QUALYS, INC. Microsoft has fixed 92 vulnerabilities, including 21 Microsoft Edge vulnerabilities, in the March 2022 update, with three (3) classified as Critical as they allow Remote Code Execution (RCE). This month's Patch Tuesday release includes fixes for three (3) publicly disclosed zero-day vulnerabilities as well. As of this writing, none of this month's list of vulnerabilities is known to be actively exploited in the wild.
Microsoft has fixed several problems in their software including Denial of Service, Edge - Chromium, Elevation of Privilege, Information Disclosure, Remote Code Execution, Security Feature Bypass, and Spoofing vulnerabilities.
Notable Microsoft Vulnerabilities PatchedThis month's advisory covers multiple Microsoft products, including, but not limited to, .NET and Visual Studio, Azure Site Recovery, Defender, Edge (Chromium-based), Exchange Server, HEIF Image Extension, HEVC Video Extension, Intune, Microsoft 365 Apps, Office, Paint 3D, Remote Desktop, SMB Server and Windows OS.
CVE-2022-21990 and CVE-2022-23285 - Remote Desktop Client Remote Code Execution (RCE) Vulnerability
This vulnerability has a CVSSv3.1 score of 8.8/10. In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the RDP client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client.
Exploitability Assessment: Exploitation More Likely.
CVE-2022-23277 - Microsoft Exchange Server Remote Code Execution (RCE) Vulnerability
This vulnerability has a CVSSv3.1 score of 8.8/10. The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution (RCE). As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call.
Exploitability Assessment: Exploitation More Likely.
CVE-2022-24469 - Azure Site Recovery Elevation of Privilege Vulnerability
This vulnerability has a CVSSv3.1 score of 8.1/10. An attacker can call Azure Site Recovery APIs provided by the Configuration Server and in turn, get access to configuration data including credentials for the protected systems. Using the APIs, the attacker can also modify/delete configuration data which in turn will impact Site Recovery operation.
Exploitability Assessment: Exploitation Less Likely.
CVE-2022-24508 - Windows SMBv3 Client/Server Remote Code Execution (RCE) Vulnerability
This vulnerability has a CVSSv3.1 score of 8.8/10. In addition to releasing an update for this vulnerability, Microsoft has also provided a workaround that may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as they become available even if you plan to leave this workaround in place: This vulnerability exists in a new feature that was added to Windows 10 version 2004 and exists in newer supported versions of Windows. Older versions of Windows are not affected.
Exploitability Assessment:Exploitation More Likely.
Notable Adobe Vulnerabilities PatchedAdobe released updates to fix six (6) CVEs affecting AfterEffects, Illustrator, and Photoshop. Of these six (6) vulnerabilities, five (5) are treated as Critical.
APSB22-14: Security update available for Adobe Photoshop
This update resolves an Important vulnerability. Successful exploitation could lead to memory leak in the context of the current user.
APSB22-15 : Security update available for Adobe Illustrator.
This update resolves a Critical vulnerability that could lead to arbitrary code execution.
APSB22-17 : Security update available for Adobe After Effects
This update addressesCritical security vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.
Monthly Webinar Series: This Month in Vulnerabilities & PatchesThe Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys Vulnerability Management Detection Response (VMDR) and Patch Management (PM). Combining these two solutions can reduce the median time to remediate critical vulnerabilities.
During the webcast, we will discuss this month's high-impact vulnerabilities, including those that are part of this month's Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Patch Management.
Join the webinar: This Month in Vulnerabilities & Patches
Qualys Patch Tuesday QIDs are published as Security Alerts, typically, late in the evening on the day of Patch Tuesday, followed later by the publication of the monthly queries for the Unified Dashboard: 2022 Patch Tuesday (QID Based) Dashboard.
ContributorBharat Jogi, Director, Vulnerability and Threat Research, Qualys
Attachments
- Original Link
- Original Document
- Permalink
Disclaimer
Qualys Inc. published this content on 08 March 2022 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 08 March 2022 22:40:22 UTC.
