It was a relatively light Patch Tuesday for Microsoft this month. The Microsoft February 2022 Security Updates include patches and advisories for 50 vulnerabilities, 16 of them remote code execution flaws and one a zero-day. None are rated Critical.
A remote attacker could exploit some of these vulnerabilities to take control of unpatched systems.
In all, the Microsoft security updates address vulnerabilities in the following products, features and roles:
- Azure Data Explorer
- Kestrel Web Server
- Microsoft Dynamics
- Microsoft Dynamics GP
- Microsoft Edge (Chromium-based)
- Microsoft Office
- Microsoft Office Excel
- Microsoft Office Outlook
- Microsoft Office SharePoint
- Microsoft Office Visio
- Microsoft OneDrive
- Microsoft Teams
- Microsoft Windows Codecs Library
- Power BI
- Roaming Security Rights Management Services
- Role: DNS Server
- Role: Windows Hyper-V
- SQL Server
- Visual Studio Code
- Windows Common Log File System Driver
- Windows DWM Core Library
- Windows Kernel
- Windows Kernel-Mode Drivers
- Windows Named Pipe File System
- Windows Print Spooler Components
- Windows Remote Access Connection Manager
- Windows Remote Procedure Call Runtime
- Windows User Account Profile
- Windows Win32K.
Microsoft addressed 16 separate remote code execution (RCE) vulnerabilities in multiple versions of Windows 10, Windows 11, Windows Server (multiple), Microsoft Office, Microsoft SharePoint, Microsoft 365, Visual Studio, and multiple other software products.
The full list of the Microsoft RCE patches is as follows (along with CVSS base score):
- CVE-2022-21844: HEVC Video Extensions Remote Code Execution Vulnerability (CVSS 7.8)
- CVE-2022-21926: HEVC Video Extensions Remote Code Execution Vulnerability (CVSS 7.8)
- CVE-2022-21927: HEVC Video Extensions Remote Code Execution Vulnerability (CVSS 7.8)
- CVE-2022-21957: Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability (CVSS 7.2)
- CVE-2022-21971: Windows Runtime Remote Code Execution Vulnerability (CVSS 7.8)
- CVE-2022-21974: Roaming Security Rights Management Services Remote Code Execution Vulnerability (CVSS 7.8)
- CVE-2022-21984: Windows DNS Server Remote Code Execution Vulnerability (CVSS 8.8)
- CVE-2022-21988: Microsoft Office Visio Remote Code Execution Vulnerability (CVSS 7.8)
- CVE-2022-21991: Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability (CVSS 8.1)
- CVE-2022-21992: Windows Mobile Device Management Remote Code Execution Vulnerability (CVSS 7.8)
- CVE-2022-21995: Windows Hyper-V Remote Code Execution Vulnerability (CVSS 7.9)
- CVE-2022-22003: Microsoft Office Graphics Remote Code Execution Vulnerability (CVSS 7.8)
- CVE-2022-22004: Microsoft Office ClickToRun Remote Code Execution Vulnerability (CVSS 7.8)
- CVE-2022-22005: Microsoft SharePoint Server Remote Code Execution Vulnerability (CVSS 8.8)
- CVE-2022-22709: VP9 Video Extensions Remote Code Execution Vulnerability (CVSS 7.8)
- CVE-2022-23274: Microsoft Dynamics GP Remote Code Execution Vulnerability (CVSS 8.3).
At the time the advisories were published, Microsoft did not identify any known public exploits of these vulnerabilities and noted exploitation is “less likely.”
Microsoft also patched a Windows Kernel Elevation of Privilege vulnerability, CVE-2022-21989.
“In this case, a successful attack could be performed from a low privilege AppContainer. The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment,” Microsoft noted in the advisory related to the scope change for this vulnerability.
Microsoft also confirmed exploitation is “more likely.”
WinVerifyTrust Signature Validation Vulnerability
In addition, Microsoft re-released an older 2013 security update for the WinVerifyTrust Signature Validation vulnerability, CVE-2013-3900:
“We are republishing CVE-2013-3900 in the Security Update Guide to update the Security Updates table and to inform customers that the EnableCertPaddingCheck is available in all currently supported versions of Windows 10 and Windows 11. While the format is different from the original CVE published in 2013, the information herein remains unchanged from the original text published on December 10, 2013.”
The RCE vulnerability stems from the way the WinVerifyTrust function handles Windows Authenticode signature verification for portable executable (PE) files: parts of the file that are not covered by the signature can be changed without invalidating the signature.
“An anonymous attacker could exploit the vulnerability by modifying an existing signed executable file to leverage unverified portions of the file in such a way as to add malicious code to the file without invalidating the signature. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft added.
Microsoft noted that the fix remains available as an opt-in feature in all currently supported releases of Windows, including Windows 10 and 11, and that enabling it requires a registry key change (the EnableCertPaddingCheck value mentioned above).
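Enabling the opt-in check described above, as an added example that is not part of the article or Microsoft's own material; it assumes an elevated PowerShell session on a 64-bit Windows 10/11 host and uses the registry path Microsoft documents for this update (HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config, with its Wow6432Node mirror for 32-bit callers):

```powershell
# Added example (not from the article): opt in to the CVE-2013-3900
# WinVerifyTrust padding check by setting EnableCertPaddingCheck.
# Assumes an elevated session; both the native and Wow6432Node paths are
# set so 32-bit and 64-bit callers of WinVerifyTrust behave the same way.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)

function Enable-CertPaddingCheck {
    foreach ($path in $paths) {
        if (-not (Test-Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        # Per Microsoft's guidance the value is a REG_SZ (string) containing "1".
        New-ItemProperty -Path $path -Name 'EnableCertPaddingCheck' `
            -PropertyType String -Value '1' -Force | Out-Null
    }
}

function Get-CertPaddingCheckState {
    # Report whether the stricter check is active on each hive path.
    foreach ($path in $paths) {
        $value = (Get-ItemProperty -Path $path -Name 'EnableCertPaddingCheck' `
            -ErrorAction SilentlyContinue).EnableCertPaddingCheck
        if ($value -eq '1') {
            "$path : EnableCertPaddingCheck = 1 (padding check enabled)"
        } else {
            "$path : EnableCertPaddingCheck not set (default; unverified padding accepted)"
        }
    }
}

Enable-CertPaddingCheck
Get-CertPaddingCheckState
```

Because the check is opt-in, some legitimately signed installers that store data in the unverified region of the signature will stop validating once it is on, so pilot the change on a test group before deploying it fleet-wide.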
Other security updates
In addition to the High severity RCEs, Microsoft patched 34 other vulnerabilities across multiple products rated “Important” or “Moderate.” The tech giant also addressed 44 Microsoft Edge (Chromium-based) vulnerabilities.