
NEWS

Microsoft December 2022 Patch Tuesday fixes 2 zero-days, 49 flaws

Posted on December 13, 2022 by

Today is Microsoft’s December 2022 Patch Tuesday, and with it comes fixes for two zero-day vulnerabilities, including an actively exploited bug, and a total of 49 flaws.

Six of the 49 vulnerabilities fixed in today’s update are classified as ‘Critical’ as they allow remote code execution, one of the most severe types of vulnerabilities.

The number of bugs in each vulnerability category is listed below:

  • 19 Elevation of Privilege Vulnerabilities
  • 2 Security Feature Bypass Vulnerabilities
  • 23 Remote Code Execution Vulnerabilities
  • 3 Information Disclosure Vulnerabilities
  • 3 Denial of Service Vulnerabilities
  • 1 Spoofing Vulnerability

The above counts do not include twenty-five Microsoft Edge vulnerabilities previously fixed on December 5th.

For information about the non-security Windows updates, you can read today’s articles on the Windows 10 KB5021233 and KB5021237 updates and the Windows 11 KB5021255 and KB5021234 updates.

Two zero-days fixed

This month’s Patch Tuesday fixes two zero-day vulnerabilities, one actively exploited and the other publicly disclosed.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.

The actively exploited and publicly disclosed zero-day vulnerability fixed in today’s updates is:

CVE-2022-44698 – Windows SmartScreen Security Feature Bypass Vulnerability discovered by Will Dormann.

“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging.”

Threat actors exploited this vulnerability by creating malicious stand-alone JavaScript files that were signed using a malformed signature.

When signed in this manner, the malformed signature would cause SmartCheck to error out and not display the Mark of the Web security warning, allowing the malicious scripts to run and install the malware automatically.

Threat actors actively exploited this flaw in numerous malware distribution campaigns, including ones spreading the QBot trojan and Magniber Ransomware.
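As an added defender-side example (not from the original article), the PowerShell script below triages downloaded stand-alone .js files: it reads each file’s Mark of the Web ZoneId from the Zone.Identifier stream and checks the Authenticode signature status, flagging Internet-zone scripts whose signature is present but not valid, the pattern described above. The Downloads folder path is an assumption.

```powershell
# Added example, not code from the original article.
# Lists .js files carrying a Mark of the Web and reports their Authenticode
# signature status, so scripts with a malformed (non-valid, non-absent)
# signature can be reviewed. The default folder is an assumption.
param(
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')
)

Get-ChildItem -LiteralPath $Path -Filter '*.js' -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_

        # The MOTW lives in the Zone.Identifier alternate data stream (NTFS only).
        # No stream means the file was never tagged; ZoneId 3 = Internet, 4 = Restricted.
        $zone = $null
        try {
            $zoneText = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction Stop
            foreach ($line in $zoneText) {
                if ($line -match '^ZoneId=(\d)') { $zone = [int]$Matches[1]; break }
            }
        } catch {
            $zone = $null
        }

        # Get-AuthenticodeSignature understands script files such as .js.
        # Status values include Valid, NotSigned, HashMismatch, NotTrusted, UnknownError.
        $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

        [pscustomobject]@{
            File       = $file.FullName
            ZoneId     = $zone
            SigStatus  = $sig.Status
            # Tagged as from the Internet, yet signed with something other than a
            # valid signature: worth a closer look.
            Suspicious = ($zone -in 3, 4) -and ($sig.Status -notin 'Valid', 'NotSigned')
        }
    } |
    Sort-Object -Property Suspicious -Descending |
    Format-Table -AutoSize
```

Run it from an elevated or standard PowerShell session on the machine being reviewed; files reported with Suspicious = True should be examined before they are opened.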

The other publicly disclosed vulnerability is:

CVE-2022-44710 – DirectX Graphics Kernel Elevation of Privilege Vulnerability discovered by Luka Pribanić.

“Successful exploitation of this vulnerability requires an attacker to win a race condition. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”

Recent updates from other companies

Other vendors who released updates in December 2022 include:

The December 2022 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities and released advisories in the December 2022 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the full report here.


Original Posts: Microsoft December 2022 Patch Tuesday fixes 2 zero-days, 49 flaws