- A pretty busy month for a Microsoft Patch Tuesday release, with 71 CVEs.
- Out of all the CVEs, 68 were marked as important, and none as moderate.
- However, the Redmond tech giant had to deal with three nasty Critical bugs.
- We've included each and everyone in this article, with direct links as well.
It’s that time of the month again, and everyone is looking towards Microsoft, in hopes that some of the flaws they’ve been struggling with will finally get fixed.
We’ve already provided the direct download links for the cumulative updates released today for Windows 10 and 11, but now it’s time to talk about Critical Vulnerabilities and Exposures again.
In terms of heft, this month’s release coincides with Merch releases from previous years, which are usually around 60-70 CVEs.
Let’s dive right into it and see what vulnerabilities are completely gone from our lives, now that these patches are live.
Three critical bugs dealt with this month
For the third month of 2022, Microsoft released 71 new patches. This is in addition to the 21 CVEs patched by Microsoft Edge (Chromium-based) earlier this month, which brings the March total to 92 CVEs.
So, the 71 new patches that became available today address CVEs in:
- .NET and Visual Studio
- Azure Site Recovery
- Microsoft Defender for Endpoint
- Microsoft Defender for IoT
- Microsoft Edge (Chromium-based)
- Microsoft Exchange Server
- Microsoft Intune
- Microsoft Office Visio
- Microsoft Office Word
- Microsoft Windows ALPC
- Microsoft Windows Codecs Library
- Paint 3D
- Role: Windows Hyper-V
- Skype Extension for Chrome
- Tablet Windows User Interface
- Visual Studio Code
- Windows Ancillary Function Driver for WinSock
- Windows CD-ROM Driver
- Windows Cloud Files Mini Filter Driver
- Windows COM
- Windows Common Log File System Driver
- Windows DWM Core Library
- Windows Event Tracing
- Windows Fastfat Driver
- Windows Fax and Scan Service
- Windows HTML Platform
- Windows Installer
- Windows Kernel
- Windows Media
- Windows PDEV
- Windows Point-to-Point Tunneling Protocol
- Windows Print Spooler Components
- Windows Remote Desktop
- Windows Security Support Provider Interface
- Windows SMB Server
- Windows Update Stack
- XBox
What’s also important to mention is that, out of the 71 CVEs released today, three are rated Critical and 68 are rated Important in severity.
The number of Critical-rated patches is again strangely low for this number of bugs, according to experts and some of the more tech-savvy users.
Furthermore, it is still uncertain if this low percentage of bugs is just a coincidence or if Microsoft might be evaluating the severity using different calculus than in the past.
CVE | Title | Severity | CVSS | Public | Exploited | Type |
CVE-2022-24512 | .NET and Visual Studio Remote Code Execution Vulnerability | Important | 6.3 | Yes | No | RCE |
CVE-2022-21990 | Remote Desktop Client Remote Code Execution Vulnerability | Important | 8.8 | Yes | No | RCE |
CVE-2022-24459 | Windows Fax and Scan Service Elevation of Privilege Vulnerability | Important | 7.8 | Yes | No | EoP |
CVE-2022-22006 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
CVE-2022-23277 | Microsoft Exchange Server Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
CVE-2022-24501 | VP9 Video Extensions Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
CVE-2022-24508 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2022-21967 | Xbox Live Auth Manager for Windows Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-24464 | .NET and Visual Studio Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2022-24469 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 8.1 | No | No | EoP |
CVE-2022-24506 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
CVE-2022-24515 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
CVE-2022-24518 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
CVE-2022-24519 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
CVE-2022-24467 | Azure Site Recovery Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
CVE-2022-24468 | Azure Site Recovery Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
CVE-2022-24470 | Azure Site Recovery Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
CVE-2022-24471 | Azure Site Recovery Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
CVE-2022-24517 | Azure Site Recovery Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
CVE-2022-24520 | Azure Site Recovery Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
CVE-2020-8927 * | Brotli Library Buffer Overflow Vulnerability | Important | 6.5 | No | No | N/A |
CVE-2022-24457 | HEIF Image Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-22007 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-23301 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-24452 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-24453 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-24456 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-21977 | Media Foundation Information Disclosure Vulnerability | Important | 3.3 | No | No | Info |
CVE-2022-22010 | Media Foundation Information Disclosure Vulnerability | Important | 4.4 | No | No | Info |
CVE-2022-23278 | Microsoft Defender for Endpoint Spoofing Vulnerability | Important | 5.9 | No | No | Spoofing |
CVE-2022-23266 | Microsoft Defender for IoT Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-23265 | Microsoft Defender for IoT Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
CVE-2022-24463 | Microsoft Exchange Server Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
CVE-2022-24465 | Microsoft Intune Portal for iOS Security Feature Bypass Vulnerability | Important | 3.3 | No | No | SFB |
