Microsoft’s security update for February did not include any critical vulnerabilities — a rarity. But there are still plenty of serious vulns in the update to merit immediate attention, security experts said this week.
Among the biggest concerns are a Windows DNS Server remote code execution (RCE) vulnerability (CVE-2022-21984), a Windows 32K elevation of privileges flaw (CVE-2022-21989), an RCE in SharePoint server (CVE-2022-22005), and a set of four vulnerabilities in the company’s perennially insecure Windows Print Spooler technology, one of which already has an exploit.
The vulnerabilities are among a set of 51 flaws that Microsoft patched this week. That made it one of the smaller monthly security updates that Microsoft has released in a while. Last month’s rollout, for instance, contained fixes for 96 vulnerabilities, while the one in December had patches for 67 flaws, including one for a zero-day flaw that was being used to spread Emotet ransomware.
“This month had no critical-rated bugs for the first time in quite a while,” says Dustin Childs, communications manager at Trend Micro’s ZDI. “Of the 51 patches, 50 are rated Important and one is Moderate,” he notes.
Childs identified CVE-2022-21984, the RCE flaw in Windows DNS Server, as a vulnerability that organizations should patch on a priority basis, especially if they have dynamic updates enabled.
“DNS servers are one of the ‘crown jewels’ of an enterprise and make for attractive targets,” he says.
Microsoft’s description of the vulnerability itself — as with all vulnerabilities the company discloses these days — offered little information on the nature of the flaw or the threat it might pose for organizations. The company merely described the vulnerability as having a high impact on the confidentiality, integrity, and availability of data if exploited. Exploiting the flaw involves little attack complexity, low privileges, and no user interaction, Microsoft said.
“The DNS vulnerability is a big deal simply because it is the DNS server,” says Tyler Reguly, manager of security R&D at Tripwire. “Unfortunately, this is a case where Microsoft’s regression from old-style informative bulletins to the cryptic guidance we get today makes it difficult to understand exactly where the concern is.”
More Print Spooler ‘Nightmares’
Security experts also advise that organizations quickly apply the patches that Microsoft released this week for a set of four vulnerabilities in Print Spooler: CVE-2022-21999, CVE-2022-22718, CVE-2022-21997, and CVE-2022-22717. All four vulnerabilities, if exploited, enable the elevation of privileges, which typically means an attacker would need to have already compromised a system to take advantage of the flaws.
However, the near ubiquity of Windows Print Spooler and the fact that attackers frequently target the technology because of how buggy it is heightens the need for organizations to patch the new flaws quickly. Already, exploit code for one of the Print Spooler flaws disclosed this week (CVE-2022-21999) has become available.
Kevin Breen, director of cyberthreat research at Immersive Labs, points to last July’s so-called “PrintNightmare” vulnerability as one example of the exposure that organizations can face from Print Spooler flaws. PrintNightmare was an RCE flaw, present across almost all Windows versions, that gave remote attackers a way to take full control of vulnerable systems. Concerns over attackers using the flaw to take control of domain controllers and Active Directory admin servers prompted the US Cybersecurity and Infrastructure Security Agency to urge organizations to disable Print Spooler on all critical systems.
As with the new set of Print Spooler flaws, Microsoft initially described PrintNightmare as a local attack vector, meaning an attacker would already need access to a standard user account to escalate privileges, Breen says.
“It was not long before researchers and attackers discovered how to use [PrintNightmare] remotely,” he explains. “That hasn’t been determined in this case yet, but history has taught us we should not rule this possibility out.”
Meanwhile, the Windows 32 kernel elevation of privileges flaw (CVE-2022-21989) is important to address because proof-of-concept exploit code for the flaw has already become available. Microsoft has assessed the flaw as “more likely” to be exploited and giving attackers a way to use a low-privilege AppContainer to elevate privileges for running arbitrary code or accessing resources on vulnerable systems.
“Much of the initial investigative work for a weaponized exploit has already been done, and details could be publicly available to threat actors,” says Chris Goetti, vice president of product management at Ivanti.
The CVE is specific to AppContainer, which is designed to run a specific application and only allows it to access the resources it needs to run, Goetti adds. “An application running in the AppContainer can then use this vulnerability to elevate its privileges beyond those provided by the AppContainer,” he says.
Breen also points to an RCE flaw in SharePoint Server (CVE-2022-22005) as one Microsoft has flagged as more likely to be exploited. He describes it as a flaw as likely an issue for organizations that use SharePoint for internal wikis or document stores. In these situations, attackers could exploit the flaw to steal or replace confidential information and documents, he says.
Sparse Vulnerability Information
Tripwire’s Reguly says February “was definitely a lighter month in terms of the sheer number of patches.” However, the latest Microsoft security update is another example where more information from the company would help organizations understand vulnerabilities better and put them in better context, he says.
“It’s an ongoing issue that we’ve seen for years,” Reguly notes. “Microsoft’s provided context and content has eroded over the years to the point of providing no information these days.”.
For instance, several of the vulnerability advisories this month, which pointed to the Microsoft store, had no updates available on Patch Tuesday, he says. Microsoft has been called out numerous times over the years for failing to disclose enough information, and occasionally the company has gone back and added additional details to a vulnerability.
“Unfortunately, the reality is that Microsoft has simply reduced publicly available information over the years, and it makes it harder and harder to glean data about vulnerabilities to make informed decisions,” Reguly says.
Breen at Immersive Labs agrees. “When publishing CVEs, it is common to include a description field that provides more technical details on which component is being exploited and how,” he notes.
But since November 2020, Microsoft has stopped including this summary in its CVE reports, Breen says. Microsoft at the time had explained the reason for moving to its new version of the security update guide as an effort to align itself better with the Common Vulnerability Scoring System (CVSS).
But Breen says the change has not helped.
“This makes it much more difficult for organizations to prioritize based on risk or mitigations,” he says. “Instead, they have to rely on Microsoft’s simple ‘Exploitation More Likely’ or ‘Exploitation Less Likely’ categorization,” Breen says.