Tech giant Microsoft released its final set of monthly security updates for 2022 with fixes for 49 vulnerabilities across its software products.
Of the 49 bugs, six are rated Critical, 40 are rated Important, and three are rated Moderate in severity. The updates are in addition to 24 vulnerabilities that have been addressed in the Chromium-based Edge browser since the start of the month.
December’s Patch Tuesday plugs two zero-day vulnerabilities, one that’s actively exploited and another issue that’s listed as publicly disclosed at the time of release.
The former relates to CVE-2022-44698 (CVSS score: 5.4), one of the three security bypass issues in Windows SmartScreen that could be exploited by a malicious actor to evade Mark of the Web (MotW) protections.
“It permits attackers to craft documents that will not get tagged with Microsoft’s ‘Mark of the Web’ regardless of being downloaded from untrusted websites,” Rapid7’s Greg Wiseman said. “This implies no Protected View for Microsoft Office documents, making it easier to get users to do sketchy things like execute malicious macros.”
Publicly disclosed, but not seen actively exploited, is CVE-2022-44710 (CVSS score: 7.8), an elevation of privilege flaw in DirectX Graphics Kernel that could enable an adversary to gain SYSTEM privileges.
“Successful exploitation of this vulnerability requires an attacker to win a race condition,” Microsoft pointed out in an advisory.
Also patched by Microsoft are several remote code execution bugs in Microsoft Dynamics NAV, Microsoft SharePoint Server, PowerShell, Windows Secure Socket Tunneling Protocol (SSTP), .NET Framework, Contacts, and Terminal.
Furthermore, the update also resolves 11 remote code execution vulnerabilities in Microsoft Office Graphics, OneNote, and Visio, all of which are rated 7.8 in the CVSS scoring system.
Two of the 19 elevation of privilege flaws remediated this month are in the Windows Print Spooler component (CVE-2022-44678 and CVE-2022-44681, CVSS scores: 7.8), continuing a steady stream of patches released by the company over the past 12 months.
Last but not least, Microsoft has assigned the “Exploitation More Likely” tag to the PowerShell remote code execution vulnerability (CVE-2022-41076, CVSS score: 8.5) and Windows Sysmon privilege escalation flaw (CVE-2022-44704, CVSS score: 7.8), making it essential that users apply updates to mitigate potential threats.
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors over the past two weeks to rectify several vulnerabilities, including —