The Microsoft December 2022 Security Updates include patches and advisories for 53 vulnerabilities, including seven Critical severity issues and one that is exploited in the wild.
A remote attacker could exploit some of these vulnerabilities to take control of unpatched systems.
In all, the Microsoft monthly security updates fix vulnerabilities in the following products, features and roles:
- .NET Framework
- Client Server Run-time Subsystem (CSRSS)
- Microsoft Bluetooth Driver
- Microsoft Dynamics
- Microsoft Edge (Chromium-based)
- Microsoft Graphics Component
- Microsoft Office
- Microsoft Office OneNote
- Microsoft Office Outlook
- Microsoft Office SharePoint
- Microsoft Office Visio
- Microsoft Windows Codecs Library
- Role: Windows Hyper-V
- Windows Certificates
- Windows Contacts
- Windows DirectX
- Windows Error Reporting
- Windows Fax Compose Form
- Windows HTTP Print Provider
- Windows Kernel
- Windows PowerShell
- Windows Print Spooler Components
- Windows Projected File System
- Windows Secure Socket Tunneling Protocol (SSTP)
- Windows SmartScreen
- Windows Subsystem for Linux
- Windows Terminal
Exploit in the wild
Microsoft patched one vulnerability exploited in the wild: a Windows SmartScreen Security Feature Bypass Vulnerability (CVE-2022-44698).
“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging,” Microsoft warned in the advisory.
As a result, attackers could host a malicious website for web-based attacks, or send phishing emails with embedded URL files, each designed to exploit the security feature bypass.
This flaw is rated Moderate and has a CVSS score of 5.4.
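Because Protected View and SmartScreen both key off the Mark of the Web (MOTW), a defender's first check after an MOTW bypass is whether downloaded files actually carry the tag. The following PowerShell function is an added example, not code from the article or from Microsoft: it audits a folder and reports, per file, whether the Zone.Identifier alternate data stream exists and which zone it records. The folder path (`$Path`) and the sample default of the current user's Downloads directory are assumptions for illustration.

```powershell
# Added example (not from the article): audit Mark of the Web (MOTW) tagging on files.
# MOTW lives in the NTFS alternate data stream "Zone.Identifier"; a "ZoneId=3" entry
# means the file came from the Internet zone, which is what triggers Protected View
# and SmartScreen checks. Files without the stream get no such protection.

function Get-MotwStatus {
    [CmdletBinding()]
    param(
        # Folder to audit; assumed default is the current user's Downloads directory.
        [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')
    )

    # URLMON security zone identifiers and their display names.
    $zoneNames = @{
        0 = 'Local machine'
        1 = 'Local intranet'
        2 = 'Trusted sites'
        3 = 'Internet'
        4 = 'Restricted sites'
    }

    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        $file   = $_
        $zoneId = $null

        # Get-Item -Stream returns $null (with SilentlyContinue) when the stream is absent.
        $stream = Get-Item -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        if ($stream) {
            $lines = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
            foreach ($line in $lines) {
                if ($line -match '^ZoneId=(\d+)') {
                    $zoneId = [int]$Matches[1]
                    break
                }
            }
        }

        [pscustomobject]@{
            File     = $file.FullName
            HasMotw  = [bool]$stream
            ZoneId   = $zoneId
            ZoneName = if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { $null }
        }
    }
}

# Usage: list recently downloaded files that carry no MOTW tag at all.
Get-MotwStatus | Where-Object { -not $_.HasMotw } | Format-Table -AutoSize
```

Two caveats worth keeping in mind when reading the output: alternate data streams exist only on NTFS, so files copied through FAT or exFAT volumes (USB sticks, some network shares) lose the tag without any bypass being involved, and a present `Zone.Identifier` stream with `ZoneId=3` shows only that the tag survived, not that every consumer (Office, SmartScreen, archive extractors) honoured it.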
Microsoft also fixed seven Critical vulnerabilities that could result in remote code execution (RCE):
- CVE-2022-41076: PowerShell Remote Code Execution Vulnerability (CVSS 8.1)
- CVE-2022-41089: .NET Framework Remote Code Execution Vulnerability (CVSS 7.5)
- CVE-2022-41127: Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability (CVSS 8.5)
- CVE-2022-44670: Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability (CVSS 8.1)
- CVE-2022-44676: Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability (CVSS 8.1)
- CVE-2022-44690: Microsoft SharePoint Server Remote Code Execution Vulnerability (CVSS 8.8)
- CVE-2022-44693: Microsoft SharePoint Server Remote Code Execution Vulnerability (CVSS 8.8)
Of these, Microsoft rated only the PowerShell RCE flaw CVE-2022-41076 as more likely to be exploited.
Moreover, Microsoft addressed nearly 40 other vulnerabilities rated Important or Moderate in multiple products. Those issues include Denial of Service, Elevation of Privilege, Information Disclosure, Remote Code Execution, and Security Feature Bypass issues.
On December 16, Microsoft also released updates for five other Chromium vulnerabilities: CVE-2022-4440, CVE-2022-4439, CVE-2022-4438, CVE-2022-4437, and CVE-2022-4436.