Microsoft has released this month’s score of patches for Windows security flaws, fixing a bug found in February that prevented some users from erasing all their files after a system reset.
The Windows manual reset option is designed to effectively restore a device to its factory-shipped settings, removing user data. Microsoft published a workaround at the time, but the updates to Windows 11 and Windows 10 released on Tuesday will eliminate the bug, though Microsoft did say it may take up to seven days for the changes to take effect.
A total of 92 vulnerabilities were patched across Windows and other Microsoft products, including three critical-rated remote code execution (RCE) vulnerabilities and three security feature bypass flaws.
Two of the critical-rated flaws affected Video Extensions for advertisements, tracked as CVE-2022-24501 and CVE-2022-22006, and both were able to be exploited to achieve RCE with a ‘low’ attack complexity.
In both cases, an attacker would need to convince a user to download a specially crafted file that would lead to a crash. Successful attackers would also need local access to a victim’s machine, either via its mouse and keyboard or a secure shell connection (SSH).
The other critical flaw, tracked as CVE-2022-23277, is a remote code execution vulnerability in Microsoft Exchange Server with a low degree of attack complexity and low privileges required to exploit. In all three cases, there is no known exploit code available, but patching is still recommended, especially for security vulnerabilities of this severity.
“The vulnerability most likely to raise eyebrows this month is CVE-2022-23277, a Critical RCE affecting Exchange Server,” said Greg Wiseman, lead product manager at Rapid7.
“Thankfully, this is a post-authentication vulnerability, meaning attackers need credentials to exploit it. Although passwords can be obtained via phishing and other means, this one shouldn’t be as rampantly exploited as the deluge of Exchange vulnerabilities we saw throughout 2021. Exchange administrators should still patch as soon as reasonably possible.
A total of 29 RCE vulnerabilities were addressed in Microsoft’s March ‘Patch Tuesday’, and three of the total 92 flaws had been previously disclosed.
RELATED RESOURCE
Successful WAN and security transformation powers the digital enterprise
Applications are delivered in the cloud - security should be too
Of these three previously known issues, both CVE-2022-21990 and CVE-2022-24459, RCE and privilege escalation vulnerabilities respectively, have known proofs-of-concept (PoC) available but no exploitation has been observed in the wild.
The final known vulnerability was an RCE flaw affecting .NET and Visual Studio; this has also now been patched but no PoC code is thought to have been developed, Microsoft said. It would be difficult to exploit this vulnerability alone, and would be more likely used as part of a chained attack, it added.
Other vulnerabilities such as privilege escalation, security feature bypass, information disclosure, denial of service, and spoofing flaws were also found across Microsoft’s products. All updates are available in the Microsoft Update Catalog now.
-
Asus ZenScreen Fold OLED MQ17QH reviewReviews A stunning foldable 17.3in OLED display – but it's too expensive to be anything more than a thrilling tech demo
-
How the UK MoJ achieved secure networks for prisons and offices with Palo Alto NetworksCase study Adopting zero trust is a necessity when your own users are trying to launch cyber attacks
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
A journey to cyber resiliencewhitepaper DORA: Ushering in a new era of cyber security
