Tune in as our team of security experts dives into the information you need to know: critical vulnerabilities, a recap of Microsoft Patch Tuesday, zero-days and other patch news, and much more.
Microsoft (MS) has announced that, once the change rolls out in April 2022, Office users will no longer be able to enable VBA (Visual Basic for Applications, the language used to write Office macros) macros with a single click. This is a big win for organizations and home users alike: a new Security Risk banner will tell the user that MS has blocked the macros because the file was obtained from the Internet, and will link to a support page covering the risks of macros, safe practices, and how to proceed. (Note that the link resolves to Microsoft's warning landing page, titled "A potentially dangerous macro has been blocked".) VBA macros embedded in malicious Office documents remain one of the most popular delivery mechanisms in phishing and malware campaigns.
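The block keys on the Mark of the Web, the Zone.Identifier alternate data stream that browsers and mail clients attach to downloaded files. The following PowerShell snippet is an added example, not part of the original post or of any Microsoft tooling: it shows whether a given Office file carries that mark (so the new default would block its macros) and whether the existing Group Policy "Block macros from running in Office files from the Internet" is already enforced, which protects users before the new default reaches them. The file path is an assumption; the registry value name is the one that policy writes.

```powershell
# Added example (not from the original post). Checks whether a downloaded
# Office file carries the Mark of the Web that the new Office default uses to
# block VBA macros, and whether the equivalent Group Policy is already set.

$File = 'C:\Users\alice\Downloads\invoice.docm'   # assumed sample path

# Files saved from a browser or mail client carry a Zone.Identifier alternate
# data stream; ZoneId=3 is the Internet zone, which is what the block keys on.
$zone = Get-Content -LiteralPath $File -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($zone -match 'ZoneId=3') {
    Write-Output "$File is marked as downloaded from the Internet; its macros will be blocked by default."
} elseif ($zone) {
    Write-Output "$File has a Zone.Identifier stream, but not the Internet zone:`n$zone"
} else {
    Write-Output "$File has no Mark of the Web; the Internet-macro block does not apply to it."
}

# Policy check: the GPO 'Block macros from running in Office files from the
# Internet' writes blockcontentexecutionfrominternet=1 under each application's
# Security policy key. A value of 1 means the block is already enforced today.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $val = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet `
                -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    if ($val -eq 1) {
        Write-Output "$app`: Internet-macro block enforced by policy"
    } else {
        Write-Output "$app`: no policy set; relying on the new Office default"
    }
}
```

Two caveats worth knowing when you rely on this control: the mark is an NTFS stream, so files that arrive inside archives, on FAT-formatted media, or via tools that strip it will not be blocked, and a user (or `Unblock-File`) can remove it. Enforcing the policy value above is the way to get the protection now rather than waiting for the April rollout.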
Microsoft's February 2022 Patch Tuesday includes 48 security fixes (not counting 22 Microsoft Edge vulnerabilities) and one (1) zero-day, with none of them rated 'Critical'. Although none of the disclosed vulnerabilities are known to be exploited in the wild, threat actors are likely to weaponize them soon. The fixes break down by type as follows:
- 16 Elevation of Privileges
- 16 Remote Code Executions
- 5 Denial of Services
- 5 Information Disclosures
- 3 Security Bypasses
- 3 Spoofing
- 22 Edge/Chromium
The lone zero-day (CVE-2022-21989), a publicly disclosed Windows kernel elevation-of-privilege bug, has a base Common Vulnerability Scoring System (CVSS) score of 7.8. It is not rated 'Critical' because, according to MS, an attacker must take additional actions to prepare the target environment before exploitation.
The following Common Vulnerabilities and Exposures (CVE) entries are notable from this month's patching:
- CVE-2022-21984 – Windows DNS Server Remote Code Execution Vulnerability: This patch fixes a remote code execution (RCE) bug in the Microsoft DNS server. The server is only affected if dynamic updates are enabled, which is a relatively common configuration. If that is how your environment is set up, an attacker could take over your DNS entirely and execute code with elevated privileges. Because dynamic updates are not enabled by default, the bug does not get a critical rating; if your DNS servers do use dynamic updates, you should treat it as critical.
- CVE-2022-23280 – Microsoft Outlook for Mac Security Feature Bypass Vulnerability: “This Outlook bug could allow images to appear in the Preview Pane automatically, even if this option is disabled. On its own, exploiting this will only expose the target’s IP information. However, it’s possible a second bug affecting image rendering could be paired with this bug to allow remote code execution. If you are using Outlook for Mac, you should double-check to ensure your version has been updated to an unaffected version.”
- CVE-2022-21995 – Windows Hyper-V Remote Code Execution Vulnerability: “This patch fixes a guest-to-host escape in Hyper-V server. Microsoft marks the CVSS exploit complexity as high here, stating an attacker, ‘must prepare the target environment to improve exploit reliability.’ Since this is the case for most exploits, it’s not clear how this vulnerability is different. If you rely on Hyper-V servers in your enterprise, it’s recommended to treat this as a critical update.”
- CVE-2022-22005 – Microsoft SharePoint Server Remote Code Execution Vulnerability: “This patch fixes a bug in SharePoint Server that could allow an authenticated user to execute any arbitrary .NET code on the server under the context and permissions of the service account of SharePoint Web Application. An attacker would need ‘Manage Lists’ permissions to exploit this; by default, authenticated users can create their own sites, and in this case the user will be the owner of the site and will have all necessary permissions.”
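Whether the DNS bug above (CVE-2022-21984) counts as critical for you depends on one setting per zone, so it is worth checking rather than guessing. The PowerShell below is an added example, not part of the original post or of Microsoft's advisory: run on a Windows DNS server (or against one with `-ComputerName`), it lists the primary zones that accept dynamic updates and dry-runs a tightening of any AD-integrated zone that still accepts unauthenticated updates. Zone names in the output are whatever your server holds; nothing here is specific to the vulnerability beyond the exposure condition the advisory names.

```powershell
# Added example (not from the original post). Enumerates DNS zones that accept
# dynamic updates, since CVE-2022-21984 is only reachable when dynamic updates
# are enabled. Requires the DnsServer module (RSAT or the DNS Server role).

Import-Module DnsServer

# DynamicUpdate is one of: None, NonsecureAndSecure, Secure. Anything other
# than None means the zone is on the vulnerable code path.
$exposed = Get-DnsServerZone |
    Where-Object {
        $_.ZoneType -eq 'Primary' -and
        -not $_.IsAutoCreated -and
        $_.DynamicUpdate -ne 'None'
    } |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate

if ($exposed) {
    Write-Output "Zones accepting dynamic updates (treat this month's DNS fix as critical here):"
    $exposed | Format-Table -AutoSize

    # 'NonsecureAndSecure' lets any host on the network push records, which is
    # the worst case. AD-integrated zones can be moved to Secure (Kerberos-
    # authenticated) updates; -WhatIf makes this a dry run until you remove it.
    $exposed |
        Where-Object { $_.IsDsIntegrated -and $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
        ForEach-Object {
            Set-DnsServerPrimaryZone -Name $_.ZoneName -DynamicUpdate Secure -WhatIf
        }
} else {
    Write-Output 'No primary zones accept dynamic updates; the vulnerable code path is not exposed.'
}
```

Moving a zone to secure-only updates shrinks the set of clients that can reach the update path to domain-joined, authenticated hosts, but the zone still accepts dynamic updates, so it remains in scope for the advisory. Use the audit to prioritize which servers get the February update first, not as a substitute for it.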
Following the January 2022 Patch Tuesday, MS released a series of out-of-band (OOB) updates to address multiple issues those updates introduced: an Active Directory bug, Domain Controllers restarting unexpectedly, VPN connectivity failures, Hyper-V virtual machines failing to start, and ReFS volume failures. The relevant Knowledge Base (KB) articles can be found here for further information and fixes.
Additional vendors have released security advisories as well and are listed below:
Despite the lack of 'Critical'-rated vulnerabilities, Cyber Advisors strongly recommends applying these patches as soon as possible, and advises taking backups before testing and deploying them. Best practice is to test patches in non-production environments before pushing them to production.