipped with the right solutions. Many small organizations tend to rely on manual patching, but due to the human error rate, the process may be sloppy and some vulnerabilities may be left unmitigated and can lead to a failure of the organization’s infrastructure.
Opting for an automatic patching solution can definitely make your life easier. Furthermore, if set up properly, an automatic patching solution can guarantee timely (and accurate) deployment with little chance of incompatibility. No matter if your patches are OS-specific, third-party, proprietary, or UX/UI-focused, Heimdal®’s Patch & Asset Management can help you distribute them rapidly.
See you on the second Tuesday of January with the first edition of Patch Tuesday 2023!
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.