Microsoft released 51 patches on February 2022 Patch Tuesday to fix vulnerabilities, including one zero-day bug. That is considerably fewer than in recent months, when over 100 patches a month has been the norm; that said, Microsoft did release around 20 patches to fix vulnerabilities in the Chromium-based Microsoft Edge browser earlier this month. None of this month’s patches address critical issues; all have been rated important.
This month’s patches address vulnerabilities in Azure Data Explorer, Kestrel Web Server, Microsoft Dynamics, Microsoft Dynamics GP, Microsoft Office, Microsoft Office Components, Microsoft Teams, SQL Server, Visual Studio Code, Windows Hyper-V Server, Windows, Windows Codecs Library, and Windows Components.
The zero-day bug, CVE-2022-21989, is an elevation-of-privilege flaw in the Windows Kernel with a CVSS score of 7.8. None of this month’s vulnerabilities are believed to have been exploited in the wild, and while the zero-day bug has been rated "exploitation more likely", the complexity of exploiting the vulnerability will limit its usefulness to hackers.
Patches Released to Fix 17 Vulnerabilities in Adobe Products
Adobe released 17 patches on February 2022 Patch Tuesday to fix vulnerabilities in its products, with 13 of the patches addressing bugs in its vector graphics software, Adobe Illustrator. Patches have also been released to fix a single vulnerability in each of the following products: Adobe Premiere Rush, Adobe Photoshop, Adobe After Effects, and Adobe Creative Cloud Desktop.
The Adobe Illustrator bugs affect both the Windows and macOS versions and were discovered by security researchers at Fortinet. Two of the bugs, CVE-2022-23188 and CVE-2022-23186, are arbitrary code execution issues and have been rated critical, with CVSS severity scores of 7.8.
Seven flaws have been rated important with CVSS scores of 5.5: six are memory leak issues (CVE-2022-23190, CVE-2022-23191, CVE-2022-23192, CVE-2022-23193, CVE-2022-23194, CVE-2022-23195) and one is an application denial-of-service bug (CVE-2022-23189). The remaining four vulnerabilities have been rated moderate with CVSS scores of 3.3 (CVE-2022-23196, CVE-2022-23197, CVE-2022-23198, CVE-2022-23199).
A critical vulnerability has been patched in each of Adobe Photoshop (CVSS 7.8, CVE-2022-23203), Adobe After Effects (CVSS 7.8, CVE-2022-23200), and Adobe Creative Cloud Desktop (CVSS 7.0, CVE-2022-23202), all of which allow arbitrary code execution, and a moderate-severity privilege escalation bug has been patched in Adobe Premiere Rush (CVE-2022-23204).
All of the Adobe vulnerabilities have been given a patching priority of 3, as they are not typically products that are targeted by hackers; however, prompt patching is still recommended.