Microsoft February 2022 Patch Tuesday: Addressing Vulnerabilities
Written on
Overview of February 2022 Patch Tuesday
On February 2022's Patch Tuesday, Microsoft released updates that tackled one zero-day vulnerability along with a total of 48 security issues. This announcement highlighted that none of these vulnerabilities were deemed critical, although 22 were specific to Microsoft Edge.
The distribution of vulnerabilities is as follows:
- 16 Elevation of Privilege Vulnerabilities
- 3 Security Feature Bypass Vulnerabilities
- 16 Remote Code Execution Vulnerabilities
- 5 Information Disclosure Vulnerabilities
- 5 Denial of Service Vulnerabilities
- 3 Spoofing Vulnerabilities
- 22 Edge — Chromium Vulnerabilities
The updates for Windows 10 (KB5010342 and KB5010345) and Windows 11 (KB5010386) also included details on non-security related improvements. Notably, the zero-day vulnerability addressed in this month’s updates was publicly disclosed.
Fortunately, there were no reports of any zero-day vulnerabilities being actively exploited during this Patch Tuesday. A zero-day vulnerability is defined by Microsoft as one that has been publicly disclosed or is widely exploited without an official patch.
Details on the Vulnerabilities
Among the vulnerabilities disclosed in this Patch Tuesday, the Windows Kernel Elevation of Privilege Vulnerability (CVE-2022–21989) was highlighted. However, given that there are publicly available proof-of-concept exploits, these vulnerabilities are likely to be targeted by malicious actors soon.
In addition to Microsoft's updates, other vendors also released security updates in February 2022. Android’s security patches were released yesterday, and Cisco provided updates for various devices, including Cisco Small Business RV routers, Snort, and Cisco DNA Center. SAP also announced its own security enhancements for this month.
The complete list of vulnerabilities and advisories addressed in February 2022's Patch Tuesday can be found below. For detailed descriptions of each vulnerability and the systems affected, refer to the full report.
Vulnerability Details
The following vulnerabilities have been addressed:
- Azure Data Explorer: CVE-2022–23256 Spoofing Vulnerability
- Kestrel Web Server: CVE-2022–21986 .NET Denial of Service Vulnerability
- Microsoft Dynamics:
- CVE-2022–21957 Remote Code Execution Vulnerability
- CVE-2022–23272 Elevation of Privilege Vulnerability
- CVE-2022–23274 Remote Code Execution Vulnerability
- Microsoft Edge (Chromium-based):
- CVE-2022–0469 Use after free in Cast
- CVE-2022–0467 Inappropriate implementation in Pointer Lock
- Microsoft Office:
- CVE-2022–22004 ClickToRun Remote Code Execution Vulnerability
- CVE-2022–23252 Information Disclosure Vulnerability
...
Chapter 2: Additional Security Updates and Resources
In this video, Microsoft addresses patches for six actively exploited zero-day vulnerabilities. Users are strongly urged to install updates as soon as possible.
This Cyber News video discusses the recent Microsoft patches, focusing on two zero-days, the implications of Patch Tuesday, the rise in ransomware, and insights into the Spectre v2 exploit.