Microsoft's last Patch Tuesday of 2022 addresses two zero-days
The year's smallest monthly security update fixed 49 flaws in total
Microsoft has released its December 2022 Patch Tuesday update, fixing multiple security holes in its products.
Two of the 49 security vulnerabilities patched this month are zero-days, one being actively exploited in attacks.
The second was publicly disclosed, but not actively used.
Six of the security holes Microsoft has plugged are classified as 'Critical' severity, because they enable attackers to achieve remote code execution (RCE), elevation of privilege (EoP) or spoofing.
In all, the December security update includes patches for 23 RCE vulnerabilities, 19 EoP bugs, three information disclosure bugs, three denial of service bugs, two security feature bypass vulnerabilities and one spoofing bug.
Microsoft also fixed 25 security holes in its Chromium-based Edge browser earlier this month.
Microsoft typically releases few fixes in December, and this year is no exception; the December update is this year's smallest monthly release.
About those security holes...
The vulnerability that was reported as being exploited in the wild is CVE-2022-44698, a security feature bypass issue for Windows SmartScreen with a CVSS score of 5.4. It is likely related to the Mark of the Web flaw patched last month.
The MOTW feature in Windows identifies files and documents that originate from untrusted sources.
CVE-2022-44698 makes it possible to create a file that avoids MOTW detection, and so gets around security protections like Protected View in Microsoft Office.
'An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging,' Microsoft said.
Threat actors exploited this vulnerability in various malware distribution campaigns by producing malicious standalone JavaScript files signed with a forged signature, including campaigns spreading the QBot trojan and Magniber ransomware.
Microsoft credited security researcher Will Dormann for reporting this flaw.
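On disk, the Mark of the Web is a `Zone.Identifier` alternate data stream on NTFS volumes; a file that carries no such stream is exactly what Protected View and SmartScreen cannot see. The following PowerShell script is an added example (not from the article, and not Microsoft's code) that audits a folder for files lacking MOTW and flags standalone script files, the file type the article says was abused. It assumes Windows PowerShell 5.1 or later on an NTFS volume; the folder path is a placeholder.

```powershell
# Added example, not from the article: audit a folder for files that lack the
# Mark of the Web. MOTW lives in the Zone.Identifier alternate data stream
# (NTFS only), so this checks for that stream and parses its ZoneId.
# Assumptions: Windows PowerShell 5.1+, NTFS volume, placeholder folder path.

# Zone IDs as written by Windows into the Zone.Identifier stream.
$ZoneNames = @{
    0 = 'Local machine'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

# Script-type extensions worth a closer look when they arrive without MOTW.
$ScriptExtensions = @('.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta', '.ps1', '.cmd', '.bat')

function Get-MotwInfo {
    param([Parameter(Mandatory)][string]$FilePath)

    $item = Get-Item -LiteralPath $FilePath
    $result = [pscustomobject]@{
        File        = $item.FullName
        HasMotw     = $false
        ZoneId      = $null
        Zone        = 'none'
        ReferrerUrl = $null
        HostUrl     = $null
        IsScript    = ($ScriptExtensions -contains $item.Extension.ToLower())
    }

    # Get-Item -Stream raises a non-terminating error when the stream is absent;
    # an absent stream is what "no MOTW" looks like on disk.
    $stream = Get-Item -LiteralPath $FilePath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $result }

    $result.HasMotw = $true
    foreach ($line in (Get-Content -LiteralPath $FilePath -Stream Zone.Identifier)) {
        switch -Regex ($line) {
            '^ZoneId=(\d+)'      { $result.ZoneId = [int]$Matches[1] }
            '^ReferrerUrl=(.+)$' { $result.ReferrerUrl = $Matches[1] }
            '^HostUrl=(.+)$'     { $result.HostUrl = $Matches[1] }
        }
    }
    if ($null -ne $result.ZoneId -and $ZoneNames.ContainsKey($result.ZoneId)) {
        $result.Zone = $ZoneNames[$result.ZoneId]
    }
    return $result
}

function Find-UnmarkedScripts {
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -LiteralPath $Folder -File -Recurse |
        ForEach-Object { Get-MotwInfo -FilePath $_.FullName } |
        Where-Object { $_.IsScript -and -not $_.HasMotw }
}

# Usage: audit the current user's Downloads folder (placeholder path).
$Folder = Join-Path $env:USERPROFILE 'Downloads'
Get-ChildItem -LiteralPath $Folder -File |
    ForEach-Object { Get-MotwInfo -FilePath $_.FullName } |
    Format-Table File, HasMotw, Zone, HostUrl -AutoSize

Write-Host "Script files without MOTW (would not trigger Protected View or SmartScreen):"
Find-UnmarkedScripts -Folder $Folder | Select-Object -ExpandProperty File
```

A file downloaded by a browser normally shows `ZoneId=3` (Internet) plus the `HostUrl` it came from; a `.js` file in a download or mail-attachment folder with no stream at all is the condition this bug produced and is a reasonable thing to alert on, since nothing downstream will prompt before it runs.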
The second zero-day vulnerability is CVE-2022-44710, a privilege escalation weakness in the DirectX graphics kernel. It is marked as publicly known although not actively exploited. Microsoft listed this bug as 'exploitation less likely.'
The vulnerability has a CVSS score of 7.8, with high attack complexity. An attacker must win a race condition to exploit the bug, although doing so could give them system privileges.
In addition to fixing two zero-day vulnerabilities, the December Patch Tuesday addressed other notable issues.
CVE-2022-44690 and CVE-2022-44693, a pair of SharePoint server RCEs, have been rated as 'Critical' in severity. Both have CVSS ratings of 8.8: a lower value than normal for an RCE attack, as Microsoft believes they are 'less likely' to be exploited.
Researchers also found another RCE vulnerability, CVE-2022-41076, with a CVSS score of 8.5, in PowerShell. Microsoft rates exploitation of this bug as 'more likely', and any authorised user account could exploit it.
"This Critical-rated bug could allow an authenticated user to escape the PowerShell Remoting Session Configuration and run unapproved commands on an affected system," said Dustin Childs of Zero Day Initiative.
"Threat actors often try to 'live off the land' after an initial breach - meaning they use tools already on a system to maintain access and move throughout a network. PowerShell is one such tool, so any bug that bypasses restrictions is likely to be abused by intruders. Definitely don't ignore this patch."
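The bug above matters most where constrained remoting endpoints (JEA or RestrictedRemoteServer sessions) are the control that keeps low-privileged accounts from a full shell. The following PowerShell is an added example (not from the article, Microsoft or Zero Day Initiative) that enumerates the remoting endpoints on a host and separates constrained ones from full-language endpoints reachable by broad groups, so a defender knows which systems the patch protects. It assumes Windows PowerShell 5.1 or later run from an elevated prompt, because `Get-PSSessionConfiguration` requires administrator rights.

```powershell
# Added example, not from the article: inventory PowerShell remoting endpoints
# and report which are constrained (non-FullLanguage) versus full shells.
# Assumptions: Windows PowerShell 5.1+, elevated prompt.

function Get-EndpointSummary {
    Get-PSSessionConfiguration | ForEach-Object {
        $cfg = $_
        # LanguageMode and SessionType are only present on endpoints registered
        # from a .pssc file (JEA), so read them defensively.
        $lang = if ($cfg.PSObject.Properties['LanguageMode']) { [string]$cfg.LanguageMode } else { 'FullLanguage' }
        $type = if ($cfg.PSObject.Properties['SessionType']) { [string]$cfg.SessionType } else { 'Default' }
        [pscustomobject]@{
            Name         = $cfg.Name
            SessionType  = $type
            LanguageMode = $lang
            RunAsUser    = $cfg.RunAsUser
            Permission   = $cfg.Permission
            Constrained  = ($lang -ne 'FullLanguage')
        }
    }
}

function Find-BroadFullShells {
    # Full-language endpoints that broad built-in groups can reach are the
    # ones to patch and review first.
    Get-EndpointSummary |
        Where-Object { -not $_.Constrained -and $_.Permission -match 'Remote Management Users|Everyone|Users' }
}

Get-EndpointSummary | Format-Table -AutoSize
Write-Host "Full-language endpoints reachable by broad groups:"
Find-BroadFullShells | Select-Object Name, Permission
```

The default `microsoft.powershell` endpoint is always a full-language shell for Administrators and Remote Management Users; the interesting rows are custom endpoints with `NoLanguage` or `ConstrainedLanguage` mode, since those are the session configurations an authenticated user is supposed to be unable to escape.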
Among the other critical bugs, CVE-2022-41127 affects Microsoft Dynamics, while CVE-2022-44670 and CVE-2022-44676 affect the Windows Secure Socket Tunneling Protocol (SSTP).