March 9, 2022

Microsoft on Tuesday released software updates to plug at least 70 security holes in its Windows operating systems and related software. For the second month running, there are no scary zero-day threats looming for Windows users, and relatively few “critical” fixes. And yet we know from experience that attackers are already trying to work out how to turn these patches into a roadmap for exploiting the flaws they fix. Here’s a look at the security weaknesses Microsoft says are most likely to be targeted first.

Greg Wiseman, product manager at Rapid7, notes that three vulnerabilities fixed this month have been previously disclosed, potentially giving attackers a head start in working out how to exploit them. Those include remote code execution bugs CVE-2022-24512, affecting .NET and Visual Studio, and CVE-2022-21990, affecting Remote Desktop Client. CVE-2022-24459 is a vulnerability in the Windows Fax and Scan service. All three publicly disclosed vulnerabilities are rated “Important” by Microsoft.

Just three of the fixes this month earned Microsoft’s most-dire “Critical” rating, which Redmond assigns to bugs that can be exploited to remotely compromise a Windows PC with little to no help from users. Two of those critical flaws involve Windows video codecs. Perhaps the most concerning critical bug quashed this month is CVE-2022-23277, a  remote code execution flaw affecting Microsoft Exchange Server.

“Thankfully, this is a post-authentication vulnerability, meaning attackers need credentials to exploit it,” Wiseman said. “Although passwords can be obtained via phishing and other means, this one shouldn’t be as rampantly exploited as the deluge of Exchange vulnerabilities we saw throughout 2021. Exchange administrators should still patch as soon as reasonably possible.”

CVE-2022-24508 is a remote code execution bug affecting Windows SMBv3, the technology that handles file sharing in Windows environments.

“This has potential for widespread exploitation, assuming an attacker can put together a suitable exploit,” Wiseman said. “Luckily, like this month’s Exchange vulnerabilities, this, too, requires authentication.”

Kevin Breen, director of cyber threat research at Immersive Labs, called attention to a trio of bugs fixed this month in the Windows Remote Desktop Protocol (RDP), which is a favorite target of ransomware groups.

CVE-2022-23285, CVE-2022-21990 and CVE-2022-24503 are a potential concern especially as this infection vector is commonly used by ransomware actors,” Breen said. “While exploitation is not trivial, requiring an attacker to set up bespoke infrastructure, it still presents enough of a risk to be a priority.”

March’s Patch Tuesday also brings an unusual update (CVE-2022-21967) that might just be the first security patch involving Microsoft’s Xbox device.

“This appears to be the first security patch impacting Xbox specifically,” said Dustin Childs from Trend Micro’s Zero Day Initiative. “There was an advisory for an inadvertently disclosed Xbox Live certificate back in 2015, but this seems to be the first security-specific update for the device itself.”

Also on Tuesday, Adobe released updates addressing six vulnerabilities in Adobe Photoshop, Illustrator and After Effects.

For a complete rundown of all patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: usually has the lowdown on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these patches, please drop a note about it here in the comments.

21 thoughts on “Microsoft Patch Tuesday, March 2022 Edition

  1. Marc Silverman

    Just wondering, does Microsoft have so many more patches necessary than the Apple OS, or are they just more transparent about reporting them? I would think Apple would certainly have a need for weekly patches too, or perhaps not?

    1. Tarek Okail

      MacOS is apparently less exploited because it is less common, though since the iPhone was released, MacOS and iOS have both come under increasing attack. And since MacOS is based off a Linux/Unix fork, and Linux is *very much* under attack because of its use in enterprise servers… MacOS really should be getting more patches than it does. It is very likely that there just isn’t enough scrutiny of Apple’s operating systems on the ‘discovery and mitigation of exploits’ side.

