
After rough January, IT gets a mild February Patch Tuesday

With one public disclosure and not a critical vulnerability in sight, administrators will have time to recover from the roller coaster of patch problems from last month.

Administrators got a break from the typical number of Patch Tuesday fixes this month, but many are likely still smarting from the fallout of multiple bad releases from January Patch Tuesday.

Microsoft corrected 51 total vulnerabilities for February Patch Tuesday, which includes 48 new patches and three older patches that were reissued this month. It's relatively low considering the average number of vulnerabilities over the last six months is 67. There were no critical vulnerabilities -- all bugs were rated important -- and one is publicly disclosed.

Most administrators are probably welcoming the lighter workload after having to deal with major problems stemming from January Patch Tuesday's fixes. On Jan. 17, Microsoft released out-of-band updates to rectify problems from the Jan. 11 Patch Tuesday releases. The troubles included the following:

  • VMs not starting on Hyper-V on systems with Unified Extensible Firmware Interface firmware;
  • unexpected restarts on domain controllers;
  • VPN connectivity troubles; and
  • unavailable Resilient File System volumes on removable media.

The company issued a notification for the out-of-band updates at its message center indicating their availability on the Microsoft Update catalog, with some others accessible from Windows Update as optional downloads.

Publicly disclosed vulnerability has proof-of-concept code

CVE-2022-21989 is a publicly disclosed Windows kernel elevation-of-privilege vulnerability affecting Windows desktop and server systems. Microsoft designated the attack complexity as high, meaning an attacker would need to perform multiple steps to set up the target environment for a successful exploit.

The presence of proof-of-concept code heightens the urgency to deploy the update to resolve this vulnerability quickly.

"When code maturity is at proof-of-concept level, that means that somebody has taken it far enough that they've shown how to exploit it. A threat actor just needs to take it and weaponize it," said Chris Goettl, vice president of product management at Ivanti, an IT asset and endpoint management company. "Just adding those finishing touches wouldn't take long."

Multiple print spooler vulnerabilities addressed

Printers continue to be the bane of the administrators' existence, and for February Patch Tuesday, Microsoft released fixes for a total of four Windows print spooler elevation-of-privilege vulnerabilities.


CVE-2022-21997, CVE-2022-21999, CVE-2022-22717 and CVE-2022-22718 all have a Common Vulnerability Scoring System (CVSS) score of at least 7. Many administrators still smarting from the PrintNightmare issue may wonder if these vulnerabilities are harbingers of more troubles.

"This is still a high-risk area that should be approached with a sense of urgency just to make sure things are not left lingering," Goettl said.

Administrators should also be mindful of a vulnerability with a relatively high CVSS score of 8.8. CVE-2022-22005 is a Microsoft SharePoint Server remote code execution bug that affects the following products: Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019, Microsoft SharePoint Enterprise Server 2013 Service Pack 1 and Microsoft SharePoint Enterprise Server 2016.

"The attacker must be authenticated and possess the permissions for page creation to be able to exploit this vulnerability," Microsoft wrote in the CVE notes.

Also with a CVSS score of 8.8 is a Windows DNS Server remote code execution vulnerability, CVE-2022-21984. This might not affect too many organizations because the DNS server is only at risk if it has dynamic updates enabled, which is not the default configuration. Also, this flaw only affects later Windows systems, including Windows 10 and Windows Server 2022 on the server side.
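To see which DNS servers fall under that condition, the following PowerShell inventory lists each zone's dynamic update setting so servers that accept dynamic updates can be patched first. It is an added example, not from Microsoft or the article; the server names are hypothetical placeholders, and it assumes the DnsServer module (RSAT DNS tools or the DNS Server role) is installed.

```powershell
# Added example: inventory DNS zones by dynamic update setting to scope
# exposure to CVE-2022-21984. Server names below are hypothetical.
param(
    [string[]]$ComputerName = @('dns01.example.test', 'dns02.example.test')
)

$report = foreach ($server in $ComputerName) {
    try {
        Get-DnsServerZone -ComputerName $server -ErrorAction Stop |
            Where-Object { -not $_.IsAutoCreated } |   # skip built-in zones
            ForEach-Object {
                [pscustomobject]@{
                    Server        = $server
                    Zone          = $_.ZoneName
                    ZoneType      = $_.ZoneType
                    DsIntegrated  = $_.IsDsIntegrated
                    # None, Secure or NonsecureAndSecure
                    DynamicUpdate = $_.DynamicUpdate
                    # In scope when the zone accepts any dynamic updates
                    InScope       = $_.DynamicUpdate -ne 'None'
                }
            }
    }
    catch {
        # An unreachable server is unknown, not safe: surface it
        Write-Warning "Could not query ${server}: $($_.Exception.Message)"
    }
}

# Zones that accept dynamic updates sort to the top
$report |
    Sort-Object -Property @{ Expression = 'InScope'; Descending = $true }, Server, Zone |
    Format-Table -AutoSize
```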

Microsoft releases updates for multiple CVEs

In Microsoft parlance, revision increments were distributed for the following three vulnerabilities on February Patch Tuesday:

  • CVE-2019-0887, a Remote Desktop Services remote code execution vulnerability, was initially posted on July 9, 2019, and reissued this month to add another affected product, the Remote Desktop client for Windows Desktop. The company said customers should run version 1.2.2691 or higher to avoid exploitation.
  • CVE-2021-34500 is a Windows kernel memory information disclosure vulnerability originally posted on July 13, 2021, that Microsoft updated to cover more supported Windows systems. A successful exploit could result in memory content disclosure from a guest VM to the Hyper-V host server.
  • CVE-2022-21871 is a Microsoft Diagnostics Hub Standard Collector runtime elevation-of-privilege vulnerability first released on Jan. 11. It was updated for February Patch Tuesday to include more affected versions of the Visual Studio code editor: Microsoft Visual Studio 2019 version 16.9, Microsoft Visual Studio 2019 version 16.7, Microsoft Visual Studio 2017 version 15.9 and Microsoft Visual Studio 2015 update 3.

January Windows vulnerability gets late zero-day label

Two days after it released the January Patch Tuesday security fixes, Microsoft issued an update on Jan. 13 to designate the Win32k elevation-of-privilege vulnerability CVE-2022-21882 as a zero-day. The bug has a CVSS of 7.0 and does not require user interaction. The vulnerability affects Windows 10/11 and Windows Server 2019/2022 systems.

"A local, authenticated attacker could gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver," Microsoft wrote in its CVE notes.

On Feb. 4, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities Catalog. As part of the agency's efforts to stop active attacks on unpatched systems that began in November 2021, federal civilian executive branch agencies with affected Windows systems must apply the patch by Feb. 18.

"These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise," CISA wrote in its bulletin.

Goettl noted that threat actors are using CVE-2022-21882 in conjunction with CVE-2021-1732, another Win32k elevation-of-privilege vulnerability that the new vulnerability uses to circumvent the earlier patch.
