Microsoft Patch Tuesday For December 2022 Fixes Two Zero-Days

This week, Microsoft rolled out its monthly scheduled updates for Windows systems. The December Patch Tuesday was the last Microsoft update for 2022, fixing two zero-day vulnerabilities and 50 other flaws.

Microsoft Addressed Two Zero-Day Vulnerabilities

Regarding the zero-day bugs, the first vulnerability existed in the Windows SmartScreen feature. While it was a medium-severity flaw (CVSS 5.4), it became serious as it caught the attention of criminal hackers before receiving a fix.

Elaborating on this vulnerability, CVE-2022-44698, Microsoft mentioned it as a security bypass that allowed maliciously crafted files to evade the Mark of the Web (MOTW) security checks. An attacker could exploit the flaw via maliciously designed websites (for web-based attacks), spam emails or messages carrying malicious URLs, or compromised websites. The firm has credited Will Dormann for reporting the flaw.

The second zero-day vulnerability, CVE-2022-44710, existed in the DirectX Graphics Kernel. Microsoft defined it as a privilege escalation vulnerability allowing SYSTEM access to an attacker winning race condition (a requisite for exploiting the flaw). It was an important-severity flaw with a CVSS score of 7.5. The firm acknowledged Luka Pribanić for reporting the bug.

Other Microsoft Patch Tuesday December Updates

Alongside the two zero-days, Microsoft has also addressed numerous other security vulnerabilities across different products. These include six critical remote code execution vulnerabilities affecting the Microsoft SharePoint Server, PowerShell, and Windows Secure Socket Tunneling Protocol (SSTP).

Then, the update bundle includes 42 vulnerability fixes for important-severity issues. Exploiting these bugs could lead to elevated privileges, remote code execution, information disclosure, denial of service, or even spoofing. Most RCE flaws existed in the Microsoft Office Graphics (CVSS 7.8). Besides, other vulnerable products include Microsoft Office Visio, Outlook, Bluetooth Driver, Windows Graphics Component, Hyper-V, Windows Media, Print Spooler, and Windows Kernel.

Lastly, the last Patch Tuesday for 2022 addressed two moderate severity issues in Windows Graphics Component (CVE-2022-44697, CVSS 7.8) and Microsoft Edge (CVE-2022-44688, CVSS 4.3).

While these updates automatically reach the supported Windows systems, users may also check for updates manually to ensure receiving the patches in time.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients