Microsoft has provided patches to fix 71 vulnerabilities on March 2022 Patch Tuesday: 3 critical bugs and 68 important issues. Three of the flaws were publicly disclosed before a patch was released. None of the vulnerabilities are believed to have been exploited in the wild at the time the patches were released.
The critical flaws affect HEVC Video Extensions – CVE-2022-22006 (CVSS 7.8), VP9 Video Extensions (CVSS 7.8), and Microsoft Exchange Server – CVE-2022-23277 (CVSS 8.8). The first two bugs could be exploited if a user is convinced to download and run a specially crafted file, and could cause a crash. The Exchange Server vulnerability is due to the server failing to correctly handle objects in memory and could be exploited through a network call. While this is a post-authentication vulnerability, Microsoft has rated the flaw as "exploitation more likely".
The three publicly disclosed zero-days affect Remote Desktop Client – CVE-2022-21990 (CVSS 8.8), .NET and Visual Studio – CVE-2022-24512 (CVSS 6.3), and Windows Fax and Scan Service – CVE-2022-24459 (CVSS 7.8). Proof-of-Concept exploits are in the public domain for the first two of these flaws. While rated Important, the CVE-2022-24508 remote code execution vulnerability in Windows SMBv3 Client/Server should also be prioritized as it is likely to be targeted by cyber actors.
Adobe Fixes 5 Critical Flaws on March 2022 Patch Tuesday
Adobe released updates to fix six vulnerabilities across its product range on March 2022 Patch Tuesday, including five critical flaws and one rated important.
Adobe After Effects received patches to fix four critical-rated (CVSS 7.8) stack-based buffer overflow vulnerabilities that could lead to remote code execution (CVE-2022-24094, CVE-2022-24095, CVE-2022-24096, and CVE-2022-24097).
A critical buffer overflow vulnerability that could lead to arbitrary code execution has been fixed in Adobe Illustrator (CVE-2022-23187 – CVSS 7.8), and a fix has been issued for an important-rated memory leak issue in Adobe Photoshop (CVE-2022-24093 – CVSS 5.5).