The Microsoft March 2022 Security Updates include patches and advisories for 71 vulnerabilities, 29 of them remote code execution (RCE) flaws and three rated Critical.
A remote attacker could exploit several of these vulnerabilities to take control of an unpatched system.
In all, the Microsoft security updates address vulnerabilities in the following products, features and roles:
- .NET and Visual Studio
- Azure Site Recovery
- Microsoft Defender for Endpoint
- Microsoft Defender for IoT
- Microsoft Edge (Chromium-based)
- Microsoft Exchange Server
- Microsoft Intune
- Microsoft Office Visio
- Microsoft Office Word
- Microsoft Windows ALPC
- Microsoft Windows Codecs Library
- Paint 3D
- Role: Windows Hyper-V
- Skype Extension for Chrome
- Tablet Windows User Interface
- Visual Studio Code
- Windows Ancillary Function Driver for WinSock
- Windows CD-ROM Driver
- Windows Cloud Files Mini Filter Driver
- Windows COM
- Windows Common Log File System Driver
- Windows DWM Core Library
- Windows Event Tracing
- Windows Fastfat Driver
- Windows Fax and Scan Service
- Windows HTML Platform
- Windows Installer
- Windows Kernel
- Windows Media
- Windows PDEV
- Windows Point-to-Point Tunneling Protocol
- Windows Print Spooler Components
- Windows Remote Desktop
- Windows Security Support Provider Interface
- Windows SMB Server
- Windows Update Stack
Microsoft addressed three Critical remote code execution (RCE) vulnerabilities, in Microsoft Exchange Server, the HEVC Video Extensions and the VP9 Video Extensions:
- CVE-2022-23277: Microsoft Exchange Server RCE Vulnerability (CVSS 8.8)
- CVE-2022-22006: HEVC Video Extensions RCE Vulnerability (CVSS 7.8)
- CVE-2022-24501: VP9 Video Extensions RCE Vulnerability (CVSS 7.8)
Of special note, Microsoft rated the Exchange Server flaw CVE-2022-23277 as “Exploitation More Likely” on its Exploitability Index. The bug requires an authenticated attacker (reflected in its 8.8 rather than higher CVSS score), but any user who can reach the server over the network and hold a mailbox account could attempt to run code in the context of the Exchange server's account.
Microsoft also fixed a further RCE vulnerability, CVE-2022-21990 in the Remote Desktop Client, that is rated Important yet is likewise marked “Exploitation More Likely.” The Important rating should not be read as low risk: the vulnerable component is the client, so the exposed population is every workstation whose user connects to an RDP server the attacker controls, and patching only the Remote Desktop servers does not address it.
“In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the RDP client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client,” the software giant noted in the advisory.
At the time the advisories were published, Microsoft had not flagged any of these vulnerabilities as exploited in the wild, although the Remote Desktop Client flaw CVE-2022-21990 was listed as publicly disclosed before the fix shipped, which shortens the window defenders have to deploy it.
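Because the Windows, Remote Desktop Client and Exchange fixes above are serviced through different channels, a practitioner checking a host cannot rely on a single "Installed Updates" view. The PowerShell script below is an added example and is not code from the original article or from Microsoft: it checks the Windows cumulative update by KB number, the Remote Desktop client binary that CVE-2022-21990 concerns, and, on Exchange servers, the ExSetup.exe version that Security Updates for CVE-2022-23277 change. The KB number and the minimum patched file versions are not stated on this page and are passed in as parameters, to be read from the MSRC Security Update Guide entry for each CVE.

```powershell
# Added example, not from the original article or from Microsoft: check whether a
# Windows host (and, optionally, an Exchange server) carries this month's fixes.
# The KB number and the minimum patched file versions are NOT given on this page;
# read them from the MSRC Security Update Guide entry for each CVE and pass them in.
param(
    [Parameter(Mandatory)] [string]  $WindowsKb,            # assumption: KB of the March 2022 cumulative update for this OS build
    [Parameter(Mandatory)] [version] $MinRdpClientVersion,  # assumption: lowest mstscax.dll version containing the CVE-2022-21990 fix
    [version] $MinExchangeSetupVersion                      # assumption: lowest ExSetup.exe version containing the CVE-2022-23277 fix
)

function Test-WindowsUpdateInstalled {
    # Get-HotFix reads Win32_QuickFixEngineering, the list shown under "Installed
    # Updates". It covers Windows updates only: Office, Exchange and Edge are serviced
    # separately and never appear here, so their fixes need the file checks below.
    param([Parameter(Mandatory)] [string] $KbId)
    return $null -ne (Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

function Get-BinaryVersion {
    # Assemble a [version] from the four numeric fields instead of parsing the
    # FileVersion string, which Microsoft binaries pad with build branch text.
    param([Parameter(Mandatory)] [string] $Path)
    $vi = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    return [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

$report = [ordered]@{
    ComputerName       = $env:COMPUTERNAME
    WindowsKbInstalled = Test-WindowsUpdateInstalled -KbId $WindowsKb
}

# CVE-2022-21990 is a client-side bug: the vulnerable code is the RDP ActiveX control
# (mstscax.dll) that mstsc.exe loads, so this check matters on every workstation whose
# users open RDP connections, not just on Remote Desktop servers.
$rdpVersion = Get-BinaryVersion -Path (Join-Path $env:SystemRoot 'System32\mstscax.dll')
$report.RdpClientVersion = $rdpVersion
$report.RdpClientPatched = $rdpVersion -ge $MinRdpClientVersion

# Exchange Security Updates do not change the build that Get-ExchangeServer reports
# (AdminDisplayVersion), so compare ExSetup.exe instead. ExchangeInstallPath is set by
# Exchange setup and is absent on non-Exchange hosts, which skips this block.
if ($env:ExchangeInstallPath -and $MinExchangeSetupVersion) {
    $exVersion = Get-BinaryVersion -Path (Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe')
    $report.ExchangeSetupVersion = $exVersion
    $report.ExchangePatched      = $exVersion -ge $MinExchangeSetupVersion
}

[pscustomobject]$report
```

Run it as a script with the three values taken from the Security Update Guide for the host's OS build and Exchange cumulative update; a `False` in `RdpClientPatched` on a workstation is the finding most often missed, because RDP patching is usually tracked on the server side only. Note that on a Windows build Microsoft no longer services the cumulative update will never exist, so `WindowsKbInstalled` stays `False` regardless of what else is installed.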
Other security updates
In addition to the Critical and Important severity RCEs discussed above, Microsoft patched a further 67 vulnerabilities across multiple products rated “Important” or “Moderate.” The company also addressed 29 Microsoft Edge (Chromium-based) vulnerabilities, which are delivered through the browser's own update channel rather than through Windows Update.