December 2022 Patch Tuesday sees Microsoft release patches to fix 49 flaws across its product suite, including fixes for two zero-day flaws, one of which is being actively exploited in the wild. Six of the vulnerabilities are rated critical, 40 are rated important, and 2 are moderate. 13 of the flaws have been rated as “more likely to be exploited”. Patches were also released to fix 24 vulnerabilities in Microsoft Edge earlier this month.
The actively exploited zero-day bug is tracked as CVE-2022-44698 and is a security feature bypass vulnerability in Windows SmartScreen, which works with Microsoft’s Mark of the Web (MOTW) function that flags files downloaded from the Internet. The bug can be exploited when a user visits a maliciously crafted website or opens a malicious file delivered via email. The flaw is known to have been exploited in attacks distributing Magniber ransomware. While the flaw is being actively exploited, a proof-of-concept (PoC) exploit is not believed to be in the public domain.
The second zero-day bug is tracked as CVE-2022-44710 and is a privilege escalation vulnerability in the DirectX Graphics Kernel. This zero-day was publicly disclosed before a patch was released but has not yet been exploited in the wild. The flaw is a race condition issue that could be exploited to gain SYSTEM privileges. Microsoft considers exploitation of this bug to be less likely.
The critical flaws affect Microsoft Office SharePoint (CVE-2022-44690 & CVE-2022-44693 – both have a CVSS score of 8.8), Windows Secure Socket Tunneling Protocol (CVE-2022-44670 & CVE-2022-44676 – both have a CVSS score of 8.1), Microsoft Dynamics (CVE-2022-41127 – CVSS 8.5), and Windows PowerShell (CVE-2022-41076 – CVSS 8.5). While all of these vulnerabilities are rated critical, Microsoft says exploitation is unlikely or less likely.
Apple has issued 9 advisories about security vulnerabilities across its suite of products, including an actively exploited zero-day bug. The zero-day bug is tracked as CVE-2022-42856 and is a type confusion issue in the WebKit browser engine that can be exploited to achieve arbitrary code execution by convincing a user to visit a specially crafted website. The flaw has been fixed in iOS, iPadOS, macOS, tvOS, and the Safari browser, although the bug has only been exploited on iPhones running iOS versions prior to 15.1.
macOS Ventura 13.1 includes patches to fix 36 vulnerabilities, macOS Big Sur 11.7.2 fixes 10 vulnerabilities, and macOS Monterey 12.6.2 has fixes for 13 bugs. iOS 16.2 and iPadOS 16.2 have had 33 issues fixed, and 17 issues have been fixed in iOS 15.7.2 and iPadOS 15.7.2. tvOS 16.2 includes fixes for 26 bugs, watchOS 9.2 includes 23 fixes, Safari 16.2 gets fixes for 8 issues, iCloud for Windows 14.1 gets 3
Adobe has released patches to fix 38 vulnerabilities across its product suite on December 2022 Patch Tuesday, with the bugs consisting of remote code execution, memory leaks, security bypass issues, and privilege escalation flaws.
Adobe’s enterprise content management tool, Adobe Experience Manager (AEM), received the bulk of the patches, with 33 CVEs fixed, which include two security bypass flaws and 31 remote code execution flaws with CVSS v3 severity scores ranging from 3.5 to 5.4. Adobe Illustrator received patches for four CVEs, all of which were memory leak issues rated important with CVSS v3 severity scores of 5.5. Adobe Campaign received a fix for a single privilege escalation flaw that was rated important.