December 2022 Patch Tuesday
‘Twas the Patch Tuesday before Christmas and all through the IT Department not a sys admin was idle, not even a junior analyst. The patches were queued up for deployment with care to respond to a zero-day and avoid breaking any applications that were there. On this twelfth (and last) Patch Tuesday of 2022 Microsoft and Mozilla have released updates.
Microsoft has resolved a total of 56 unique CVEs. Eight are revisions and 48 are net new CVEs. There is one zero-day vulnerability in the Windows OS and two publicly disclosed vulnerabilities you will want to be aware of.
Mozilla has resolved a total of 11 unique CVEs across Firefox, Firefox ESR and Thunderbird. In this update we will also highlight some recent threat actor activity observed using Ivanti Neurons for Risk-Based Vulnerability Management.
Ivanti Neurons for Risk-Based Vulnerability Management pulls from over 100 different sources of threat intelligence data. There were four new advisories in the past couple weeks based on activities detected by CSW, which is one of those many sources.
Many of the CVEs have been exploited since the vulnerabilities were originally discovered and updates were provided. Our guidance is to investigate each of these advisories to ensure you have mitigated or remediated each of them to reduce risk to your environments:
- November 28th Threat Advisory - "Windows Internet Key Exchange (IKE) Remote Code Execution Vulnerability exploited in the wild targeting CVE-2022-34721, which was resolved in the September 2022 Patch Tuesday release. Originally the CVE was not known to be exploited, but according to the advisory there is activity in at least one campaign referred to as “bleed you” targeting 1000+ systems still exposed by this vulnerability.
- December 1st Threat Advisory - "North Korea Hackers Using New "Dolphin" Backdoor to Spy on South Korean Targets." Researchers have analyzed a previously unreported backdoor used by the ScarCruft APT group (aka APT37). The backdoor, referred to as Dolphin, includes a wide range of spying tools to capture data, credentials and exfiltrate the stolen information. The recent campaign is targeting a pair of older CVEs (CVE-2021-26411, CVE-2020-1380) that are still exposed on systems.
- December 8th Threat Advisory - "Internet Explorer 0-day exploited by North Korean actor APT37 aka ScarCruft." Also from APT37, this advisory is warning of continued activity around the IE zero-day CVE-2022-41128 resolved in November, CVE-2021-26411 and CVE-2020-1380. All three were confirmed zero-day vulnerabilities when they were first resolved.
- December 8th Threat Advisory - "Zerobot – New Go-Based Botnet Campaign Targets Multiple Vulnerabilities.” The botnet is targeting 17 CVEs across a variety of IoT devices from routers to cameras, firewalls, NAS devices and more. The full list can be found in the Fortinet blog post, but the list dates from eight more recent 2022 CVEs to an old 2014 CVE.
Microsoft resolved a Security Feature Bypass in Widows SmartScreen (CVE-2022-44698) that affects Windows 10, Server 2016 and later editions of the Windows OS and Server OS.
The CVE allows an attacker to craft a malicious file that would evade the Mark of the Web (MoTW) defenses to cause a loss of integrity and availability of security features such as Protected View in Microsoft Office, so a file download from the Internet would not be treated with additional scrutiny by reputation checks.
The CVE is rated as Moderate and has a CVSSv3.1 of 5.4/5.0. Organizations using traditional prioritization methods may deprioritize resolution of this CVE even though it is confirmed to be exploited.
Microsoft resolved an Elevation of Privilege vulnerability in DirectX Graphics Kernel (CVE-2022-44710). The vulnerability has been publicly disclosed which increases the risk of potential exploit. The vulnerability affects Windows 11 22H2 and requires the attacker to win a race condition – but if exploited, the attacker would gain system privileges on the affected system.
Microsoft updated information in the FAQ of a Microsoft Office Information Disclosure vulnerability originally resolved in October 2022 (CVE-2022-41043). The vulnerability only affects Microsoft Office for Mac.
December 2022 Patch Tuesday Priorities
- Microsoft OS updates affected by CVE-2022-44698 are at the top of the priority list this month. The OS updates for Windows 10 and 11 branches resolve a total of 26 CVEs including a pair of CVEs in the Print Spooler so make sure you have your pilot groups setup to test any critical applications.
- Update all browsers! Mozilla released security updates for Firefox as part of the December 13, 2022 Patch Tuesday lineup. Google Chrome also recently resolved a zero-day vulnerability in a November update.
- Review the CVEs in the four recent security advisories listed in earlier in this article and make sure zou have prioritized mitigation or remediation for the CVEs being targeted.
- Join us for the Ivanti Patch Tuesday Webinar on December 14, 2022, or catch the on-demand recording of the event as well as additional details from our infographic.