February 8, 2022

Microsoft today released software updates to plug security holes in its Windows operating systems and related software. This month’s relatively light patch batch is refreshingly bereft of any zero-day threats, or even scary critical vulnerabilities. But it does fix four dozen flaws, including several that Microsoft says will likely soon be exploited by malware or malcontents.

While none of the patches address bugs that earned Microsoft’s most dire “critical” rating, there are multiple “remote code execution” vulnerabilities that Redmond believes are ripe for exploitation. Among those is CVE-2022-22005, a weakness in Microsoft’s SharePoint Server versions 2013-2019 that could be exploited by any authenticated user.

“The vulnerability does require an attacker to be authenticated in order to exploit it, which is likely why Microsoft only labeled it ‘Important,’” said Allan Liska, senior security architect at Recorded Future. “However, given the number of stolen credentials readily available on underground markets, getting authenticated could be trivial. Organizations that have public-facing SharePoint Servers should prioritize implementing this patch.”

Kevin Breen at Immersive Labs called attention to CVE-2022-21996, an elevation of privilege vulnerability in the core Windows component “Win32k.”

“In January we saw CVE-2022-21882, a vulnerability in Win32k that was being actively exploited in the wild, which prompted CISA to issue a directive to all federal agencies to mandate that patches be applied,” Breen said. “February sees more patches for the same style of vulnerability in this same component. It’s not clear from the release notes whether this is a brand new vulnerability or if it is related to the previous month’s update. Either way, we have seen attackers leverage this vulnerability so it’s safer to err on the side of caution and update this one quickly.”

Another elevation of privilege flaw CVE-2022-21989 — in the Windows Kernel — was the only vulnerability fixed this month that was publicly disclosed prior to today.

“Despite the lack of critical fixes, it’s worth remembering that attackers love to use elevation of privilege vulnerabilities, of which there are 18 this month,” said Greg Wiseman, product manager at Rapid7. “Remote code execution vulnerabilities are also important to patch, even if they may not be considered ‘wormable.’ In terms of prioritization, defenders should first focus on patching server systems.”

February’s Patch Tuesday is once again brought to you by Print Spooler, the Windows component responsible for handling printing jobs. Four of the bugs quashed in this release relate to our friend Mr. Print Spooler. In July 2021, Microsoft issued an emergency fix for a Print Spooler flaw dubbed “PrintNightmare” that was actively being exploited to remotely compromise Windows PCs. Redmond has been steadily spooling out patches for this service ever since.

One important item to note this week is that Microsoft announced it will start blocking Internet macros by default in Office. This is a big deal because malicious macros hidden in Office documents have become a huge source of intrusions for organizations, and they are often the initial vector for ransomware attacks.

As Andrew Cunningham writes for Ars Technica, under the new regime when files that use macros are downloaded from the Internet, those macros will now be disabled entirely by default. The change will also be enabled for all currently supported standalone versions of Office, including versions 2021, 2019, 2016, and 2013.

“Current versions of the software offer an alert banner on these kinds of files that can be clicked through, but the new version of the banner offers no way to enable the macros,” Cunningham wrote. “The change will be previewed starting in April before being rolled out to all users of the continuously updated Microsoft 365 version of Office starting in June.”
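The new default depends on the Mark of the Web (MOTW) that browsers stamp on downloaded files, which on NTFS is stored in the file’s Zone.Identifier alternate data stream. As an added example that is not from this post or from Microsoft, the PowerShell script below lists macro-enabled Office files under a folder and reports whether each carries an Internet-zone MOTW, i.e. whether the new Office behavior would block its macros; the folder path, the extension list and the treatment of zone 4 as untrusted are assumptions.

```powershell
# Added example (not from the KrebsOnSecurity post or from Microsoft).
# Lists macro-enabled Office files and reads the MOTW zone from the
# Zone.Identifier alternate data stream. ZoneId=3 is the Internet zone,
# ZoneId=4 is Restricted sites (assumed here to be treated as untrusted too).
param([string]$Path = "$env:USERPROFILE\Downloads")   # assumed default folder

# Extensions that can carry VBA macros (assumed list; .xlsb is the binary workbook
# format the Squiblydoo research quoted below also calls out).
$macroExt = '.docm', '.dotm', '.xlsm', '.xlsb', '.xltm', '.pptm', '.potm', '.ppam'

function Get-MotwZone {
    param([string]$File)
    # Get-Item -Stream returns nothing when the ADS is absent (file never passed
    # through a MOTW-aware downloader, was copied from a share, or was extracted
    # by an archiver that does not propagate MOTW).
    $ads = Get-Item -LiteralPath $File -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) { return $null }
    foreach ($line in Get-Content -LiteralPath $File -Stream Zone.Identifier) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

$report = Get-ChildItem -LiteralPath $Path -File -Recurse |
    Where-Object { $macroExt -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $zone = Get-MotwZone -File $_.FullName
        [pscustomobject]@{
            File            = $_.FullName
            ZoneId          = $zone
            HasMotw         = ($null -ne $zone)
            MacrosBlocked   = ($zone -eq 3 -or $zone -eq 4)   # untrusted zones
        }
    }

$report | Sort-Object MacrosBlocked, File | Format-Table -AutoSize

# Files without MOTW are the residual gap: the new default cannot act on them,
# so they deserve a second look (where they came from, who created them).
$gap = @($report | Where-Object { -not $_.HasMotw })
Write-Host ("{0} macro-enabled file(s) lack a Mark of the Web" -f $gap.Count)
```

Run it as the user whose Downloads folder you want to inspect; it changes nothing on disk and only reads the stream.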

January’s patch release was a tad heavier and rockier than most, with Microsoft forced to re-issue several patches to address unexpected issues caused by the updates. Breen said while February’s comparatively light burden should give system administrators some breathing room, it shouldn’t be viewed as an excuse to skip updates.

“But it does reinforce how important it is to test patches in a staging environment or use a staggered rollout, and why monitoring for any adverse impacts should always be a key step in your patching policy,” Breen said.

For a complete rundown of all patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these patches, please drop a note about it here in the comments.


16 thoughts on “Microsoft Patch Tuesday, February 2022 Edition”

  1. Gannon (J) Dick

    “… including several that Microsoft says will likely soon be exploited by malware or malcontents.”

    As information it’s good but as boolean algebra and prose (malware OR malcontents) it is pretty Creepy-Trumpy or Trumpy-Creepy if you prefer.

    I get enough of that from the Social Media-Social Engineering Industrial Complex (SM-SEIC). Someday Microsoft will stand up and say “we told you the Web was flawed” and I’ll be there with rotten tomatoes which I hasten to add are not getting any fresher as malcontent indicators.

  2. ReadandShare

    Per article: “it’s worth remembering that attackers love to use elevation of privilege vulnerabilities, of which there are 18 this month”

    Of course, this wasn’t a thing at all back when ‘everybody’ signed in as admins. Microsoft then gloated about how signing in as ‘standard’ user would stop 95% of all malware dead in their tracks! So more people did. Problem with that – like problem with their countless other ‘fixes’ – was how fundamentally hackable the OS itself was.

  3. an_n

    They finally started blocking macros by default! Why now and not 10 years ago? What changed!?

    1. Moike

      They’ve disabled automatic macro execution in downloaded documents for many years. The only problem is that macros could be re-enabled with just a click. Now it will require some real work to enable macros in downloaded documents.

      1. an_n

        “Real work” compared to a 1-click sure. We have a candidate for the “why now” – (unverified)
        threatpost.com/china-suspected-news-corp-cyberespionage/178277/

      2. an_n

        Yes yes.
        “Documents downloaded from untrusted locations will be given a “MOTW” [Mark of the Web] attribute used to block macros. The change will first roll out in the current generation of Office, with fixes for Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013 being introduced at “a future date to be determined.”
        -Actors will find a way.

      3. Squiblydoo

        ddg: LOLBins Regsvr32 “Squiblydoo” technique

        “team has observed more than 500+ malware samples using Regsvr32.exe to register [malicious] .OCX files,” researchers warned. “During our analysis of these malware samples, we have identified that some of the malware samples belonged to Qbot and Lokibot attempting to execute .OCX files…97 percent of these samples belonged to malicious Microsoft Office documents such as Excel spreadsheet files.” Most of the Microsoft Excel files observed in the attacks carry the .XLSM or .XLSB suffixes, which are types that contain embedded macros.

  4. The Sunshine State

    Light month on February’s security updates, I haven’t seen any major issues

    Firefox also released version 97.0 today, nothing major on this one

  5. Holden Gatsby

    What’s been the trend over the past few years in the number of new critical vulnerabilities found in Microsoft OS and apps? Is there a good graph showing this? Yes, I know there’s millions of lines of code in their OS but you would think by now that some light is visible at the end of this tunnel.

    1. Kano

      It’s going to be a tunnel for as long as you’ll have the patience. This month is the anomaly.
      They likely have some big tough bugs to squash that they couldn’t get done in 1 month,
      and given the recent haphazard “see if it breaks something” approach maybe they wised up?
      We’ll know next month. And the month after that.

  6. OldNavyGuy301

    It appears that CVE-2022-21996 applies to Windows 11 only.

  7. Joe G

    I get “Your device is missing important security and quality fixes” even before I try to update. I have seen lots of people getting this in February 2022. Any real ideas about what causes it?

  8. Gaylle

    Has anyone ever added up the total number of patches (so far) for Windows 10? The “most bug-free, heavily tested OS ever released back” in 2015.

    Over the past 7 years (168 months), even if all the Patch Days have been “a light 48 more” patches, that would be 168×48, over 8 *THOUSAND* patches.

    That can’t be right.

  9. Ismail

    Can Microsoft’s Tuesday update program keep pace with the changing world?
    Situations like Exploit Wednesday and the increase in the number of attacks beg one question – can it keep up? It can continue, but the quality of the updates should be more accurate. If a security patch causes a problem, it becomes a double-edged sword. IT administrators cannot upgrade, and they are open to a security threat.

    One of the recent patch updates, October 2019, resulted in issues with the government’s shipment tracking system. They had to remove the update to fix the problem.

  11. coomeet

    Why does Microsoft turn a blind eye to critical problems so far? I think everyone has seen all too well in the last few days that information is now much more valuable than gold and it is very stupid not to eliminate the risk from the company. How can we be sure that user authentication cannot be fixed by some random people in a matter of time? I may not understand all aspects of this, but it is a security issue and I as a user should understand everything.
