Patch Tuesday – March 2022

Microsoft released fixes for 71 CVEs this month, 3 of which are rated Critical and 68 Important. Three were publicly known before the patches were released, but none were reported as being exploited in the wild at release time.

Windows and Windows Server

Microsoft released an update for CVE-2022-21990, a remote code execution flaw in the Remote Desktop Client. To exploit it, an attacker has to persuade a user to connect with a vulnerable client to a malicious RDP server; the attacker can then run code on the connecting client. Note that this is a client-side bug, so the machines at risk are the workstations and jump hosts your users initiate RDP connections from, not the RDP servers they connect to.

A remote code execution bug (CVE-2022-24508) in the Windows SMBv3 client and server components also gets patched. The attacker must be authenticated, which raises the bar somewhat, but an authenticated SMB remote code execution bug is exactly the kind of flaw used for lateral movement once one set of credentials has been obtained, so patch it quickly and keep TCP port 445 blocked at the network perimeter in the meantime.

There are also Critical remote code execution fixes for the HEVC and VP9 video extensions in Windows (along with Important fixes for the HEIF and Raw Image extensions). These components are delivered through the Microsoft Store rather than Windows Update, so if you have them installed they should update automatically, provided you haven't turned off automatic updates for Store apps. Because they don't appear in the usual Windows Update inventory, they are easy to overlook when checking patch compliance.

Elevation of privilege bugs in the following Windows components also get fixes:

  • FAT file system
  • Fax and Scan Service
  • CD-ROM driver
  • Windows PDEV

Hyper-V gets a patch for a denial of service (DoS) flaw, and another DoS flaw is patched in the Point-to-Point Tunneling Protocol (PPTP).

Microsoft Azure

This month Azure gets fixes for 11 CVEs in the Azure Site Recovery service, all in the VMware-to-Azure scenario: five elevation of privilege flaws and six remote code execution bugs. These affect the on-premises Site Recovery components rather than something Microsoft patches for you in the cloud, so if you use Azure Site Recovery for your organization's disaster recovery, check the release notes and update the affected components as soon as you can.

Exchange Server

There's a patch for a remote code execution bug in Microsoft Exchange Server (CVE-2022-23277), one of this month's three Critical fixes. The flaw could let an authenticated attacker run code with elevated rights over the network. Because exploitation is straightforward once an attacker has credentials, you should patch your Exchange servers as soon as possible. But of course, only after testing the patch.

Microsoft Office

It's not often I mention Visio here, in fact this might be a first. But this month, there are three remote code execution patches for Microsoft's diagramming software.

And Microsoft Word gets a patch for a tampering flaw (CVE-2022-24511), an integrity rather than confidentiality issue, for which the Preview Pane is an attack vector. That means a crafted document can trigger the bug when it is previewed, without the user opening it.

Visual Studio

And if you are a developer using Visual Studio, make sure you update your software this month to get the patch for a publicly disclosed remote code execution vulnerability (CVE-2022-24512) in .NET and Visual Studio, along with fixes for a denial of service bug in Visual Studio 2022 and a spoofing bug in Visual Studio Code.

Table 1 – Microsoft Patch Tuesday updates, March 2022 (one affected product is listed per CVE; Article is the KB number or the location of the release notes, Download is the update package type)

Product | Impact | Severity | Article | Download | Details
Microsoft Defender for Endpoint EDR sensor | Spoofing | Important | Information | Security Update | CVE-2022-23278
Windows 10 for 32-bit Systems | Elevation of Privilege | Important | 5011491 | Security Update | CVE-2022-23283
Windows Server 2016 (Server Core installation) | Elevation of Privilege | Important | 5011495 | Security Update | CVE-2022-23293
Windows 10 Version 21H1 for 32-bit Systems | Elevation of Privilege | Important | 5011487 | Security Update | CVE-2022-23288
Windows 10 Version 21H1 for 32-bit Systems | Elevation of Privilege | Important | 5011487 | Security Update | CVE-2022-24525
Windows Server 2016 (Server Core installation) | Elevation of Privilege | Important | 5011495 | Security Update | CVE-2022-23287
Microsoft Visual Studio 2022 version 17.0 | Remote Code Execution | Important | Release Notes | Security Update | CVE-2020-8927
Microsoft Visual Studio 2019 version 16.9 (includes 16.0 – 16.8) | Remote Code Execution | Important | Release Notes | Security Update | CVE-2022-24512
Microsoft Exchange Server 2019 Cumulative Update 11 | Spoofing | Important | 5012698 | Security Update | CVE-2022-24463
Microsoft 365 Apps for Enterprise for 64-bit Systems | Tampering | Important | Click to Run | Security Update | CVE-2022-24511
Microsoft Office LTSC 2021 for 32-bit editions | Security Feature Bypass | Important | Click to Run | Security Update | CVE-2022-24462
Windows 10 Version 21H1 for 32-bit Systems | Information Disclosure | Important | 5011487 | Security Update | CVE-2022-24503
Windows 10 Version 1909 for ARM64-based Systems | Elevation of Privilege | Important | 5011485 | Security Update | CVE-2022-24455
Windows Server, version 20H2 (Server Core Installation) | Elevation of Privilege | Important | 5011487 | Security Update | CVE-2022-24454
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | Elevation of Privilege | Important | 5011534 | Monthly Rollup | CVE-2022-24459
Windows 10 Version 20H2 for x64-based Systems | Security Feature Bypass | Important | 5011487 | Security Update | CVE-2022-24502
Windows Server, version 20H2 (Server Core Installation) | Elevation of Privilege | Important | 5011487 | Security Update | CVE-2022-23299
Windows Server 2022 | Elevation of Privilege | Important | 5011497 | Security Update | CVE-2022-23298
Windows 10 Version 1809 for 32-bit Systems | Remote Code Execution | Important | 5011503 | Security Update | CVE-2022-23294
Windows Server 2012 R2 (Server Core installation) | Elevation of Privilege | Important | 5011564 | Monthly Rollup | CVE-2022-23290
Windows RT 8.1 | Remote Code Execution | Important | 5011486 | IE Cumulative | CVE-2022-23285
Windows Server 2012 R2 (Server Core installation) | Elevation of Privilege | Important | 5011564 | Monthly Rollup | CVE-2022-23284
Windows 10 Version 21H2 for x64-based Systems | Elevation of Privilege | Important | 5011487 | Security Update | CVE-2022-23291
Microsoft 365 Apps for Enterprise for 64-bit Systems | Remote Code Execution | Important | Click to Run | Security Update | CVE-2022-24461
Windows 11 for x64-based Systems | Elevation of Privilege | Important | 5011493 | Security Update | CVE-2022-24460
Windows 10 for x64-based Systems | Information Disclosure | Important | 5011491 | Security Update | CVE-2022-23281
Windows 10 Version 1607 for x64-based Systems | Information Disclosure | Important | 5011495 | Security Update | CVE-2022-23297
Windows 8.1 for x64-based systems | Elevation of Privilege | Important | 5011564 | Monthly Rollup | CVE-2022-23296
Windows 10 Version 21H2 for x64-based Systems | Information Disclosure | Important | 5011487 | Security Update | CVE-2022-22010
Windows 10 Version 21H2 for 32-bit Systems | Information Disclosure | Important | 5011487 | Security Update | CVE-2022-21977
Windows 10 Version 21H1 for 32-bit Systems | Remote Code Execution | Important | 5011487 | Security Update | CVE-2022-24508
Microsoft Exchange Server 2019 Cumulative Update 11 | Remote Code Execution | Critical | 5012698 | Security Update | CVE-2022-23277
Windows Server 2016 (Server Core installation) | Elevation of Privilege | Important | 5011495 | Security Update | CVE-2022-24507
Microsoft Defender for IoT | Elevation of Privilege | Important | Release Notes | Security Update | CVE-2022-23266
Microsoft Defender for IoT | Remote Code Execution | Important | Release Notes | Security Update | CVE-2022-23265
Windows Server 2012 R2 (Server Core installation) | Denial of Service | Important | 5011564 | Monthly Rollup | CVE-2022-23253
Windows 10 Version 21H2 for ARM64-based Systems | Remote Code Execution | Important | 5011487 | Security Update | CVE-2022-21990
Azure Site Recovery VMWare to Azure | Elevation of Privilege | Important | Release Notes | Security Update | CVE-2022-24519
Azure Site Recovery VMWare to Azure | Elevation of Privilege | Important | Release Notes | Security Update | CVE-2022-24518
Azure Site Recovery VMWare to Azure | Remote Code Execution | Important | Release Notes | Security Update | CVE-2022-24470
Azure Site Recovery VMWare to Azure | Remote Code Execution | Important | Release Notes | Security Update | CVE-2022-24467
Azure Site Recovery VMWare to Azure | Elevation of Privilege | Important | Release Notes | Security Update | CVE-2022-24515
Azure Site Recovery VMWare to Azure | Elevation of Privilege | Important | Release Notes | Security Update | CVE-2022-24506
Microsoft Visual Studio 2022 version 17.0 | Denial of Service | Important | Release Notes | Security Update | CVE-2022-24464
Skype Extension for Chrome | Information Disclosure | Important | Release Notes | Security Update | CVE-2022-24522
Intune Company Portal for iOS | Security Feature Bypass | Important | Release Notes | Security Update | CVE-2022-24465
Visual Studio Code | Spoofing | Important | Release Notes | Security Update | CVE-2022-24526
Microsoft Office LTSC 2021 for 32-bit editions | Remote Code Execution | Important | Click to Run | Security Update | CVE-2022-24510
Windows 10 Version 20H2 for x64-based Systems | Denial of Service | Important | 5011487 | Security Update | CVE-2022-21975
Microsoft Office LTSC 2021 for 32-bit editions | Remote Code Execution | Important | Click to Run | Security Update | CVE-2022-24509
Azure Site Recovery VMWare to Azure | Elevation of Privilege | Important | Release Notes | Security Update | CVE-2022-24469
Azure Site Recovery VMWare to Azure | Remote Code Execution | Important | Release Notes | Security Update | CVE-2022-24517
Azure Site Recovery VMWare to Azure | Remote Code Execution | Important | Release Notes | Security Update | CVE-2022-24468
Azure Site Recovery VMWare to Azure | Remote Code Execution | Important | Release Notes | Security Update | CVE-2022-24471
Azure Site Recovery VMWare to Azure | Remote Code Execution | Important | Release Notes | Security Update | CVE-2022-24520
Windows 10 Version 1607 for x64-based Systems | Elevation of Privilege | Important | 5011495 | Security Update | CVE-2022-21967
HEIF Image Extension | Remote Code Execution | Important | Update Information | Security Update | CVE-2022-24457
VP9 Video Extensions | Remote Code Execution | Important | MS Store Information | Security Update | CVE-2022-24451
Raw Image Extension | Remote Code Execution | Important | Update Information | Security Update | CVE-2022-23300
VP9 Video Extensions | Remote Code Execution | Critical | MS Store Information | Security Update | CVE-2022-24501
Raw Image Extension | Remote Code Execution | Important | Update Information | Security Update | CVE-2022-23295
HEVC Video Extensions | Remote Code Execution | Important | Update Information | Security Update | CVE-2022-24456
HEVC Video Extensions | Remote Code Execution | Important | Update Information | Security Update | CVE-2022-24453
HEVC Video Extensions | Remote Code Execution | Important | Update Information | Security Update | CVE-2022-24452
HEVC Video Extensions | Remote Code Execution | Important | Update Information | Security Update | CVE-2022-22007
HEVC Video Extensions | Remote Code Execution | Critical | Update Information | Security Update | CVE-2022-22006
Windows Server 2012 R2 (Server Core installation) | Denial of Service | Important | 5011564 | Monthly Rollup | CVE-2022-21973
HEVC Video Extensions | Remote Code Execution | Important | Update Information | Security Update | CVE-2022-23301
Paint 3D | Remote Code Execution | Important | Release Notes | Security Update | CVE-2022-23282
Windows Server 2016 (Server Core installation) | Elevation of Privilege | Important | 5011495 | Security Update | CVE-2022-24505
Windows 10 Version 21H2 for x64-based Systems | Elevation of Privilege | Important | 5011487 | Security Update | CVE-2022-23286
Adobe

Last but never least, Adobe released three security bulletins in March that address six CVEs in the following products:

  • Photoshop
  • Illustrator
  • After Effects

The After Effects and Illustrator patches are rated Critical, both addressing buffer overflows that could lead to code execution when a crafted file is opened. The Photoshop fix patches a memory leak and is rated Important.

Windows Update testing and best practices

Organizations looking to deploy this month's patches should test them on a representative pilot group before deploying them widely on production systems. That said, wide deployment shouldn't be delayed longer than necessary, because attackers start working out how to weaponize newly reported vulnerabilities as soon as the patches (and the diffs they contain) are public.

Best practice is to make sure you have backed up systems before applying updates. Every month, users experience issues with Windows updates that lead to systems not booting, application and hardware compatibility issues, or even data loss in extreme cases.

There are backup tools built into Windows and Windows Server (System Restore on client editions and Windows Server Backup on servers) that you can use to restore systems in the event a patch causes a problem. These can restore an entire system, or files and folders on a granular basis, and a cumulative update can usually also be uninstalled on its own without a full restore.
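The following PowerShell is an added example, not code from the original post: it takes the KB numbers from Table 1 and checks whether the right March cumulative update is installed on a set of machines, snapshots a machine before patching, lists the Store-delivered media extensions (which Get-HotFix cannot see, as noted in the Windows section above), reads the Exchange build after the Exchange security update, and shows how to uninstall a problematic update. The mapping from OS build number to Windows version is the standard one; the computer names and the backup target drive are placeholders.

```powershell
# Added example (not from the original post). KB numbers are taken from
# Table 1; OS build numbers are the standard builds for each Windows version;
# computer names and the backup target (E:) are placeholders.

# Build-to-KB map for this month's cumulative updates and monthly rollups.
$MarchKBs = @{
    '9600'  = 'KB5011564'  # Windows 8.1 / Server 2012 R2 (Monthly Rollup)
    '14393' = 'KB5011495'  # Windows 10 1607 / Server 2016
    '17763' = 'KB5011503'  # Windows 10 1809 / Server 2019
    '18363' = 'KB5011485'  # Windows 10 1909
    '19042' = 'KB5011487'  # Windows 10 20H2 / Server, version 20H2
    '19043' = 'KB5011487'  # Windows 10 21H1
    '19044' = 'KB5011487'  # Windows 10 21H2
    '20348' = 'KB5011497'  # Windows Server 2022
    '22000' = 'KB5011493'  # Windows 11
}

function Test-MarchUpdate {
    # Returns one object per computer: the build, the KB Table 1 says it
    # needs, and whether Get-HotFix reports that KB as installed.
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($c in $ComputerName) {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $c
        $kb = $MarchKBs[$os.BuildNumber]
        $hotfix = if ($kb) { Get-HotFix -Id $kb -ComputerName $c -ErrorAction SilentlyContinue }
        [pscustomobject]@{
            Computer    = $c
            Build       = $os.BuildNumber
            ExpectedKB  = if ($kb) { $kb } else { 'not in table' }
            Installed   = [bool]$hotfix
            InstalledOn = $hotfix.InstalledOn
        }
    }
}

# 1. Before patching: a restore point on client SKUs (System Restore must be
#    enabled), a system-state/bare-metal backup on servers (needs the Windows
#    Server Backup feature). ProductType 1 = workstation, 2/3 = server.
$local = Get-CimInstance -ClassName Win32_OperatingSystem
if ($local.ProductType -eq 1) {
    Checkpoint-Computer -Description 'Pre March 2022 CU' -RestorePointType MODIFY_SETTINGS
} else {
    wbadmin start backup -backupTarget:E: -allCritical -quiet
}

# 2. Deploy to a pilot ring first, then check compliance before going wider.
$pilot = 'WS-PILOT01', 'WS-PILOT02'   # placeholder names
Test-MarchUpdate -ComputerName $pilot | Format-Table -AutoSize

# 3. The HEVC/VP9/HEIF/Raw Image extensions come from the Microsoft Store, so
#    they never show up in Get-HotFix. List installed versions (needs an
#    elevated prompt for -AllUsers) and compare with each CVE's Store advisory.
Get-AppxPackage -AllUsers |
    Where-Object Name -match 'HEVCVideoExtension|VP9VideoExtensions|HEIFImageExtension|RawImageExtension' |
    Select-Object Name, Version

# 4. On an Exchange server, the security update raises the ExSetup.exe file
#    version; compare it with the build listed for KB5012698.
Get-Command ExSetup.exe -ErrorAction SilentlyContinue |
    ForEach-Object { $_.FileVersionInfo.FileVersion }

# 5. Rolling back a cumulative update that broke something in the pilot ring
#    (a reboot is required afterwards). Uncomment to run:
# wusa.exe /uninstall /kb:5011487 /quiet /norestart
```

Run Test-MarchUpdate against the whole estate once the pilot ring has soaked for a few days; machines that report Installed = False against a known KB are the ones to chase, and machines whose build is "not in table" are either newer than this table or out of support and need a separate look.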

If you have any problems with this month’s patches, please let us know in the comments below. Other readers might be able to share their experiences in how to roll back problematic updates or mitigate issues caused by patches that are important to have in place.

But that is it for another month and happy patching!