    2. Dave Horsfall

      If you’ve ever used both, you’ll see that Apple takes security seriously e.g. software in the Apple store has to be signed by Apple unless you want to risk it, and MacPorts vets their software pretty closely. Sometimes its security gets in my way 🙂

      1. JamminJ

        I use both too.
        It’s not so much that they take security more seriously, but rather they want a more walled garden proprietary product. Apple doesn’t play well with others. So they do everything themselves. This is a benefit for security, but not the primary reason. Having good MFA on apple devices would be better security, but they don’t want to let 3rd parties in to implement better security.

  2. Mike Larkin

    Ran Windows Update on my Windows 11 laptop and no updates were called for it. My Windows 10 machines had updates.

  3. Anthony Oveka

    Brian, you always say to backup before you patch, so I am wondering if a restore point is good enough. I use my computer to pay bills thru my bank or on site. After that, it’s email and surfing the web and y-tube. Any thoughts?

    1. Kent Brockman

      Use Macrium Reflect to create an image of your system drive, it’s easy, fast and free.

    2. Steve

      Most of the time the restore points will be sufficient for fixing random patch issues. But in the off chance you have a hard drive failure or things go really sideways it’s always a good idea to have a backup of important files in a seperate hard drive or in the cloud. If there isn’t anything on your computer you can’t live without the restore points are fine.

  4. GSG

    W10 Sky Tech desktop.
    After February update I get the message
    “You’re not up to date.
    Your device is missing important security and quality fixes.”
    Checking for updates again repeats the above message, but there is nothing listed to be downloaded.
    Comes the March update.
    Updated the Malicious Software removal tool. No other update comes up.
    Same message as in February, same result when re-checking for updates.

  5. Sharon Moore

    hi – any way to fix printing from Edge, that cuts off half of the selection I want to print? Ta, Sharon

  6. Doug @ Milwaukee

    0) As always, Thank You Brian Krebs for your articles. My comrades and I support hundreds of irregular hosts; I regularly read your page, and religiously check after Patch Tuesday.

    1) Tarek, Apple IOSis based off of BSD with a Darwin GUI on top; if it were Linux, licensing would require it to be Open Source.

    2) David, Microsoft implements some kind of “random availability” pecking order function after introducing its patches so as to avoid hundreds of mllions PCs all hosing its servers and the Internef pipeline at the same time. Home Edition is probably even lower in the release schedule; give it a day or so. PS I suggest making sure to Shutdown and RESTART your machine prior to running Windows Update.

  7. Naltraj

    I hope that CVE-2022-21967 security for xbox device allow the ds4windows driver work for my dualsense 4

  8. DMV Now

    I appreciate the information and advice you have shared.

  9. Udel

    The high volume of disclosures is becoming more of a marketing stunt then something else. IMHO
    It is true that Microsoft correct many problems but they do not communicate openly anymore, repress CVE as an CNA so that security by obscurity becomes a thing.
    They release the cve up to 9 days after the patch with oneliners and often no proof/explaination of what the problem is so:
    1) you cannot monitor or anticipate detected problems as the cve is ‘repressed’ until after the patch
    2)On breach it can take up to 9 days to figure out a change in patching and possible problems detected as root cause of a breach. Often third parties inform you better then Microsoft.
    3) Disclosed oneliner CVE by Microsoft often give you no further info = marketing stunt to me as it has no value anymore. It says just something more then we fixed a problem.

    So post like this are a breather because sometimes before microsoft cve disclosure, you have more info then they will ever give you.
    Keep up the good work!

    1. an_n

      Agree one line of description is meaningless without further POC support or vuln confirmation.
      By the time it takes to find, disclose, await patch (N+1 years sometimes) they’re on to Win12 SE.
      Your vuln is no longer officially going to be supported, go code old sand. Step 2, rebrand IE again.
      I’m thinking Warp iOSx2 or something snappy like MS-META

  10. jon

    After the latest update, it looks to have broke network printing on my computer by removing user profile communication to the server. I removed the print queue and readded. Has anyone else had this issue?

Comments are closed.