The most critical updates for this “Patch Tuesday” come from Firefox and Adobe. While Microsoft addresses 70 vulnerabilities in its February 2022 Patch Tuesday release, none of them are ranked as critical. Firefox and Adobe however have fixed a few issues that could be qualified as critical.
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Let’s have a look at the ones that jumped out at us.
Mozilla fixed a dozen security vulnerabilities in its Firefox browser. The two most important ones are both permissions issues:
- CVE-2022-22753 A Time-of-Check Time-of-Use bug existed in the Maintenance (Updater) Service that could be abused to grant users write access to an arbitrary directory. This could have been used to escalate to SYSTEM access. This bug only affects Firefox on Windows. Other operating systems are unaffected.
- CVE-2022-22754 If a user installs an extension of a particular type, the extension could have auto-updated itself and, while doing so, bypass the prompt which grants the new version the new requested permissions.
Two other vulnerabilities were classified as high. Those two are both memory safety bugs that with enough effort could have been exploited to run arbitrary code. These vulnerabilities were found by Mozilla developers.
Adobe released updates to fix 17 CVEs affecting Premiere Rush, Illustrator, Photoshop, After Effects, and Creative Cloud Desktop. Of these 17 vulnerabilities, five are rated as critical.
- CVE-2022-23203 A buffer overflow vulnerability that could lead to arbitrary code execution in Photoshop 2021 and Photoshop 2022 for Windows and macOS.
- CVE-2022-23186 An out-of-bounds write vulnerability that could lead to arbitrary code execution in Illustrator 2021 and Illustrator 2022 for Windows and macOS.
- CVE-2022-23188 A buffer overflow vulnerability that could lead to arbitrary code execution in Illustrator 2021 and Illustrator 2022 for Windows and macOS.
- CVE-2022-23200 An out-of-bounds write vulnerability that could lead to arbitrary code execution in Adobe After Effects 18.4.3, 22.1.1 and earlier versions for Windows and macOS.
- CVE-2022-23202 Uncontrolled search path element vulnerability that could lead to arbitrary code execution in the Creative Cloud Desktop Application installer 22.214.171.124 and earlier versions on Windows.
Even though no Microsoft vulnerabilities were listed as critical, there are a few that deserve some attention.
- CVE-2022-21989 a Windows Kernel elevation-of-privilege vulnerability. According to the Microsoft advisory, successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment. But in such a case, a successful attack could be performed from a low privilege AppContainer. The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment.
- CVE-2022-21996 a Win32k elevation of privilege vulnerability listed as more likely to be exploited. The exploitation is known to be easy. The attack may be initiated remotely, but requires simple authentication for exploitation.
- CVE-2022-22005 a Microsoft SharePoint Server Remote Code Execution vulnerability. The attacker must be authenticated and possess the permissions for page creation to be able to exploit this vulnerability. This permission however is often present for an authenticated user.
- CVE-2022-21984 a Windows DNS Server Remote Code Execution vulnerability. The server is only affected if dynamic updates are enabled, but this is a relatively common configuration. An attacker might take control of your DNS and execute code with elevated privileges if you have this set up in your environment.
Given the amount of available stolen login credentials, organizations shouldn’t disregard the vulnerabilities that require authentication, especially where it concerns public-facing servers. We hope this quick summary makes it easier for you to prioritize your updating jobs.
Stay safe, everyone!