December 2022 Patch Tuesday: Get Latest Security Updates from Microsoft & More
Microsoft, a global leader in technology, has released its final batch of monthly security updates for 2022, containing fixes for 49 vulnerabilities in its software.
Six of the 49 bugs are classified as Critical, 40 as Important, and three as Moderate. The patches come on top of the 24 vulnerabilities that have been fixed since the beginning of the month in the Edge browser, which is based on Chromium.
Patch Tuesday for December addresses two zero-day flaws, one of which is being actively exploited and the other of which was listed as having been made public at the time of release.
The former relates to CVE-2022-44698 (CVSS score: 5.4), one of the three security bypass issues in Windows SmartScreen that could be exploited by a malicious actor to evade mark of the web (MotW) protections.
It’s worth noting that this issue, in conjunction with CVE-2022-41091 (CVSS score: 5.4), has been observed being exploited by Magniber ransomware actors to deliver rogue JavaScript files within ZIP archives.
“It allows attackers to craft documents that won’t get tagged with Microsoft’s ‘Mark of the Web’ despite being downloaded from untrusted sites,” Rapid7’s Greg Wiseman said. “This means no Protected View for Microsoft Office documents, making it easier to get users to do sketchy things like execute malicious macros.”
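A defender-side check for the missing mark described above, as an added example that is not from the article or from Microsoft: on NTFS the mark is stored in the file's `Zone.Identifier` alternate data stream, and the audit flags risky file types that carry no Internet-zone mark. The `RISKY_EXT` list and the `SAMPLE` inventory are assumptions constructed for illustration.

```python
import configparser
import os

# Security zones as stored in the ZoneId field of the Zone.Identifier stream.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
# Assumption: file types worth flagging when they arrive without a mark.
RISKY_EXT = {".js", ".jse", ".vbs", ".wsf", ".hta", ".lnk", ".iso",
             ".doc", ".docm", ".xls", ".xlsm"}

def parse_zone_identifier(text):
    """Return the ZoneId from Zone.Identifier stream text, or None if absent/invalid."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        cp.read_string(text.lstrip("\ufeff"))
        return cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None

def read_motw(path):
    """Read the mark from a file on NTFS; None if the stream is missing or unreadable."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None

def audit(files):
    """files: iterable of (name, zone id or None). Return risky files without an Internet mark."""
    findings = []
    for name, zone in files:
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXT and zone not in (3, 4):
            findings.append((name, ZONES.get(zone, "no MotW")))
    return findings

# Constructed inventory of a downloads folder: (name, stream text or None).
SAMPLE = [
    ("invoice.docm", "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.test/invoice.docm\r\n"),
    ("update.js", None),   # script that never received a mark
    ("notes.txt", None),   # unmarked, but not a risky type
]

def audit_sample():
    return audit((n, parse_zone_identifier(s) if s else None) for n, s in SAMPLE)

if __name__ == "__main__":
    for name, reason in audit_sample():
        print(f"{name}: {reason}")
```

On a Windows host, replace the constructed inventory with `(name, read_motw(path))` pairs gathered from the directories where downloads and archive extractions land.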
Publicly disclosed, but not seen actively exploited, is CVE-2022-44710 (CVSS score: 7.8), an elevation of privilege flaw in DirectX Graphics Kernel that could enable an adversary to gain SYSTEM privileges.
“Successful exploitation of this vulnerability requires an attacker to win a race condition,” Microsoft pointed out in an advisory.
Also patched by Microsoft are multiple remote code execution bugs in Microsoft Dynamics NAV, Microsoft SharePoint Server, PowerShell, Windows Secure Socket Tunneling Protocol (SSTP), .NET Framework, Contacts, and Terminal.
Furthermore, the update also resolves 11 remote code execution vulnerabilities in Microsoft Office Graphics, OneNote, and Visio, all of which are rated 7.8 in the CVSS scoring system.
Two of the 19 elevation of privilege flaws remediated this month are in the Windows Print Spooler component (CVE-2022-44678 and CVE-2022-44681, CVSS scores: 7.8), continuing a steady stream of patches released by the company over the past year.
Last but not least, Microsoft has assigned the “Exploitation More Likely” tag to the PowerShell remote code execution vulnerability (CVE-2022-41076, CVSS score: 8.5) and Windows Sysmon privilege escalation flaw (CVE-2022-44704, CVSS score: 7.8), making it essential that users apply updates to mitigate potential threats.
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors over the past two weeks to rectify several vulnerabilities, including:
- Adobe
- Android
- Apple
- Cisco
- Citrix
- CODESYS
- Dell
- F5
- Fortinet
- GitLab
- Google Chrome
- HP
- IBM
- Intel
- Lenovo
- Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
- MediaTek
- Mozilla Firefox, Firefox ESR, and Thunderbird
- NVIDIA
- Qualcomm
- SAP
- Schneider Electric
- Siemens
- Sophos
- Trend Micro, and
- VMware