Microsoft’s December Patch Tuesday was relatively light for 2022: 52 fixes, six of them for critical flaws, plus two zero-days of lesser severity.
The two zero-days are CVE-2022-44698, a security feature bypass in Windows SmartScreen with a CVSS score of 5.4 and a Moderate severity rating, and CVE-2022-44710, an elevation of privilege (EoP) vulnerability in the DirectX Graphics Kernel with a CVSS score of 7.8 and an Important severity rating.
They reached zero-day status by different routes: the DirectX Graphics Kernel flaw was publicly disclosed before a patch was available, while the SmartScreen flaw was already being exploited in the wild before it was known and fixed.
Satnam Narang, senior staff research engineer at Tenable, weighed in on the significance of the two zero-days, saying, “Windows SmartScreen [is] a capability built into Windows that combines with its Mark of the Web (MOTW) functionality that flags items downloaded from the internet. The reputation check that SmartScreen runs on a file depends on how MOTW has marked it.
Attackers can exploit the flaw in several ways, for example by luring a user to a malicious website or by sending a malicious attachment over email or instant messaging. The bypass only pays off once the user actually visits the site or opens the attachment; at that point the file gets past SmartScreen’s reputation check instead of being blocked.
Microsoft has acknowledged that the flaw is being actively exploited. Will Dormann, the security researcher credited with reporting it, also discovered CVE-2022-41049, a bypass of the MOTW security mechanism that Microsoft patched in the November Patch Tuesday release.
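The MOTW mechanism Narang describes is concrete enough to inspect directly: Windows stores the mark in an NTFS alternate data stream named Zone.Identifier, and SmartScreen only runs its reputation check on files that carry it. The following PowerShell script is an added example, not code from the article, from Tenable or from Microsoft. It reads and writes that stream on a constructed test file and then audits a folder; the file name and URL it uses are placeholders, and it assumes Windows PowerShell 5.1 or later on an NTFS volume.

```powershell
# Added example (not from the article): inspect and set the Mark of the Web
# that SmartScreen consults. MOTW lives in an NTFS alternate data stream named
# Zone.Identifier; ZoneId 3 means "Internet", 4 "Restricted sites".
# Assumes Windows PowerShell 5.1 / PowerShell 7 on an NTFS volume.

function Get-MotwInfo {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Path)
    process {
        $item   = Get-Item -LiteralPath $Path -ErrorAction Stop
        $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if (-not $stream) {
            # No stream at all: SmartScreen performs no reputation check on this file.
            return [pscustomobject]@{ File = $item.Name; HasMotw = $false; ZoneId = $null; HostUrl = $null }
        }
        $raw     = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
        # The stream is INI-style text: [ZoneTransfer], ZoneId=, optional ReferrerUrl=/HostUrl=.
        $zoneId  = if ($raw -match '(?m)^ZoneId=(\d)')   { [int]$Matches[1] }   else { $null }
        $hostUrl = if ($raw -match '(?m)^HostUrl=(.+)$') { $Matches[1].Trim() } else { $null }
        [pscustomobject]@{ File = $item.Name; HasMotw = $true; ZoneId = $zoneId; HostUrl = $hostUrl }
    }
}

function Set-Motw {
    # Writes the same stream a browser writes when it saves a download (for testing only).
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$ZoneId = 3,
        [string]$HostUrl = 'about:internet'
    )
    $content = "[ZoneTransfer]`r`nZoneId=$ZoneId`r`nHostUrl=$HostUrl`r`n"
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value $content -NoNewline
}

# Walk-through on a constructed file in %TEMP% (hypothetical name and URL).
$sample = Join-Path $env:TEMP 'motw-demo.txt'
Set-Content -LiteralPath $sample -Value 'harmless content'

Get-MotwInfo -Path $sample                                  # freshly created local file: no stream
Set-Motw -Path $sample -ZoneId 3 -HostUrl 'https://example.invalid/download'
Get-MotwInfo -Path $sample                                  # now marked as an Internet-zone download
Unblock-File -LiteralPath $sample                           # strips the stream, like the "Unblock" checkbox
Get-MotwInfo -Path $sample                                  # back to looking like a local file

# Audit a folder: only files still carrying the mark get a SmartScreen check.
Get-ChildItem -LiteralPath "$env:USERPROFILE\Downloads" -File -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName |
    Get-MotwInfo |
    Where-Object HasMotw |
    Format-Table -AutoSize
```

Two things worth noticing when running this. First, the mark is trivially removable by anyone who can write to the file, so its absence never proves a file was created locally. Second, a bypass such as CVE-2022-44698 is a different failure: the file still carries the mark, but SmartScreen fails to act on it, so auditing the stream tells you which files should have been checked, not whether the check actually ran.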
The second zero-day, the DirectX Graphics Kernel flaw, was publicly disclosed before a patch was available. Narang also noted that Microsoft’s Exploitability Index rates this vulnerability as having a low risk of being exploited.
Each of the six critical vulnerabilities can allow remote code execution (RCE) on the affected machine if abused. They are:
- CVE-2022-41076, in PowerShell.
- CVE-2022-41127, in Microsoft Dynamics NAV and Dynamics 365 Business Central (On-Prem).
- CVE-2022-44670, in the Windows Secure Socket Tunnelling Protocol (SSTP).
- CVE-2022-44676, also in the Windows SSTP.
- CVE-2022-44690, in Microsoft SharePoint Server.
- CVE-2022-44693, also in Microsoft SharePoint Server.
Kev Breen, director of cyber threat research at Immersive Labs, commented on several of the most significant critical vulnerabilities, saying that the PowerShell vulnerability seemed particularly troubling.
The vulnerability is classified as remote code execution, and Microsoft notes that an attacker must take additional steps to prepare the target environment before exploiting it. “While Microsoft doesn’t give much detail about this issue outside of ‘exploitation more likely,’” stated Breen.
“It’s unclear what steps must be taken; however, we do know that exploiting the vulnerability calls for the privileges of a logged-in user. It’s possible that the vulnerability would be used in initial infections via assaults like MalDocs or LNK files due to this combination,” he said.
Employees at all levels of an organization are regular targets of social engineering attacks, which makes users both the first line of defense and the weakest link in cyber security. Workforces need to be better equipped with the knowledge and skills to recognize and prevent these kinds of attacks.
Breen also brought attention to the two SharePoint Server vulnerabilities, adding that fixing such vulnerabilities is crucial for every business that relies on SharePoint.
If your company uses SharePoint for things like internal wikis or document storage, you may be at risk due to this flaw. He warned that attackers might use the vulnerability to “take confidential information to employ in ransomware attacks,” substitute legitimate documents with ones containing malicious code or utilize macros to spread malware.
As expected, Microsoft addressed an EoP vulnerability in the Windows Print Spooler in December’s 2022 Patch Tuesday release (CVE-2022-44678), which could be exploited to grant an attacker local system privileges.
“Windows Print Manager has been a target for attackers” ever since PrintNightmare was publicly disclosed over a year ago, said Mike Walters, vice president of vulnerability and threat research at Action1.
“Nearly every month since then, we’ve found another vulnerability of this type. In a similar vein, after CVE-2022-44678, we can expect to see a continuation of this deluge of patches,” he said.
Since the Print Spooler has produced so many flaws, IT departments should take the threat it poses seriously: even on a fully patched system, it should be disabled wherever it is not in use. Walters warned that attackers would continue to “dig this rabbit hole” for a long time.
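The advice to disable the Print Spooler where it is not needed is easy to state and tedious to apply across a fleet, because a host that shares printers or that users actually print from must keep the service. The PowerShell below is an added example, not code from the article or from Action1. It reports the spooler’s state, start type and spoolsv.exe file version (for comparison against the KB article for CVE-2022-44678), counts real and shared printers, and disables the service only where nothing depends on it. It goes slightly beyond the article by treating domain controllers as hosts that should never run the spooler, a common hardening recommendation. It assumes an elevated Windows PowerShell 5.1 or later session with the PrintManagement module (Windows 8 / Server 2012 and later); the filter on built-in virtual printer names is a heuristic, not a Microsoft list.

```powershell
# Added example (not from the article): audit the Print Spooler and disable it on
# hosts that have no reason to print. Run elevated. Assumes Windows PowerShell 5.1+
# with the PrintManagement module (Get-Printer).

function Get-SpoolerStatus {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"

    # Get-Printer fails when the spooler is stopped; treat that as "no printers".
    $printers = @(Get-Printer -ErrorAction SilentlyContinue)
    # Built-in virtual printers don't mean a user actually prints (heuristic name match).
    $real   = @($printers | Where-Object { $_.Name -notmatch 'Microsoft Print to PDF|Microsoft XPS|Fax|OneNote' })
    # Shared printers mean this host is a print server and must keep the service.
    $shared = @($printers | Where-Object { $_.Shared })
    # Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC.
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -in 4, 5

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        Status             = $svc.Status
        StartType          = $cim.StartMode
        SpoolsvVersion     = (Get-Item "$env:SystemRoot\System32\spoolsv.exe").VersionInfo.FileVersion
        RealPrinters       = $real.Count
        SharedPrinters     = $shared.Count
        IsDomainController = $isDc
    }
}

function Disable-SpoolerIfUnused {
    # -Force disables the service even when local (non-shared) printers are configured.
    param([switch]$Force)
    $s = Get-SpoolerStatus
    if ($null -eq $s) { Write-Warning 'Spooler service not present'; return }

    if ($s.SharedPrinters -gt 0) {
        Write-Warning "$($s.Computer) shares $($s.SharedPrinters) printer(s); it is a print server. Patch it, do not disable."
        return $s
    }
    if ($s.RealPrinters -gt 0 -and -not $Force -and -not $s.IsDomainController) {
        Write-Warning "$($s.Computer) has $($s.RealPrinters) printer(s) configured; re-run with -Force to disable anyway."
        return $s
    }

    if ($s.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
    Set-Service -Name Spooler -StartupType Disabled
    Get-SpoolerStatus   # return the post-change state so the caller can log it
}

# Report only; uncomment the second line to apply the change on this host.
Get-SpoolerStatus | Format-List
# Disable-SpoolerIfUnused
```

Disabling the service also removes Microsoft Print to PDF and any other local printing, so run the report across the estate first and disable in waves. Where the spooler must stay on (print servers, user workstations), the mitigation is to keep it patched and to watch for new spooler advisories each month, which is exactly the pattern Walters describes.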