CVE-2022-24461 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-24509 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-24510 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-24511 | Microsoft Office Word Tampering Vulnerability | Important | 5.5 | No | No | Tampering |
CVE-2022-24462 | Microsoft Word Security Feature Bypass Vulnerability | Important | 5.5 | No | No | SFB |
CVE-2022-23282 | Paint 3D Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-23253 | Point-to-Point Tunneling Protocol Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
CVE-2022-23295 | Raw Image Extension Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-23300 | Raw Image Extension Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-23285 | Remote Desktop Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2022-24503 | Remote Desktop Protocol Client Information Disclosure Vulnerability | Important | 5.4 | No | No | Info |
CVE-2022-24522 | Skype Extension for Chrome Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
CVE-2022-24460 | Tablet Windows User Interface Application Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-24526 | Visual Studio Code Spoofing Vulnerability | Important | 6.1 | No | No | Spoofing |
CVE-2022-24451 | VP9 Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2022-23283 | Windows ALPC Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-23287 | Windows ALPC Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-24505 | Windows ALPC Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-24507 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-24455 | Windows CD-ROM Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-23286 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-23281 | Windows Common Log File System Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2022-23288 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-23291 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-23294 | Windows Event Tracing Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2022-23293 | Windows Fast FAT File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-24502 | Windows HTML Platforms Security Feature Bypass Vulnerability | Important | 4.3 | No | No | SFB |
CVE-2022-21975 | Windows Hyper-V Denial of Service Vulnerability | Important | 4.7 | No | No | DoS |
CVE-2022-23290 | Windows Inking COM Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-23296 | Windows Installer Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-21973 | Windows Media Center Update Denial of Service Vulnerability | Important | 5.5 | No | No | DoS |
CVE-2022-23297 | Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2022-23298 | Windows NT OS Kernel Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-23299 | Windows PDEV Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-23284 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.2 | No | No | EoP |
CVE-2022-24454 | Windows Security Support Provider Interface Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2022-24525 | Windows Update Stack Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2022-0789 | Chromium: Heap buffer overflow in ANGLE | High | N/A | No | No | RCE |
CVE-2022-0797 | Chromium: Out of bounds memory access in Mojo | High | N/A | No | No | RCE |
CVE-2022-0792 | Chromium: Out of bounds read in ANGLE | High | N/A | No | No | RCE |
CVE-2022-0795 | Chromium: Type Confusion in Blink Layout | High | N/A | No | No | RCE |
CVE-2022-0790 | Chromium: Use after free in Cast UI | High | N/A | No | No | RCE |
CVE-2022-0796 | Chromium: Use after free in Media | High | N/A | No | No | RCE |
CVE-2022-0791 | Chromium: Use after free in Omnibox | High | N/A | No | No | RCE |
CVE-2022-0793 | Chromium: Use after free in Views | High | N/A | No | No | RCE |
CVE-2022-0794 | Chromium: Use after free in WebShare | High | N/A | No | No | RCE |
CVE-2022-0800 | Chromium: Heap buffer overflow in Cast UI | Medium | N/A | No | No | RCE |
CVE-2022-0807 | Chromium: Inappropriate implementation in Autofill | Medium | N/A | No | No | Info |
CVE-2022-0802 | Chromium: Inappropriate implementation in Full screen mode | Medium | N/A | No | No | Info |
CVE-2022-0804 | Chromium: Inappropriate implementation in Full screen mode | Medium | N/A | No | No | Info |
CVE-2022-0801 | Chromium: Inappropriate implementation in HTML parser | Medium | N/A | No | No | Tampering |
CVE-2022-0803 | Chromium: Inappropriate implementation in Permissions | Medium | N/A | No | No | SFB |
CVE-2022-0799 | Chromium: Insufficient policy enforcement in Installer | Medium | N/A | No | No | SFB |
CVE-2022-0809 | Chromium: Out of bounds memory access in WebXR | Medium | N/A | No | No | RCE |
CVE-2022-0805 | Chromium: Use after free in Browser Switcher | Medium | N/A | No | No | RCE |
CVE-2022-0808 | Chromium: Use after free in Chrome OS Shell | Medium | N/A | No | No | RCE |
CVE-2022-0798 | Chromium: Use after free in MediaStream | Medium | N/A | No | No | RCE |
Keep in mind that none of the bugs is listed as under active exploit this month, while three are listed as publicly known at the time of release.
These are all the CVEs addressed with this month’s Patch Tuesday release. Overall, this was a pretty hefty but secure month, compared to previous situations.
The next Patch Tuesday batch of software will come on April 12 and we’re all curious to see what Microsoft comes up with until then.
Let’s all hope that we won’t have to deal with critical problems, and that’s it will only be smooth sailing from now on.
Was this article helpful to you? Share your opinion in the comments section below.
ncG1vNJzZmivmaOxsMPSq5ypp6Kpe6S7zGinmqyTnXq1wcSsm5qxXaKus6%2FHZmlpamJk