Microsoft has patched 48 new flaws in its products, including one that attackers are currently employing as well as one that has been made public but is not currently being actively used by attackers.
In its final monthly security update of the year, the business addressed six vulnerabilities, six of which are significant. 43 vulnerabilities received a significant severity rating, while three problems received a moderate severity grade.
The update from Microsoft fixes 23 vulnerabilities in Google's Chromium browser technology, which Microsoft's Edge browser is built on, as well as out-of-band CVEs that it fixed over the past month.
Exploiting a security vulnerability
CVE-2022-44698, the vulnerability that attackers are actively attempting to exploit, is not one of the more serious issues for which Microsoft today issued updates. The vulnerability enables attackers to get around Windows SmartScreen, a security feature that guards users against dangerous files downloaded from the Internet.
"An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging," Microsoft explained.
According to Kevin Breen, director of cyber-threat research at Immersive Labs, CVE-2022-44698 only poses minimal danger to enterprises. "It has to be used in partnership with an executable file or other malicious code like a document or script file. In these situations, this CVE bypasses some of Microsoft's built-in reputation scanning and detection — namely SmartScreen, which would normally pop up to tell a user the file may not be safe."
At the same time, Breen advises users to rapidly repair the problem and not undervalue the threat.
Another vulnerability, is an elevation of privilege problem in the DirectX Graphics kernel, as defined by Microsoft as a publicly known zero-day but not yet being actively exploited. The company rated the vulnerability (CVE-2022-44710) as having an "important" degree of severity and one that, if abused, would provide an attacker system-level privilege. The business did note that attackers are less likely to take advantage of the weakness.
Current vulnerabilities to patch
Three additional severe vulnerabilities were identified by Trend Micro's ZDI in the December Patch Tuesday security update: CVE-2022-44713, CVE-2022-41076, and CVE-2022-44699.
A spoofing flaw in Microsoft Outlook for Mac is CVE-2022-44713. Due to the flaw, an attacker might impersonate a trusted user and trick a victim into believing that an email was sent by one of them.
ZDI's head of threat awareness Dustin Childs wrote in a blog post, "we don't often highlight spoofing bugs, but anytime you're dealing with a spoofing bug in an email client, you should take notice.” When coupled with the previously disclosed SmartScreen MoTW bypass issue that attackers are actively using, the vulnerability might prove particularly problematic.
A PowerShell remote code execution (RCE) flaw known as CVE-2022-41076 enables an authenticated attacker to bypass the PowerShell Remoting Session Configuration and execute arbitrary commands on a vulnerable system, Microsoft added.
Despite the fact that the attack complexity is considerable, the organization determined that the vulnerability is one that attackers are more likely to exploit. Organizations should be aware of the vulnerability, according to Childs, because it is the kind of issue that hackers frequently use to "live off the land" after getting initial access to a network.
Uncertain bug count
It's interesting to note that various manufacturers' opinions on the number of vulnerabilities that Microsoft patched this month varied. For example, ZDI estimated that Microsoft patched 52 vulnerabilities; Talos estimated 48; SANS estimated 74, and Action1 initially estimated 74 before reducing it to 52.
The problem, according to Johannes Ullrich, dean of research at the SANS Technology Institute, has to do with the various methodologies used to count vulnerabilities. For instance, while some count Chromium vulnerabilities, others do not.
Security advisories that occasionally accompany Microsoft upgrades are also listed by others, such as SANS, as vulnerabilities. Some researchers do not include the patches that Microsoft occasionally distributes throughout the month and included them in the next Patch Tuesday update.
"The patch count can sometimes be confusing, as the Patch Tuesday cycle is technically November to December, so this will also include patches that were released out of band earlier in the month, and can also include updates from third-party vendors," Breen added. "The most notable of these are patches from Google from Chromium, which is the base for Microsoft's Edge browser."
Since the last Patch Tuesday in November, 74 vulnerabilities, according to Breen, have been fixed. For the Edge browser, there are 51 from Microsoft and 23 from Google.
"If we exclude both the out-of-band and Google Chromium [patches], 49 patches for vulnerabilities were released today," he concluded.
A Microsoft spokesman says the number of new CVEs for which the company issued patches today was 48.
