Contact Information

The Square, Kenmare
Co. Kerry, V93 CY93

We Are Available 24/ 7. Call Now.

Join thousands of people who receive the latest breaking cybersecurity news every day.
The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.
Share this article:
This batch had zero critical CVEs, which is unheard of. Most (50) of the patches are labeled Important, so don’t delay to apply the patches, security experts said.
Oh, blessed day: Microsoft’s Patch Tuesday is a featherweight in comparison to some of its not-atypical, 10-ton security updates, with just 51 patches — none of them rated critical.
For February, Microsoft’s releases address CVEs in Windows and Windows Components, Azure Data Explorer, Kestrel Web Server, Microsoft Edge (Chromium-based), Windows Codecs Library, Microsoft Dynamics, Microsoft Dynamics GP, Microsoft Office and Office Components, Windows Hyper-V Server, SQL Server, Visual Studio Code and Microsoft Teams.
Among these, Microsoft addressed one zero-day: CVE-2022-21989, a Windows Kernel elevation-of-privilege vulnerability. And, one of the updates is for a CVE first published in 2013.
This crop is in addition to the 19 CVEs patched by Microsoft Edge (Chromium-based) earlier this month, which brings the February total to 70 CVEs.
Of course, it’s not size that matters. But February’s patch-a-palooza is light not just in number of CVEs, but also in that it comes with nary a single patch that’s labeled critical.
Has that ever happened?
As of Monday afternoon, Dustin Childs, a researcher with Trend Micro’s Zero Day Initiative (ZDI) Zero Day Initiative (ZDI), was scratching his head on that one.
Infosec Insiders Newsletter
“It may have happened before, but I can’t find an example of a monthly release from Microsoft that doesn’t include at least one critical-rated patch,” Childs wrote in ZDI’s Patch Tuesday analysis. “It certainly hasn’t happened in recent memory.”
Childs noted that this February’s volume “is in line with February releases from previous years, which (apart from 2020) tend to be around 50 CVEs.”
It follows the big batch that Microsoft baked for its January 2022 Patch Tuesday, when it addressed a total of 97 security vulnerabilities, including nine critical CVEs – one of which is a self-propagator with a 9.8 CVSS score, and six of which were listed as publicly known zero-days.
To add indigestion to overwork, the January patches immediately blew up. Since their release on Jan. 11, the updates started breaking Windows, causing spontaneous boot loops on Windows domain controller servers, breaking Hyper-V and making ReFS volume systems unavailable.
“Unfortunate that the Jan 11 updates have a number of serious flaws that mean they are un-deployable,” lamented one Threatpost reader. “That means our servers are unpatched and vulnerable to other security risks due to other bugs, until the next set of patches come out.”
Of the patches released today – that awaited “next set of patches” — 50 are rated important and one is rated moderate in severity.
Microsoft listed none of the February bugs as being under exploit, though one is listed as publicly known as the time of release. But as ZDI’s Childs pointed out, the same was true of last month’s release – for two days, at any rate, after which the company revised CVE-2022-21882 to indicate that “Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.”
If Microsoft learns otherwise, or changes its corporate mind, Childs promised that ZDI will update its analysis.
As for the zero-day elevation of privilege vulnerability in the Windows Kernel, Satnam Narang, staff research engineer at Tenable, noted via email: “While Microsoft rates the vulnerability as ‘exploitation more likely,’ the complexity to exploit the vulnerability is high, because of the added legwork required to prepare the target.”
He added, “This type of vulnerability is often leveraged by an attacker once they’ve already compromised the target, either through the use of a separate vulnerability or malware.”
As it does, ZDI has put up the full list of CVEs released by Microsoft for this month.
Childs also delved into four of the more interesting bugs. Here’s what he had to say:
Tenable’s Narang also pointed out that Microsoft also patched four elevation-of-privilege vulnerabilities in its Windows Print Spooler, including two rated “exploitation more likely.”
“One of these two flaws, CVE-2022-21999, is credited to researchers at Sangfor, who were responsible for disclosing some of the PrintNightmare vulnerabilities last summer,” Narang observed. “Because of the ubiquity of Print Spooler, vulnerabilities like this have been leveraged by ransomware groups.”
Danny Kim, principal architect at Virsec, noted that he found it interesting that Microsoft republished a CVE from 2013 to notify customers that an update to Windows 10/11 is available that addresses the original CVE.
“The CVE allows an attacker to inject malicious code into a signed application without invalidating the file’s original signature,” he explained in an email to Threatpost on Tuesday. “In Windows, signatures are used to verify that a file has not been modified since it was released by the original vendor. With the ability to inject malicious code into ‘verified’ applications, the attacker can gain complete control over a system especially if the user who runs the application has administrative privileges.”
He said that the attacker can go as far as creating new user accounts with full access, allowing the attacker to login to the machine at will.
Though the CVE is originally from 2013, it highlights two concerning facts, he said: “Patching is a slow-moving solution, and applications need to be monitored at all times. Patching is a post-attack solution that moves too slowly to keep up with today’s attacks. Applications, even verified ones, cannot just be checked when they start execution – their behavior throughout the lifetime of the application needs to be monitored and verified against expected behavior.”
In spite of the fact that there were no critical CVEs nor active exploits called out in the February Patch Tuesday release, security pros recommended, as they always do, that the patches should be applied as soon as possible.
Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.
Share this article:
Feb. 18 is the deadline to patch a bug that affects all unpatched versions of Windows 10 and requires zero user interaction to exploit.
However, groups are rebranding and recalibrating their profiles and tactics to respond to law enforcement and the security community’s focus on stopping ransomware attacks.
The now-patched flaw that led to the ForcedEntry exploit of iPhones was exploited by both NSO Group and a different, newly detailed surveillance vendor.
Richard on

This site uses Akismet to reduce spam. Learn how your comment data is processed.
Join thousands of people who receive the latest breaking cybersecurity news every day.
Meet Crane Hassold, a former FBI threat hunter who now uses his law enforcement background to track down…
1 hour ago
Get the latest breaking news delivered daily to your inbox.
The First Stop For Security News
Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.




Leave a Reply