Hear what Automox Patch Tuesday experts have to say about this month’s Patch Tuesday releases. You can view a full list of the latest patches and updates from Microsoft and other third-party applications in our Patch Tuesday Index.
February 2022 Overview
General Overview - Eric Feldman
Let’s begin February’s Patch Tuesday review with a trivia question. What do King James I of England and Microsoft have in common?
The answer is simple. Legend has it that the good King way back in the year 1616 originated the phrase "No News is Good News," more or less. And that phrase is a perfect summary for February Patch Tuesday news from Microsoft.
I am happy to let everyone know that we have zero critical vulnerabilities from Microsoft to report. In addition, there are zero exploited vulnerabilities across any severity level. I asked several of our security experts about the frequency of any month without a critical vulnerability to remediate, and not one of them could recall any in recent memory.
There were, however, 48 total vulnerabilities, all of which are rated "high," and one was publicly disclosed. That means that ITOps and SecOps teams will have some remediation work this month, with less urgency.
Microsoft's 48 vulnerabilities are a 50% drop from January's total, and a 36% reduction from the 12-month rolling average.
Two vulnerability types made up the majority of February's total. 33% of the February vulnerabilities were "Elevation of Privilege," meaning an attacker could change their access rights, for example from "read only" to "read and write." Another 33% of vulnerabilities were "Remote Code Execution," which allows an attacker to remotely execute malicious code on a computer.
Please pay attention to the Samba vulnerability outlined below. This one has a CVSS score of 9.9, and requires immediate attention.
Rounding out this month are updates from Google Chrome, Adobe, and a few updates from Apple.
And remember, Automox recommends that all critical and exploited vulnerabilities are patched within a 72-hour window, in particular those highlighted this month.
-Eric Feldman, Senior Product Marketing Manager
Critical Vulnerability Breakdown
Justin Knapp - CVE-2022-21989 - Windows Kernel Elevation of Privilege Vulnerability - High and Publicly Disclosed
CVE-2022-21989 is an elevation of privilege vulnerability that exists when the Windows kernel fails to properly handle objects in memory. This could potentially enable an attacker to install programs; view, change, or delete data; or create accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system and then run a specially crafted application to take control of the system. In this case, a successful attack could be performed from a low privilege AppContainer. The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment. Given the higher likelihood of exploitation and the fact that elevation of privilege vulnerabilities are often an important step in the cyber kill chain, we recommend prioritizing and patching immediately.
Jay Goodman - Samba - CVE-2021-44142 - Samba Virtual File System Out-of-bounds heap read/write vulnerability - Critical
A CVSS 9.9 critical vulnerability in the Samba platform surfaced. The vulnerability, CVE-2021-44142, is an out-of-bounds heap read/write vulnerability in the VFS module called “vfs_fruit”. The vulnerability impacts all versions of Samba prior to 4.13.17 and can be found in Red Hat, SUSE Linux, and Ubuntu packages. Samba is a suite of tools that allow Windows and Linux to work together and share file or printer services with multi-platform devices on a single network. The vulnerability allows an attacker to remotely execute code with root privileges on impacted servers. This allows the adversary to read, modify, or delete files, query users, or install malware on the target system. This vulnerability is similar to SambaCry, which also targeted Samba in 2017. This vulnerability is likely more critical as it does not require valid credentials to a writable share, as SambaCry did, making it an easier vulnerability to use as a springboard within the network.
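A first-pass triage check for the Samba issue above, added here as an example and not taken from Automox or the Samba project: it compares a version banner against the 4.13.17 release named in the text and lists the smb.conf sections that load the fruit module. It assumes the banner format printed by `smbd --version` and configuration text as found in smb.conf or `testparm -s` output; the sample inputs are constructed, and distribution packages may carry backported fixes under an older version string.

```python
import re

FIXED = (4, 13, 17)  # fixed release named in the text above

# Constructed sample inputs, not taken from a real host.
SAMPLE_BANNER = "Version 4.13.14-Ubuntu"
SAMPLE_CONF = """\
[global]
   workgroup = EXAMPLE
   vfs objects = catia fruit streams_xattr
[scans]
   path = /srv/scans
   vfs objects = recycle
[timemachine]
   path = /srv/tm
   ; vfs objects = fruit
"""

def parse_version(banner):
    """Extract (major, minor, patch) from a version banner."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no version found in {banner!r}")
    return tuple(int(part) for part in m.groups())

def sections_loading_fruit(conf_text):
    """Return sections whose effective 'vfs objects' list includes fruit."""
    sections, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, None)
            continue
        key, sep, value = line.partition("=")
        # smb.conf ignores case and whitespace in parameter names
        if sep and current and "".join(key.split()).lower() in ("vfsobjects", "vfsobject"):
            sections[current] = value.lower().split()
    inherited = sections.get("global") or []
    # A share's own 'vfs objects' replaces the [global] list; otherwise it inherits it.
    return sorted(name for name, objs in sections.items()
                  if "fruit" in (inherited if objs is None else objs))

def assess(banner, conf_text):
    """Flag hosts that are below the fixed release and load the fruit module."""
    version = parse_version(banner)
    fruit = sections_loading_fruit(conf_text)
    return {"version": version, "below_fixed": version < FIXED,
            "fruit_sections": fruit, "prioritize": version < FIXED and bool(fruit)}

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONF))
```

Hosts where `prioritize` is true run a release below the one named above and load the affected module, so they belong at the front of the patch queue.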
On January 26, Apple released a number of updates that address security issues and provide additional functionality. iOS 15.3 and iPadOS 15.3, macOS Monterey 12.2, macOS Big Sur 11.6.3, Security Update 2022-001 for macOS Catalina, tvOS 15.3, Safari 15.3, and watchOS 8.4 are now available. While the list of potential implications may impact a broad spectrum of capabilities, Apple does not typically discuss or confirm security issues until an investigation has occurred. As a result, Automox recommends prioritizing the update of all Apple mobile devices to the latest OS. - Eric Feldman
Google released Chrome 98.0.4758.80/81/82 for Windows and Chrome 98.0.4758.80 for macOS and Linux to patch 27 vulnerabilities, 19 of which were reported by outside researchers. Google pays a reward to researchers that discover vulnerabilities, and the two that carried the highest reward are CVE-2022-0452 and CVE-2022-0453, both use-after-free vulnerabilities with a $20,000 payment for each. A use-after-free vulnerability enables malicious code substitution attacks that can lead to data corruption, program crashes, and arbitrary code execution. In all, 10 of the 19 externally reported vulnerabilities are use-after-free issues at various criticality levels. Some of the risks of these vulnerabilities can be mitigated by always ensuring that Chrome is run as a non-privileged user (without administrative privileges). Nonetheless, Automox recommends upgrading to Chrome version 98.0.4758.80 as soon as possible. - Aleks Haugom
Adobe released several updates for Premiere Rush, Illustrator, Photoshop, After Effects, and Creative Cloud Desktop. All of the affected applications this month are rated Priority 3 by Adobe, indicating that the vulnerable applications have not historically been a target for attackers, and administrators should update at their discretion. Photoshop, After Effects, Illustrator, and Creative Cloud Desktop all had critical vulnerabilities that may allow arbitrary code execution in the current user context if exploited on Windows and macOS systems.
If your organization utilizes Photoshop, After Effects, Illustrator, or Creative Cloud Desktop on Windows or macOS systems, we recommend patching after higher priority application patches are applied. - Peter Pflaster