close

Home

Windows 10

Windows 11

Windows Client OS

Patch Tuesday February 2022 – Microsoft Teams, Outlook, and Windows Get Important Updates

Russell Smith

|
Patch Tuesday February 2022 – Teams, Outlook, and Windows Get Important Updates

Microsoft releases 51 patches, fixing 48 bugs, including 1 zero-day flaw. There’s also an update for all Teams clients and Outlook on Mac on February, 2022 Patch Tuesday.

Windows and Windows Server Patch Tuesday February 2022 updates

This month Microsoft patched a remote code execution vulnerability (CVE-2022-21984) in Microsoft DNS server. The bug can only be exploited if dynamic DNS updates are enabled on the server. If you have dynamic updates enabled, it could let a malicious actor run code on the server with admin rights.

A remote code execution flaw in Hyper-V could let an attacker escape a guest virtual machine and access the host server. Microsoft has rated the issue High. But if you are using Hyper-V, you should get your servers patched as soon as possible.

There are also updates for Microsoft’s HVEC and VP9 video extensions for Windows. The extensions are distributed using the Microsoft Store, as are the updates available for them this month.

A Denial of Service (DoS) vulnerability in the .NET Framework affects applications that work with the Kestrel web server. Kestrel is a cross-platform server that is designed to work with ASP.NET Core. It is included and enabled by default with ASP.NET Core project templates.

So, if you have a Kestrel server exposed on the public Internet, make sure you get the patch for .NET applied to block DoS attacks using HTTP/2 and HTTP/3 requests.

Microsoft Teams

It’s not often I write here about security updates for Microsoft Teams. But this month, there’s a patch for all versions of Teams on all platforms, including iOS and Android. Microsoft hasn’t made any details about the flaw public yet.

SharePoint Server

There’s a fix this month to patch a bug in SharePoint Server (CVE-2022-22005) that might allow any authenticated user to run .NET code in the context of the SharePoint Web Application service account. The user would need Manage List permissions to exploit the flaw.

Microsoft Office

Outlook for Mac gets a patch for a security feature bypass flaw that might cause images to appear in the Preview Pane automatically, regardless of whether the option is turned on or off. Update Outlook on Mac to get the patch for this issue.

