Microsoft's Patch Tuesday for December included fixes for 48 vulnerabilities, including two zero days and seven critical flaws.
The two addressed zero-day vulnerabilities are CVE-2022-44698 and CVE-2022-44710. First disclosed Tuesday, CVE-2022-44698 impacts anti-phishing and anti-malware tool Windows SmartScreen and has been exploited in the wild.
The flaw, which has a CVSS 3.1 base score of 5.4, lets an attacker craft a malicious file that evades the Mark of the Web (MOTW) defense, causing "limited loss of integrity and availability of security features such as Protected View in Microsoft Office," Microsoft said. MOTW is the tag Windows attaches to files obtained from untrusted sources such as the internet; SmartScreen and Office Protected View consult that tag to decide whether to warn the user or open the file in a sandbox.
Ivanti vice president of product management Chris Goettl told TechTarget Editorial that the main purpose of this flaw is bypassing the reputation check and delivering a phishing lure more easily.
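As an added example (not code from the article or from Microsoft), the PowerShell below shows where MOTW actually lives and how to check for it: on NTFS it is an alternate data stream named `Zone.Identifier` whose `ZoneId` line records the origin zone (3 is Internet, 4 is Restricted Sites). The sample file name and URLs are constructed placeholders; the script tags a throwaway file the way a browser would, reads the zone back, then removes the tag with `Unblock-File` and reads it again.

```powershell
# Added example: inspect and manipulate Mark of the Web (MOTW) on a file.
# MOTW is an NTFS alternate data stream ("Zone.Identifier"); files without
# the stream, or copied to FAT/exFAT volumes where streams cannot exist,
# carry no MOTW and so bypass SmartScreen and Office Protected View.

function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    # Read the Zone.Identifier stream; a file with no stream has no MOTW.
    $stream = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $line = $stream | Where-Object { $_ -match '^ZoneId=(\d+)' } | Select-Object -First 1
    if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    return $null
}

function Get-UntaggedFiles {
    # List files in a directory that carry no MOTW at all, e.g. to review a
    # Downloads folder for documents that would open without Protected View.
    param([Parameter(Mandatory)][string]$Directory)
    Get-ChildItem -LiteralPath $Directory -File |
        Where-Object { $null -eq (Get-MotwZone $_.FullName) }
}

# Constructed sample: simulate a file saved by a browser from an untrusted site.
# The file name and URLs are placeholders (assumption), not real artifacts.
$sample = Join-Path $env:TEMP 'motw-demo.docx'
Set-Content -LiteralPath $sample -Value 'not a real document'
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value @(
    '[ZoneTransfer]',
    'ZoneId=3',
    'ReferrerUrl=https://example.invalid/',
    'HostUrl=https://example.invalid/report.docx'
)

# Zone as a browser download would set it (Internet zone).
Get-MotwZone $sample

# Unblock-File is the supported way to remove the tag: it deletes the stream,
# after which Get-MotwZone reports no zone and Protected View would not apply.
Unblock-File -LiteralPath $sample
Get-MotwZone $sample

# Files in the temp directory with no MOTW, including the now-unblocked sample.
Get-UntaggedFiles $env:TEMP | Select-Object -First 5 Name

Remove-Item -LiteralPath $sample
```

The practical check for this class of bypass is the same regardless of how the attacker stripped the tag: a file that arrived from outside and has no `Zone.Identifier` stream will not trigger SmartScreen or Protected View, so delivery paths that lose streams (archive formats, ISO/VHD containers, non-NTFS media) are the ones to watch.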
"The danger of this flaw is especially the fact that an attacker could host this on a website or send it as an email or instant message," he said. "They really just have to creatively convince a user to click on whatever they've crafted up. And as we all know, that's not too difficult. It's more of just a statistical challenge."
The second fixed zero-day vulnerability was CVE-2022-44710, a privilege escalation flaw in the DirectX graphics kernel. It has a CVSS 3.1 base score of 7.8 and requires an attacker to win a race condition to exploit. While CVE-2022-44710 is not under exploitation in the wild, details of the vulnerability were disclosed prior to the release of the patch on Tuesday.
Goettl said this vulnerability could result in a threat actor gaining kernel-level privileges. But it is also difficult to pull off.
"The conditions have to be right. But it's definitely a vulnerability that could be seen coming up in an attack chain where you have a few different vulnerabilities together and create a way for that attacker to get everything they need," he said.
Alongside the zero days were several notable flaws. Two high-severity remote code execution (RCE) flaws in Microsoft SharePoint Server, CVE-2022-44690 and CVE-2022-44693, were fixed. Both carry CVSS 3.1 scores of 8.8, below the 9+ range typical of unauthenticated RCE, because exploitation requires an attacker who is already authenticated to SharePoint; separately, Microsoft's Exploitability Index rated exploitation of both as "less likely."
PowerShell also saw an RCE vulnerability, CVE-2022-41076, which was given a CVSS score of 8.5. Microsoft said exploitation was "more likely" with the flaw and that any authenticated user can trigger it; the bug lets such a user escape a PowerShell Remoting Session Configuration and run commands the configuration was meant to block. PowerShell flaws draw particular attention not because PowerShell grants kernel-level access (it does not) but because it ships on every Windows system and is a standard tool for both remote administration and post-exploitation.
Goettl told TechTarget Editorial that December was more of a "low-key" Patch Tuesday. But it provided several takeaways for the vulnerabilities that were disclosed, including those from other software makers. One was to prioritize keeping browsers up to date, noting a number of bugs fixed in Mozilla browsers Tuesday and recent zero-days in Google Chrome.
"Browser-based vulnerabilities are some of the easier to target," Goettl said. "It is always good to just make sure your browsers are as up to date as possible whenever they've got a maintenance window coming around."
Another takeaway Goettl offered was that many organizations are worried about threat activity increasingly being timed for periods when fewer personnel are present, such as holidays. He said organizations should move from a "solve everything" approach to one that addresses that organization's very specific risks.
"It's not a numbers game. It's a conversation about what will reduce risk," he said. "I think that's the biggest thing. Focus on the risks."
Alexander Culafi is a writer, journalist and podcaster based in Boston.