Two Zero-Days Fixed in December Patch Tuesday

The final Microsoft Patch Tuesday of 2022 addressed nearly a half century of vulnerabilities including two zero-days, one of which is being exploited in the wild.

A handful of the bugs are rated “critical” while 13 are described by Microsoft as “more likely to be exploited,” meaning there’s still plenty of work to do for sysadmins at the end of the year.

The zero-day that is currently being exploited is CVE-2022-44698 – a security feature bypass vulnerability in Windows SmartScreen. This tool works with the vendor’s Mark of the Web (MOTW) functionality which flags files downloaded from the internet, according to Satnam Narang, senior staff research engineer at Tenable.

“This vulnerability can be exploited in multiple scenarios, including through malicious websites and malicious attachments delivered over email or messaging services,” he added.

“They require a potential victim to visit the malicious website or open a malicious attachment in order to bypass SmartScreen.”

However, the proof-of-concept code for the bug is not thought to have been publicly disclosed as yet.

The second zero-day is CVE-2022-44710 – an elevation of privilege vulnerability in the DirectX Graphics Kernel which was publicly disclosed prior to a patch becoming available, but is not yet being exploited.

“It is considered to be a flaw that is less likely to be exploited based on Microsoft’s Exploitability Index,” confirmed Narang.

Mike Walters, VP of vulnerability and threat research at Action1, pointed to critical PowerShell vulnerability CVE-2022-41076 as worthy of attention. It affects all Windows OS versions from Windows 7 and Windows Server 2008 R2 on.

“This critical vulnerability has a high CVSS risk score of 8.5, because any authenticated user can trigger the vulnerability and run unapproved PowerShell commands execution in the target system, even though the exploitation does require some preparation from the attacker,” Walters explained.

CVE-2022-44693 is a critical remote code execution vulnerability in SharePoint with a CVSS score of 8.8. Crucially it’s of low complexity and requires no privilege escalation.

“To exploit it, attackers only need access to the basic user account with Manage List permissions, which most companies grant to all SharePoint users by default,” warned Walters.

“This vulnerability does not require user interaction; once attackers get the appropriate credentials, they can execute code remotely on a target SharePoint server.”

Editorial credit icon image: Paolo Bona / Shutterstock.com