To close out 2022, December’s Patch Tuesday brings the fewest vulnerabilities fixed by Microsoft since June. Microsoft fixed a total of 56 vulnerabilities, 7 of which are critical and one of which is an actively exploited zero-day.
Hopefully, a lighter month will allow administrators to get some rest heading into the holiday season, though there are still a few vulnerabilities that are important to take care of before the end of December. Perhaps the most critical and wide-reaching vulnerability this month is a critical remote code execution flaw in PowerShell 7.2 and 7.3. Attackers are likely to target this weakness, though it does require additional preparation for the target environment prior to exploitation.
In addition to the PowerShell vulnerability, there’s an important privilege escalation vulnerability in Windows Bluetooth Driver that allows attackers to elevate to SYSTEM privileges on most versions of Windows 7, 8.1, 10, 11, and Server 2008-2022. It hasn’t been exploited in the wild as far as we know, but Microsoft notes it is likely to be targeted by threat actors.
There’s also an actively exploited zero day in Windows SmartScreen that allows for security feature bypass. Even though the vulnerability is only moderately severe according to Microsoft, you’ll want to patch it since threat actors are already targeting the vulnerability with social engineering attacks.
CVE-2022-41076 - Windows PowerShell Remote Code Execution - CRITICAL
CVE-2022-41076 is a remote code execution vulnerability with high attack complexity and no user interaction required. This vulnerability can be exploited when PowerShell improperly handles specially crafted files, aka "Microsoft PowerShell Remote Code Execution Vulnerability.”
PowerShell is a scripting tool in all major versions of Windows (as well as Linux and macOS). By running malicious scripts via PowerShell, bad actors can leverage any authenticated user to trigger this vulnerability and an authenticated attacker can then run unapproved commands on the target system. Often referred to as 'remotely exploitable,' this vulnerability can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g. across one or more routers).
Not only does this CVE impact the following software, but PowerShell 7.2 and 7.3 as well:
Windows 10 (32-bit) including versions 1607, 1809, 20H2, 21H1, 21H2, 22H2,
Windows 10 (x64-based Systems) including versions 1607, 1809, 20H2, 21H1, 21H2, 22H2,
Windows 10 (ARM64-based Systems) including versions 1809, 20H2, 21H1, 21H2, 22H2,
Windows 11 (x64-based Systems and ARM64-based Systems including versions 22H2)
Windows 8.1 (32-bit and x64-based Systems) and RT 8.1
Windows 7 (32-bit Systems Service Pack 1 and x64-based Systems Service Pack 1)
Windows Server 2022 (including Datacenter Azure Edition) 2019, 2016
Windows Server 2012 and 2012 R2
Windows Server 2008 (32-bit Systems Service Pack 2) and 2008 R2 (x64-based Systems Service Pack 2)
Automox recommends refreshing your systems with the latest Windows software changes as well as updating PowerShell to the most recent version. – Gina Geisel
CVE-2022-44675 - Windows Bluetooth Driver Elevation of Privilege Vulnerability - IMPORTANT
Elevation of privilege (also referred to as privilege escalation) is a vulnerability that allows an adversary to gain unauthorized access by elevating the access and execution permissions to carry out attacks on the system. At the same time, this vulnerability does not allow for remote code execution and requires the attacker to have device access and user permissions to execute code on the target system.
The vulnerability can occur because the application responsible is not imposing the security restrictions in the Windows Bluetooth Driver, which leads to security restrictions bypass and privilege escalation. As a result, any attacker who successfully exploits this vulnerability could gain SYSTEM privileges.
The issue affects all versions of Windows and Servers, including older versions of Windows. Automox recommends patching this vulnerability within 72 hours to minimize exposure to unnecessary cyber risk. – Preetham Gurram
CVE-2022-44698 - Windows SmartScreen Security Feature Bypass Vulnerability - MODERATE
CVE-2022-44698 is an actively exploited vulnerability in Windows SmartScreen that allows for security feature bypass. Although only moderately severe, scoring a CVSSv3.1 5.4/10, the vulnerability is currently being targeted by threat actors in social engineering attacks. Attackers need to coerce a user to open a specially crafted file, website, or other content that is designed to exploit the vulnerability by bypassing the Mark of the Web (MOTW) defenses.
The vulnerability is similar to CVE-2022-41091, also a zero day, fixed in last month’s Patch Tuesday. Neither fetched a particularly high CVSS score, though we recommend fixing it within 24 hours as a socially engineered user could potentially open malicious files that bypass Mark of the Web security features. Most versions of Windows 8.1, 10, and 11 are vulnerable, as well as Server 2012-2022. – Peter Pflaster
Thanks for untangling December Patch Tuesday with us! Happy Holidays from Automox.
Start your free trial now.
Get started with Automox in no time.