Table 1 – Microsoft Patch Tuesday updates, February 2021

Product Impact Severity Article Download Details
PowerBI-client JS SDK Information Disclosure Important Release Notes Security Update CVE-2022-23254
.NET 6.0 Denial of Service Important Release Notes Security Update CVE-2022-21986
Microsoft Teams Admin Center Denial of Service Important Release Notes Security Update CVE-2022-21965
SQL Server 2019 for Linux Containers Elevation of Privilege Important 5010657 Security Update CVE-2022-23276
Microsoft Outlook 2016 for Mac Security Feature Bypass Important App Store Security Update CVE-2022-23280
Microsoft Dynamics GP Remote Code Execution Important Release Notes Security Update CVE-2022-23274
Microsoft Dynamics GP Elevation of Privilege Important Release Notes Security Update CVE-2022-23273
Microsoft Dynamics GP Elevation of Privilege Important Release Notes Security Update CVE-2022-23272
Microsoft Dynamics GP Elevation of Privilege Important Release Notes Security Update CVE-2022-23271
Microsoft Dynamics GP Spoofing Important Release Notes Security Update CVE-2022-23269
Azure Data Explorer Spoofing Important CVE-2022-23256
OneDrive for Android Security Feature Bypass Important App Store Security Update CVE-2022-23255
Microsoft Office 2013 Service Pack 1 (64-bit editions) Information Disclosure Important 3172514 Security Update CVE-2022-23252
Microsoft Office 2013 Service Pack 1 (64-bit editions) Remote Code Execution Important 5002146 Security Update CVE-2022-22003
Microsoft SharePoint Server Subscription Edition Remote Code Execution Important 5002145 Security Update CVE-2022-22005
Microsoft 365 Apps for Enterprise for 64-bit Systems Remote Code Execution Important Click to Run Security Update CVE-2022-22004
Windows Server 2012 R2 (Server Core installation) Denial of Service Important 5010419 Monthly Rollup CVE-2022-22002
Windows Server 2012 R2 (Server Core installation) Elevation of Privilege Important 5010419 Monthly Rollup CVE-2022-22001
Windows Server 2012 R2 (Server Core installation) Elevation of Privilege Important 5010419 Monthly Rollup CVE-2022-22000
Windows Server 2012 R2 (Server Core installation) Elevation of Privilege Important 5010419 Monthly Rollup CVE-2022-21999
Windows Server 2012 R2 (Server Core installation) Information Disclosure Important 5010419 Monthly Rollup CVE-2022-21998
Windows Server 2012 R2 (Server Core installation) Elevation of Privilege Important 5010419 Monthly Rollup CVE-2022-21997
Windows 11 for ARM64-based Systems Elevation of Privilege Important 5010386 Security Update CVE-2022-21996
Windows Server 2016  (Server Core installation) Remote Code Execution Important 5010359 Security Update CVE-2022-21995
Windows 10 Version 21H2 for x64-based Systems Elevation of Privilege Important 5010342 Security Update CVE-2022-21994
Windows Server 2012 R2 (Server Core installation) Information Disclosure Important 5010419 Monthly Rollup CVE-2022-21993
Windows Server 2016  (Server Core installation) Remote Code Execution Important 5010359 Security Update CVE-2022-21992
Visual Studio Code Remote Code Execution Important Release Notes Security Update CVE-2022-21991
Windows Server 2012 R2 (Server Core installation) Elevation of Privilege Important 5010419 Monthly Rollup CVE-2022-21989
Microsoft Office LTSC 2021 for 32-bit editions Remote Code Execution Important Click to Run Security Update CVE-2022-21988
Microsoft SharePoint Server Subscription Edition Spoofing Important 5002145 Security Update CVE-2022-21987
Microsoft Office Web Apps Server 2013 Service Pack 1 Information Disclosure Important 5002149 Security Update CVE-2022-22716
VP9 Video Extensions Remote Code Execution Important MS Store Information Security Update CVE-2022-22709
Microsoft SharePoint Foundation 2013 Service Pack 1 Security Feature Bypass Important 5002155 Security Update CVE-2022-21968
Microsoft Dynamics 365 (on-premises) version 9.0 Remote Code Execution Important CVE-2022-21957
Windows Server 2012 R2 (Server Core installation) Elevation of Privilege Important 5010419 Monthly Rollup CVE-2022-21981
Windows 10 Version 21H2 for x64-based Systems Remote Code Execution Important 5010342 Security Update CVE-2022-21984
Windows Server 2012 R2 (Server Core installation) Elevation of Privilege Important 5010419 Monthly Rollup CVE-2022-22718
Windows Server 2012 R2 (Server Core installation) Information Disclosure Important 5010419 Monthly Rollup CVE-2022-21985
Windows Server 2012 R2 (Server Core installation) Elevation of Privilege Important 5010419 Monthly Rollup CVE-2022-22717
Windows 10 Version 21H2 for x64-based Systems Elevation of Privilege Important 5010342 Security Update CVE-2022-22715
Windows 10 Version 21H2 for x64-based Systems Denial of Service Important 5010342 Security Update CVE-2022-22712
Windows Server 2016  (Server Core installation) Remote Code Execution Important 5010359 Security Update CVE-2022-21974
Windows 10 Version 21H2 for x64-based Systems Remote Code Execution Important 5010342 Security Update CVE-2022-21971
HEVC Video Extensions Remote Code Execution Important Description Security Update CVE-2022-21927
HEVC Video Extensions Remote Code Execution Important Description Security Update CVE-2022-21926
HEVC Video Extensions Remote Code Execution Important Description Security Update CVE-2022-21844
Windows Server 2012 R2 (Server Core installation) Denial of Service Important 5010419 Monthly Rollup CVE-2022-22710

Adobe

Adobe released 5 patches this month fixing 17 bugs in Illustrator, Creative Cloud Desktop, After Effects, Photoshop, and Premiere Rush, although none are thought to be used currently in active attacks.

The patch for Adobe Illustrator fixes a critical bug that could allow an attacker to run code of their choice on an affected system. The Creative Cloud Desktop update also plugs a critical remote code execution flaw.

Photoshop and After Effects also get critical security updates. And unusually, there aren’t any security fixes for Adobe Acrobat or Adobe Reader.

Windows Update testing and best practices

Organizations looking to deploy this month’s patches should conduct thorough testing before deploying them widely on production systems. That said, applying the patches widely shouldn’t be delayed longer than necessary as hackers start to work out how to weaponize newly reported vulnerabilities.

Best practice is to make sure you have backed up systems before applying updates. Every month, users experience issues with Windows updates that lead to systems not booting, application and hardware compatibility issues, or even data loss in extreme cases.

There are backup tools built into Windows and Windows Server that you can use to restore systems in the event a patch causes a problem. The backup features in Windows can be used to restore an entire system, or files and folders on a granular basis.

If you have any problems with this month’s patches, please let us know in the comments below. Other readers might be able to share their experiences in how to roll back problematic updates or mitigate issues caused by patches that are important to have in place.

But that is it for another month and happy patching!

Article saved!

Access saved content from your profile page. View Saved