The updates for Microsoft’s March 2022 Patch Tuesday should fix 92 vulnerabilities, including three zero-day vulnerabilities.

Of the 92 vulnerabilities, 21 are for Microsoft Edge and originate from the Chromium Project. Of the 71 others, three are classified as Critical because they allow remote code execution (RCE).

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Let’s have a look at the most interesting ones that were patched in this Patch Tuesday update.

The first three are publicly disclosed vulnerabilities, which makes them zero-day vulnerabilities, but so far none of them has been seen to be exploited in the wild.

Remote Desktop Client

CVE-2022-21990: A Remote Desktop Client remote code execution vulnerability. In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the RDP client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client. This vulnerability might be hard to exploit since it requires an attacker to control a malicious server and that the user must willingly connect to it. There is Proof-of-Concept (PoC) code available for this vulnerability.

Windows Fax and Scan service

CVE-2022-24459: Windows Fax and Scan service elevation of privilege vulnerability is an LPE (local privilege escalation) vulnerability in the Windows Fax and Scan service. An LPE vulnerability means that an attacker should already have some level of access and can take their privileges to a higher level by exploiting this vulnerability. Such vulnerabilities can be useful in an attack chain. There is Proof-of-Concept (PoC) code available for this vulnerability.

.NET and Visual Studio

CVE-2022-24512: A .NET and Visual Studio Remote Code Execution vulnerability. The ability to exploit this vulnerability by itself is limited. An attacker would need to combine this with other vulnerabilities to perform an attack. This is because successful exploitation of this vulnerability would require a user to trigger the payload in the application.

Next up are the vulnerabilities that were rated as critical.

Exchange Server

CVE-2022-23277: A Microsoft Exchange Server remote code execution vulnerability. The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server’s account through a network call. So the attacker needs some form of authentication to exploit this vulnerability. Which makes it all the more important to change or remove compromised accounts. Stolen or leaked credentials can be used to wreak havoc.

HEVC video extensions

CVE-2022-24508: A HEVC Video Extensions arbitrary code execution vulnerability. The High Efficiency Video Coding (HEVC) extensions allow a buyer to playback files in HEVC format. An attacker could exploit the vulnerability by convincing a victim to download and open a specially crafted file which could lead to a crash. The Microsoft Store will automatically update affected customers. Alternatively, customers can get the update immediately.

VP9 video extensions

CVE-2022-24501: A VP9 video extensions arbitrary code execution vulnerability. Very much the same as the above. An attacker could exploit the vulnerability by convincing a victim to download and open a specially crafted file which could lead to a crash. VP9 is the successor to VP8 and competes with HEVC.

Finally, one vulnerability that is listed as Important and not as Critical, but which looks like a likely candidate to be exploited.

SMBv3 client/server

CVE-2022-24508: A Windows SMBv3 client/server remote code execution vulnerability. The vulnerability exists in a new feature that was added to Windows 10 version 2004 and exists in newer supported versions of Windows. Older versions of Windows are not affected. The attacker needs to be authenticated to exploit the vulnerability. The Microsoft page provides a workaround that requires administrators to disable SMBv3 compression.

Other vendors

Other vendors have published security related updates as well:

  • Cisco released security updates
  • Google released Android security updates
  • Samsung released a Security Maintenance Release package that includes patches from Google and Samsung.
  • HP released a security update to deal with 16 disclosed UEFI firmware vulnerabilities.

Stay safe, everyone!