Microsoft’s Patch Tuesday update for the month of March has been made officially available with 71 fixes spanning its software products, including Windows, Office, Exchange, and Defender.
Of the total 71 patches, three are rated Critical and 68 are rated Important in severity. None of these vulnerabilities is listed as being actively exploited at the time of release, but three of them are publicly known.
It’s worth pointing out that Microsoft separately addressed 21 flaws in the Chromium-based Microsoft Edge browser earlier this month.
All the three critical vulnerabilities remediated this month are remote code execution flaws impacting HEVC Video Extensions (CVE-2022-22006), Microsoft Exchange Server (CVE-2022-23277), and VP9 Video Extensions (CVE-2022-24501).
The Microsoft Exchange Server vulnerability, reported by Markus Wulftange, requires the attacker to be authenticated in order to exploit it.
“The attacker could use this vulnerability to target server accounts through remote or arbitrary code execution,” said the Windows maker. “The attacker, as an authenticated user, could try to execute malicious code within the context of the server account by making a network call.”
“Critical vulnerability CVE-2022-23277 should also be a concern,” Kevin Breen, director of cyber threat research at Immersive Labs, said. “While requiring authentication, this vulnerability affecting on-prem Exchange servers could potentially be used during lateral movement into a part of the environment which presents the opportunity for business email compromise or data theft from email.”
The three publicly known (zero-day) bugs fixed by Microsoft are as follows –
- CVE-2022-24512 (CVSS score: 6.3) – .NET and Visual Studio Remote Code Execution Vulnerability
- CVE-2022-21990 (CVSS score: 8.8) – Remote Desktop Client Remote Code Execution Vulnerability
- CVE-2022-24459 (CVSS score: 7.8) – Windows Fax and Scan Service Elevation of Privilege Vulnerability
Microsoft also labeled CVE-2022-21990 as “Exploitation More Likely” because of the public availability of a proof-of-concept (PoC) exploit, making it crucial that the updates are applied as soon as possible to avoid potential attacks.
Other notable flaws are a number of remote code execution vulnerabilities in Windows SMBv3 Client/Server, Microsoft Office, and Paint 3D, as well as elevation of privilege vulnerabilities in Xbox Live Auth Manager, Microsoft Defender for IoT, and Azure Site Recovery.
In all, the patches close out 29 remote code execution vulnerabilities, 25 elevation of privilege vulnerabilities, six information disclosure vulnerabilities, four denial-of-service vulnerabilities, three security feature bypass vulnerabilities, three spoofing vulnerabilities, and one tampering vulnerability.
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors to rectify several vulnerabilities, including –
- Juniper Networks
- Linux distributions Oracle Linux, Red Hat, and SUSE
- Mozilla Firefox and Firefox ESR
- Schneider Electric, and