Microsoft's February Patch Tuesday update hits 48 vulnerabilities
This month's set of updates is the smallest since August 2021, with no 'critical' vulnerabilities - but admins should still act on them as soon as possible
Microsoft February 2021 Patch Tuesday update addresses a total of 48 security vulnerabilities (not including Microsoft Edge vulnerabilities) - the smallest number of security fixes since August 2021.
Products impacted include Windows, Windows Codecs Library, Office, Teams, Azure Data Explorer, Windows Hyper-V Server, Visual Studio Code, Dynamics GP, Edge (Chromium-based), SQL Server, and other components such as Win32k and Kernel.
Forty-seven of the bugs are rated 'Important' in severity, while one is 'Moderate'. Sixteen are elevation of privilege (EoP) vulnerabilities, 16 are remote code execution (RCE) bugs, five information disclosure bugs, five denial of service (DoS) bugs, three security feature bypass vulnerabilities and three spoofing vulnerabilities.
This month's security update also addresses one publicly disclosed zero-day that has not been found to be actively exploited in attacks. Indexed as CVE-2022-21989, the issue concerns an EoP bug in Windows Kernel, which could enable an attacker to get elevated privileges and allow them to run code or access resources with a greater level of integrity.
The vulnerability has not been assigned a critical rating, as Microsoft said triggering the exploit would require an attacker to take 'additional actions prior to exploitation to prepare the target environment'.
While none of the security holes fixed in February Update are rated critical, security experts are advising admins to give them due respect.
Windows DNS Server RCE bug, tracked as CVE-2022-21984 and with a CVSSv3.1 score of 8.8/10, is one such flaw.
"The Microsoft DNS server has a Remote Code Execution (RCE) flaw that has been fixed with this patch. The server is only affected if dynamic updates are enabled, but this is a relatively common configuration. An attacker might entirely take control of your DNS and execute code with elevated privileges if you have this set up in your environment," said Debra Fezza Reed, solutions architect at Qualys.
Similarly, the Windows Hyper-V RCE bug CVE-2022-21995 could enable an attacker to carry out a successful attack from a low privilege Hyper-V guest.
Another notable vulnerability is CVE-2022-22005, with a CVSSv3.1 score of 8.8/10.
"This Remote Code Execution (RCE) vulnerability affects Microsoft SharePoint Server. An attacker must be authenticated and have page creation access on SharePoint to exploit the flaw," Reed said.
Also addressed in the February security update are a number of RCE bugs (CVE-2022-21844, CVE-2022-21926, and CVE-2022-21927) affecting HEVC video extensions.
The security update has also resolved an Azure Data Explorer spoofing bug (CVE-2022-23256); two denial-of-service bugs impacting Teams (CVE-2022-21965) and .NET (CVE-2022-21986); and two security bypass flaws in OneDrive for Android (CVE-2022-23255) and Outlook for Mac (CVE-2022-23280).
Last month, Microsoft resolved 97 security bugs in the first batch of security fixes for 2022. Six were already in the public domain, potentially giving threat actors a head start in figuring out how to exploit these zero-days in vulnerable systems.
EoP vulnerabilities accounted for 40 per cent of the bugs patched last month, followed by RCE bugs at 30 per cent.