It’s a fairly small release of patches this month, with no exploits reported in the wild and no vulnerabilities rated as critical. Does this mean we shouldn’t bother patching? Absolutely not! Several vulnerabilities are flagged “Exploitation More Likely” on Microsoft’s Exploitability Index, meaning they are good targets for threat actors looking for new ways to compromise organizations.
Print Spooler: the nightmare continues!
Is it really Patch Tuesday if we don’t talk about a vulnerability in the Windows Print Spooler Components? This month sees four new CVEs related to this heavily exploited component: CVE-2022-21999, CVE-2022-22718, CVE-2022-21997, and CVE-2022-22717.
They are all listed as Elevation of Privilege, which forms a key part of the attack chain. Once initial access has been gained, attackers will quickly seek administrator-level access so they can move across the network, compromise other devices and avoid detection by disabling security tooling.
CVE-2022-22005 – Microsoft SharePoint Server Remote Code Execution Vulnerability
This vulnerability is listed as remote code execution; however, the attacker also requires authenticated access with permission to create new pages. This kind of vulnerability would most likely be abused by an attacker who already has an initial foothold and wants to move laterally across the network.
For organizations that use SharePoint for internal wikis or document stores, attackers could use this vulnerability to steal confidential information or replace documents with new versions that contain malicious code or macros to help them infect other systems.
CVE-2022-21996 – Win32k Elevation of Privilege Vulnerability
In January we saw CVE-2022-21882, a vulnerability in Win32k that was being actively exploited in the wild, which prompted CISA to issue a directive to all federal agencies to mandate that patches be applied.
February sees more patches for the same style of vulnerability in the same component. It’s not clear from the release notes whether this is a brand new vulnerability or whether it is related to the previous month’s update. Either way, we have already seen attackers exploit this class of Win32k flaw, so it’s safer to err on the side of caution and apply this update quickly.
January’s patch release may have left some IT teams feeling somewhat sour, as Microsoft had to re-issue updates to fix unexpected issues caused by the original updates. This should not be used as an excuse to skip updates, but it does reinforce how important it is to test patches in a staging environment or use a staggered rollout, and why monitoring for adverse impacts should always be a key step in your patching policy.
Kev Breen,
Director of Cyber Threat Research,
Immersive Labs
@kevthehermit