Microsoft manages a mere 51 security fixes for February update bundle
Excitement this month can be found in SAP code, with critical Log4j repairs and a CISA warning
Patch Tuesday Microsoft for its February Patch Tuesday gave Windows admins just 51 fixes to apply, the smallest number of patches since the meager ration of 44 in August 2021.
February tends to be a slow month for repairs because bugs left untended over the winter holidays often get dealt with in January, leaving not all that much for the following month.
Perhaps more noteworthy is that there's not a single critical CVE listed in the February patch list. Fifty of the fixes are rated Important while one is rated Moderate in terms of severity. And there's no indication that any of these are under active exploitation. In other words, you can probably finish that game of Minesweeper before deploying these patches.
Only one, a Windows kernel elevation of privilege vulnerability (CVE-2022-21989) has been publicly disclosed, at least to Microsoft's knowledge. Microsoft's patches address issues affecting: Windows, Windows Codecs Library, and Windows Hyper-V Server, along with Azure Data Explorer, Dynamics, Dynamics GP, Edge (Chromium-based) Kestrel Web Server, Office, SQL Server, Teams, and Visual Studio Code.
Though none of the CVEs identified are designated critical, Dustin Childs of the Zero Day Initiative, suggests treating a few of them as if they were. He points to the Windows DNS Server remote code execution vulnerability (CVE-2022-21984) as one such flaw.
"If you have this setup in your environment, an attacker could completely take over your DNS and execute code with elevated privileges," Childs explains in a blog post. "Since dynamic updates aren’t enabled by default, this doesn’t get a critical rating. However, if your DNS servers do use dynamic updates, you should treat this bug as Critical."
Likewise, the Windows Hyper-V remote code execution vulnerability (CVE-2022-21995) addresses a guest-to-host escape in Hyper-V server. Companies that rely on Hyper-V servers, Childs suggests, should treat this as a critical bug.
- Microsoft patches the patch that broke VPNs, Hyper-V, and left servers in boot loops
- Running Windows 10? Microsoft is preparing to fire up the update engines
- Admins report Hyper-V and domain controller issues after first Patch Tuesday of 2022
- JumpCloud joins the patch management crowd, starting with Windows and Mac updates
Kevin Breen, director of cyber threat research at Immersive Labs, said in an email that several of the vulnerabilities have been flagged as "Exploitation More Likely," which means they should be prioritized for patching.
"They are all listed as elevation of privilege, which forms a key part of the attack chain," said Breen. "Once initial access has been gained, attackers will quickly seek to gain administrator-level access so they can move across the network, compromise other devices and avoid detection by disabling security tooling."
He also points to the Microsoft SharePoint Server remote code execution vulnerability (CVE-2022-22005) and the Win32k elevation of privilege Vulnerability (CVE-2022-21996) as now-rather-than-later repairs.
Earlier this month, there were 19 fixes applied to the open source Chromium project, the foundation of Microsoft's Edge browser, among others. Eight of the vulnerabilities were high severity. Hopefully that's the last you'll ever hear of them.
As is now traditional, Adobe published a passel of patches, described in five security bulletins that cover a total of 17 vulnerabilities in Illustrator, Creative Cloud Desktop, After Effects, Photoshop, and Premiere Rush.
Illustrator leads the pack with 13 CVEs, two of which are critical while the rest are rated important. Creative Cloud Desktop, Photoshop, and After Effects each contain a single critical CVE, each allowing arbitrary code execution. Premiere Rush has just a moderate privilege escalation flaw.
SAP bestowed us with 13 new security notes and five updates to previous Notes [PDF]. Seven of these are chart-toppers that manage to score severity ratings of 10 out of 10. That translates to either as critical or "Hot News" if you're SAP. Five of these have to do with Log4j fixes, two of which are new and three of which update December 2021 patches.
According to security firm Onapsis, three of the vulnerabilities – CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533 – affect SAP's Internet Communication Manager (ICM), a core component of SAP's software. SAP describes the three as critical memory corruption bugs.
US-CISA on Tuesday published an alert warning that these critical vulnerabilities expose organizations to data theft, fraud, business disruption, and ransomware. ®