Microsoft’s Patch Tuesday update for March 2022 is now available, with 71 fixes spanning its software products, including Windows, Office, Exchange, and Defender.
Of the total 71 patches, three are rated Critical and 68 are rated Important in severity. While none of the vulnerabilities are listed as actively exploited, three of them are publicly known at the time of release.
It’s worth pointing out that Microsoft separately addressed 21 flaws in the Chromium-based Microsoft Edge browser earlier this month.
All three critical vulnerabilities remediated this month are remote code execution flaws, impacting HEVC Video Extensions (CVE-2022-22006), Microsoft Exchange Server (CVE-2022-23277), and VP9 Video Extensions (CVE-2022-24501).
The Microsoft Exchange Server vulnerability, reported by researcher Markus Wulftange, is notable in that exploitation requires the attacker to be authenticated to the server.
“The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution,” the Windows maker said. “As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server’s account through a network call.”
“Critical vulnerability CVE-2022-23277 should also be a concern,” Kevin Breen, director of cyber threat research at Immersive Labs, said. “While requiring authentication, this vulnerability affecting on-prem Exchange servers could potentially be used during lateral movement into a part of the environment which presents the opportunity for business email compromise or data theft from email.”
The three publicly disclosed (zero-day) bugs fixed by Microsoft are as follows:
- CVE-2022-24512 (CVSS score: 6.3) – .NET and Visual Studio Remote Code Execution Vulnerability
- CVE-2022-21990 (CVSS score: 8.8) – Remote Desktop Client Remote Code Execution Vulnerability
- CVE-2022-24459 (CVSS score: 7.8) – Windows Fax and Scan Service Elevation of Privilege Vulnerability
Microsoft also labeled CVE-2022-21990 as “Exploitation More Likely” because a proof-of-concept (PoC) exploit is publicly available, making it crucial that the updates are applied as soon as possible. Note that this is a client-side flaw: an attacker controlling a malicious Remote Desktop server can trigger code execution on the client machine of a user who connects to it, so the patch matters for workstations, not just servers.
Other notable flaws include remote code execution vulnerabilities in the Windows SMBv3 Client/Server, Microsoft Office, and Paint 3D, as well as privilege escalation vulnerabilities in Xbox Live Auth Manager, Microsoft Defender for IoT, and Azure Site Recovery.
In all, the patches close out 29 remote code execution vulnerabilities, 25 elevation of privilege vulnerabilities, six information disclosure vulnerabilities, four denial-of-service vulnerabilities, three security feature bypass vulnerabilities, three spoofing vulnerabilities, and one tampering vulnerability.