In numbers, the patch Tuesday of December 2022 is a relatively light one for Windows users. Microsoft patched 48 vulnerabilities with only six considered critical. But numbers are only half the story. Two of the updates are zero-days with one of them known to be actively exploited.
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).
The vulnerability that is exploited in the wild is listed under CVE-2022-44698 and described as a Windows SmartScreen Security Feature bypass vulnerability. To understand how this works, you need to understand that files can be cryptographically signed in order to confirm who created them, and to confirm that they have not been changed since they were signed. Mark-of-the-Web (MOTW) is the name for the Windows technology that warns users of potential harm when downloading and opening a file from the internet or an email attachment. In other words, it’s a safety precaution in the form of a reminder that the user is about to use a risky file that might harm their computer. The problem is that a malformed signature bypasses all the warnings you should get, so you are bound to assume everything is dandy while it’s not.
DirectX Graphics Kernel
The other zero-day is labeled as “Exploitation Less Likely” but information about the vulnerability has been made public. The vulnerability is listed as CVE-2022-44710 and described as a DirectX Graphics Kernel Elevation of Privilege (EoP) vulnerability. To successfully exploit it the attacker would need to win a race condition. But if they succeed they could gain SYSTEM privileges.
A race condition, or race hazard, is the behavior of a system where the output depends on the sequence or timing of other uncontrollable events. It becomes a bug when events do not happen in the order the programmer intended. Sometimes these bugs can be exploited when the outcome is predictable and works to the attackers’ advantage.
Windows Secure Socket Tunneling Protocol
Two critical vulnerabilities we want to highlight were found in the Windows Secure Socket Tunneling Protocol (SSTP). CVE-2022-44670 and CVE-2022-44676 are remote code execution (RCE) vulnerabilities. Successful exploitation of these vulnerabilities requires an attacker to win a race condition but when successful could enable an attacker to remotely execute code on a remote access server (RAS).
A RAS is a type of server that provides a suite of services to remotely connected users over a network or the Internet. It operates as a remote gateway or central server that connects remote users with an organization’s internal local area network (LAN).
One more vulnerability we want to highlight because exploitation is more likely is listed as CVE-2022-41076 and described as a PowerShell RCE vulnerability. Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment and to be authenticated. If these conditions are met, the attacker could escape the PowerShell Remoting Session Configuration and run unapproved commands on the target system. This seems a very likely candidate to be chained or exploited in combination with leaked or stolen login credentials.
As per usual, other vendors also released important updates:
Apple released several updates. More on that later.
Cisco released updates for Cisco IP Phone 7800 and 8800 phones.
Citrix released updates for Citrix ADC and Citrix Gateway.
Fortinet released an update to patch for an actively exploited FortiOS SSL-VPN vulnerability.
Google released an Android security bulletin we discussed last week.
SAP has released its round of December 2022 updates.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.