Microsoft has released fixes for a relatively small number of CVEs this month, with only three critical bugs and three publicly disclosed flaws in the Patch Tuesday roundup.
None of the three zero days have been exploited in the wild. They include CVE-2022-24512, a remote code execution (RCE) vulnerability in .NET and Visual Studio.
“According to Microsoft, this vulnerability requires ‘under interaction’ to exploit, meaning that an attacker would likely need to upload a payload to a vulnerable system and then execute it remotely, rather than attacking the service directly,” explained Recorded Future senior security architect, Allan Liska.
“This is likely why Microsoft has assigned it a criticality level of ‘Important’ and rated it as ‘exploitation less likely.’”
Another zero-day patched this month is CVE-2022-24459, an elevation of privilege vulnerability in Microsoft’s Fax and Scan Service, which is also rated “exploitation less likely.”
The final one is CVE-2022-21990, another RCE bug but this time in the Remote Desktop Client and rated “exploitation more likely.”
It’s one of three CVEs this month impacting the remote desktop protocol (RDP), which has been heavily targeted during the pandemic.
“With the increase in remote working driving the expansion of the attack surface presented by RDP, a trio of RCE vulnerabilities affecting this protocol should be on security teams’ radar,” argued Kev Breen, director of cyber-threat research at Immersive Labs.
“CVE-2022-23285, CVE-2022-21990 and CVE-2022-24503 are a potential concern especially as this infection vector is commonly used by ransomware actors. While exploitation is not trivial, requiring an attacker to set up bespoke infrastructure, it still presents enough of a risk to be a priority.”
Breen also flagged critical vulnerability CVE-2022-23277 as a priority.
“While requiring authentication, this vulnerability affecting on-premises Exchange servers could potentially be used during lateral movement into a part of the environment which presents the opportunity for business email compromise or data theft from email,” he said.