The most critical updates for this “Patch Tuesday” come from Firefox and Adobe. While Microsoft addresses 70 vulnerabilities in its February 2022 Patch Tuesday release, none of them are ranked as critical. Firefox and Adobe however have fixed a few issues that could be qualified as critical.
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Let’s have a look at the ones that jumped out at us.
Mozillafixed a dozen security vulnerabilities in its Firefox browser. The two most important ones are both permissions issues:
- CVE-2022-22753A Time-of-Check Time-of-Use bug existed in the Maintenance (Updater) Service that could be abused to grant users write access to an arbitrary directory. This could have been used to escalate to SYSTEM access. This bug only affects Firefox on Windows. Other operating systems are unaffected.
- CVE-2022-22754If a user installs an extension of a particular type, the extension could have auto-updated itself and, while doing so, bypass the prompt which grants the new version the new requested permissions.
Two other vulnerabilities were classified as high. Those two are both memory safety bugs that with enough effort could have been exploited to run arbitrary code. These vulnerabilities were found by Mozilla developers.
Adobereleased updates to fix 17 CVEs affecting Premiere Rush, Illustrator, Photoshop, After Effects, and Creative Cloud Desktop. Of these 17 vulnerabilities, five are rated as critical.
- CVE-2022-23203A buffer overflow vulnerability that could lead to arbitrary code execution in Photoshop 2021 and Photoshop 2022 for Windows and macOS.
- CVE-2022-23186An out-of-bounds write vulnerability that could lead to arbitrary code execution in Illustrator 2021 and Illustrator 2022 for Windows and macOS.
- CVE-2022-23188A buffer overflow vulnerability that could lead to arbitrary code execution in Illustrator 2021 and Illustrator 2022 for Windows and macOS.
- CVE-2022-23200An out-of-bounds write vulnerability that could lead to arbitrary code execution in Adobe After Effects 18.4.3, 22.1.1 and earlier versions for Windows and macOS.
- CVE-2022-23202Uncontrolled search path element vulnerability that could lead to arbitrary code execution in the Creative Cloud Desktop Application installer 220.127.116.11 and earlier versions on Windows.
Even though no Microsoft vulnerabilities were listed as critical, there are a few that deserve some attention.
- CVE-2022-21989a Windows Kernel elevation-of-privilege vulnerability. According to the Microsoft advisory, successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment. But in such a case, a successful attack could be performed from a low privilege AppContainer. The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment.
- CVE-2022-21996a Win32k elevation of privilege vulnerability listed as more likely to be exploited. The exploitation is known to be easy. The attack may be initiated remotely, but requires simple authentication for exploitation.
- CVE-2022-22005a Microsoft SharePoint Server Remote Code Execution vulnerability. The attacker must be authenticated and possess the permissions for page creation to be able to exploit this vulnerability. This permission however is often present for an authenticated user.
- CVE-2022-21984a Windows DNS Server Remote Code Execution vulnerability. The server is only affected if dynamic updates are enabled, but this is a relatively common configuration. An attacker might take control of your DNSand execute code with elevated privileges if you have this set up in your environment.
Given the amount of available stolen login credentials, organizations shouldn't disregard the vulnerabilities that require authentication, especially where it concerns public-facing servers. We hope this quick summary makes it easier for you to prioritize your updating jobs.
Stay safe, everyone!