Last updated at Tue, 08 Mar 2022 21:08:35 GMT
Microsoft's March 2022 updates include fixes for 92 CVEs (including 21 from the Chromium project, which the Edge web browser is built on). None of them have been seen exploited in the wild, but three were publicly disclosed before today's release. CVE-2022-24512, affecting .NET and Visual Studio, and CVE-2022-21990, affecting the Remote Desktop Client, both allow remote code execution (RCE). CVE-2022-24459 is a local privilege escalation (LPE) vulnerability in the Windows Fax and Scan service. All three publicly disclosed vulnerabilities are rated Important; organizations should remediate them at their regular patch cadence.
Three CVEs this month are rated Critical. CVE-2022-22006 and CVE-2022-24501 are RCEs in the HEVC and VP9 video codec extensions respectively. These packages are delivered through the Microsoft Store, so in most cases they will update automatically. Organizations that have disabled automatic Store updates, however, need to push the fixed packages out themselves; Windows Update alone will not patch them. The vulnerability most likely to raise eyebrows this month is CVE-2022-23277, a Critical RCE affecting Exchange Server. Thankfully, this is a post-authentication vulnerability, meaning an attacker needs valid credentials to exploit it. Credentials can still be obtained via phishing and other means, but this one shouldn't be as rampantly exploited as the deluge of Exchange vulnerabilities we saw throughout 2021. Exchange administrators should still patch as soon as reasonably possible.
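To find hosts that still carry a vulnerable copy of those codec packages, the following PowerShell script (an added example written for this post, not Rapid7's or Microsoft's code) lists the installed HEVC, VP9, Raw Image and HEIF extension packages for every user profile on a machine and compares each against a minimum fixed version you supply. The package identities are assumed from the Store listings; the 0.0.0.0 minimum versions are placeholders to be replaced with the fixed versions given on the MSRC pages for CVE-2022-22006, CVE-2022-24501, CVE-2022-23295 and CVE-2022-24457. The optional Store scan trigger uses the MDM bridge WMI class and is assumed to be present on MDM-capable Windows 10/11 SKUs.

```powershell
#Requires -RunAsAdministrator
# Added example (not Rapid7's or Microsoft's code): report which Store-delivered
# codec packages are installed on this host, for which users, and whether each
# copy is at or above the minimum fixed version supplied by the caller.
param(
    # Package identity -> lowest fixed version. The identities are assumed from
    # the Store listings; the versions are placeholders (assumption) to be
    # replaced with the fixed versions from the relevant MSRC CVE pages.
    [hashtable]$MinimumVersions = @{
        'Microsoft.HEVCVideoExtension' = [version]'0.0.0.0'
        'Microsoft.VP9VideoExtensions' = [version]'0.0.0.0'
        'Microsoft.RawImageExtension'  = [version]'0.0.0.0'
        'Microsoft.HEIFImageExtension' = [version]'0.0.0.0'
    },
    # Ask the Store client to run an update scan when something is out of date.
    [switch]$TriggerStoreScan
)

function Get-CodecPatchStatus {
    param([hashtable]$Minimums)
    foreach ($name in $Minimums.Keys) {
        # -AllUsers covers packages installed in any profile, which is what
        # matters on shared machines; it is why the script requires elevation.
        $pkgs = @(Get-AppxPackage -AllUsers -Name $name -ErrorAction SilentlyContinue)
        if ($pkgs.Count -eq 0) {
            # Not installed for any user: nothing to patch on this host.
            [pscustomobject]@{ Package = $name; Version = $null; Users = 0; Status = 'NotInstalled' }
            continue
        }
        # Several copies can coexist (x86 and x64, or users on different
        # versions), so report each one rather than only the first match.
        foreach ($pkg in $pkgs) {
            $installed = [version]$pkg.Version
            $status = 'NeedsUpdate'
            if ($installed -ge $Minimums[$name]) { $status = 'OK' }
            [pscustomobject]@{
                Package = $name
                Version = $installed
                Users   = @($pkg.PackageUserInformation).Count
                Status  = $status
            }
        }
    }
}

$report = @(Get-CodecPatchStatus -Minimums $MinimumVersions)
$report | Format-Table -AutoSize

if ($TriggerStoreScan -and ($report.Status -contains 'NeedsUpdate')) {
    # MDM bridge WMI method that makes the Store client check for app updates;
    # handy on hosts where automatic Store updates are disabled by policy.
    try {
        Get-CimInstance -Namespace 'Root\cimv2\mdm\dmmap' `
            -ClassName 'MDM_EnterpriseModernAppManagement_AppManagement01' -ErrorAction Stop |
            Invoke-CimMethod -MethodName UpdateScanMethod -ErrorAction Stop | Out-Null
        Write-Host 'Store update scan requested.'
    } catch {
        Write-Warning "Could not trigger a Store update scan: $($_.Exception.Message)"
    }
}
```

Run it from an elevated session and pass the real fixed versions with -MinimumVersions; a package missing from the hashtable is simply not checked. Any row reporting NeedsUpdate on a host with Store updates disabled is one you have to remediate by hand, since these packages are outside the Windows Update channel.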
SharePoint administrators get a break this month, though on the client side a handful of Office vulnerabilities were fixed: three separate RCEs in Visio, Tampering and Security Feature Bypass vulnerabilities in Word, and an Information Disclosure vulnerability in the Skype Extension for Chrome.
CVE-2022-24508 is an RCE affecting both the client and server sides of Windows SMBv3, which has potential for widespread exploitation if an attacker can put together a suitable exploit. Luckily, like this month's Exchange vulnerabilities, this one requires authentication.
Organizations using Microsoft's Azure Site Recovery service should be aware that 11 CVEs were fixed with today's updates, split between six RCEs and five LPEs. They are all specific to the scenario where an on-premises VMware deployment is set up to use Azure for disaster recovery.
Summary tables

Apps vulnerabilities

CVE | Title | Exploited | Publicly disclosed? | CVSSv3 base score | Has FAQ?
CVE-2022-23282 | Paint 3D Remote Code Execution Vulnerability | No | No | 7.8 | Yes
CVE-2022-24465 | Microsoft Intune Portal for iOS Security Feature Bypass Vulnerability | No | No | 3.3 | Yes
Azure vulnerabilities

CVE | Title | Exploited | Publicly disclosed? | CVSSv3 base score | Has FAQ?
CVE-2022-24467 | Azure Site Recovery Remote Code Execution Vulnerability | No | No | 7.2 | Yes
CVE-2022-24468 | Azure Site Recovery Remote Code Execution Vulnerability | No | No | 7.2 | Yes
CVE-2022-24517 | Azure Site Recovery Remote Code Execution Vulnerability | No | No | 7.2 | Yes
CVE-2022-24470 | Azure Site Recovery Remote Code Execution Vulnerability | No | No | 7.2 | Yes
CVE-2022-24471 | Azure Site Recovery Remote Code Execution Vulnerability | No | No | 7.2 | Yes
CVE-2022-24520 | Azure Site Recovery Remote Code Execution Vulnerability | No | No | 7.2 | Yes
CVE-2022-24469 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 8.1 | Yes
CVE-2022-24506 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes
CVE-2022-24515 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes
CVE-2022-24518 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes
CVE-2022-24519 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes
Browser vulnerabilities

CVE | Title | Exploited | Publicly disclosed? | CVSSv3 base score | Has FAQ?
CVE-2022-0809 | Chromium: CVE-2022-0809 Out of bounds memory access in WebXR | No | No | N/A | Yes
CVE-2022-0808 | Chromium: CVE-2022-0808 Use after free in Chrome OS Shell | No | No | N/A | Yes
CVE-2022-0807 | Chromium: CVE-2022-0807 Inappropriate implementation in Autofill | No | No | N/A | Yes
CVE-2022-0806 | Chromium: CVE-2022-0806 Data leak in Canvas | No | No | N/A | Yes
CVE-2022-0805 | Chromium: CVE-2022-0805 Use after free in Browser Switcher | No | No | N/A | Yes
CVE-2022-0804 | Chromium: CVE-2022-0804 Inappropriate implementation in Full screen mode | No | No | N/A | Yes
CVE-2022-0803 | Chromium: CVE-2022-0803 Inappropriate implementation in Permissions | No | No | N/A | Yes
CVE-2022-0802 | Chromium: CVE-2022-0802 Inappropriate implementation in Full screen mode | No | No | N/A | Yes
CVE-2022-0801 | Chromium: CVE-2022-0801 Inappropriate implementation in HTML parser | No | No | N/A | Yes
CVE-2022-0800 | Chromium: CVE-2022-0800 Heap buffer overflow in Cast UI | No | No | N/A | Yes
CVE-2022-0799 | Chromium: CVE-2022-0799 Insufficient policy enforcement in Installer | No | No | N/A | Yes
CVE-2022-0798 | Chromium: CVE-2022-0798 Use after free in MediaStream | No | No | N/A | Yes
CVE-2022-0797 | Chromium: CVE-2022-0797 Out of bounds memory access in Mojo | No | No | N/A | Yes
CVE-2022-0796 | Chromium: CVE-2022-0796 Use after free in Media | No | No | N/A | Yes
CVE-2022-0795 | Chromium: CVE-2022-0795 Type Confusion in Blink Layout | No | No | N/A | Yes
CVE-2022-0794 | Chromium: CVE-2022-0794 Use after free in WebShare | No | No | N/A | Yes
CVE-2022-0793 | Chromium: CVE-2022-0793 Use after free in Views | No | No | N/A | Yes
CVE-2022-0792 | Chromium: CVE-2022-0792 Out of bounds read in ANGLE | No | No | N/A | Yes
CVE-2022-0791 | Chromium: CVE-2022-0791 Use after free in Omnibox | No | No | N/A | Yes
CVE-2022-0790 | Chromium: CVE-2022-0790 Use after free in Cast UI | No | No | N/A | Yes
CVE-2022-0789 | Chromium: CVE-2022-0789 Heap buffer overflow in ANGLE | No | No | N/A | Yes

CVE | Title | Exploited | Publicly disclosed? | CVSSv3 base score | Has FAQ?
CVE-2022-24526 | Visual Studio Code Spoofing Vulnerability | No | No | 6.1 | Yes
CVE-2020-8927 | Brotli Library Buffer Overflow Vulnerability | No | No | 6.5 | Yes
CVE-2022-24512 | .NET and Visual Studio Remote Code Execution Vulnerability | No | Yes | 6.3 | Yes
CVE-2022-24464 | .NET and Visual Studio Denial of Service Vulnerability | No | No | 7.5 | No
Exchange Server vulnerabilities

CVE | Title | Exploited | Publicly disclosed? | CVSSv3 base score | Has FAQ?
CVE-2022-24463 | Microsoft Exchange Server Spoofing Vulnerability | No | No | 6.5 | Yes
CVE-2022-23277 | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes
Microsoft Office vulnerabilities

CVE | Title | Exploited | Publicly disclosed? | CVSSv3 base score | Has FAQ?
CVE-2022-24522 | Skype Extension for Chrome Information Disclosure Vulnerability | No | No | 7.5 | Yes
CVE-2022-24462 | Microsoft Word Security Feature Bypass Vulnerability | No | No | 5.5 | Yes
CVE-2022-24511 | Microsoft Office Word Tampering Vulnerability | No | No | 5.5 | Yes
CVE-2022-24509 | Microsoft Office Visio Remote Code Execution Vulnerability | No | No | 7.8 | Yes
CVE-2022-24461 | Microsoft Office Visio Remote Code Execution Vulnerability | No | No | 7.8 | Yes
CVE-2022-24510 | Microsoft Office Visio Remote Code Execution Vulnerability | No | No | 7.8 | Yes
System Center vulnerabilities

CVE | Title | Exploited | Publicly disclosed? | CVSSv3 base score | Has FAQ?
CVE-2022-23265 | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 7.2 | Yes
CVE-2022-23266 | Microsoft Defender for IoT Elevation of Privilege Vulnerability | No | No | 7.8 | Yes
CVE-2022-23278 | Microsoft Defender for Endpoint Spoofing Vulnerability | No | No | 5.9 | Yes
Windows vulnerabilities

CVE | Title | Exploited | Publicly disclosed? | CVSSv3 base score | Has FAQ?
CVE-2022-21967 | Xbox Live Auth Manager for Windows Elevation of Privilege Vulnerability | No | No | 7.0 | Yes
CVE-2022-24525 | Windows Update Stack Elevation of Privilege Vulnerability | No | No | 7.0 | Yes
CVE-2022-24508 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes
CVE-2022-23284 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.2 | No
CVE-2022-21975 | Windows Hyper-V Denial of Service Vulnerability | No | No | 4.7 | Yes
CVE-2022-23294 | Windows Event Tracing Remote Code Execution Vulnerability | No | No | 8.8 | Yes
CVE-2022-23291 | Windows DWM Core Library Elevation of Privilege Vulnerability | No | No | 7.8 | No
CVE-2022-23288 | Windows DWM Core Library Elevation of Privilege Vulnerability | No | No | 7.0 | Yes
CVE-2022-23286 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | No | No | 7.0 | Yes
CVE-2022-24455 | Windows CD-ROM Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No
CVE-2022-24507 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | No | No | 7.8 | No
CVE-2022-23287 | Windows ALPC Elevation of Privilege Vulnerability | No | No | 7.0 | Yes
CVE-2022-24505 | Windows ALPC Elevation of Privilege Vulnerability | No | No | 7.0 | Yes
CVE-2022-24501 | VP9 Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes
CVE-2022-24451 | VP9 Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes
CVE-2022-24460 | Tablet Windows User Interface Application Elevation of Privilege Vulnerability | No | No | 7.0 | Yes
CVE-2022-23295 | Raw Image Extension Remote Code Execution Vulnerability | No | No | 7.8 | Yes
CVE-2022-23300 | Raw Image Extension Remote Code Execution Vulnerability | No | No | 7.8 | Yes
CVE-2022-22010 | Media Foundation Information Disclosure Vulnerability | No | No | 4.4 | Yes
CVE-2022-21977 | Media Foundation Information Disclosure Vulnerability | No | No | 3.3 | Yes
CVE-2022-22006 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes
CVE-2022-23301 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes
CVE-2022-22007 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes
CVE-2022-24452 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes
CVE-2022-24453 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes
CVE-2022-24456 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes
CVE-2022-24457 | HEIF Image Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes
Windows ESU vulnerabilities

CVE | Title | Exploited | Publicly disclosed? | CVSSv3 base score | Has FAQ?
CVE-2022-24454 | Windows Security Support Provider Interface Elevation of Privilege Vulnerability | No | No | 7.8 | No
CVE-2022-23299 | Windows PDEV Elevation of Privilege Vulnerability | No | No | 7.8 | Yes
CVE-2022-23298 | Windows NT OS Kernel Elevation of Privilege Vulnerability | No | No | 7.0 | Yes
CVE-2022-23297 | Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes
CVE-2022-21973 | Windows Media Center Update Denial of Service Vulnerability | No | No | 5.5 | No
CVE-2022-23296 | Windows Installer Elevation of Privilege Vulnerability | No | No | 7.8 | No
CVE-2022-23290 | Windows Inking COM Elevation of Privilege Vulnerability | No | No | 7.8 | No
CVE-2022-24502 | Windows HTML Platforms Security Feature Bypass Vulnerability | No | No | 4.3 | Yes
CVE-2022-24459 | Windows Fax and Scan Service Elevation of Privilege Vulnerability | No | Yes | 7.8 | No
CVE-2022-23293 | Windows Fast FAT File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No
CVE-2022-23281 | Windows Common Log File System Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes
CVE-2022-23283 | Windows ALPC Elevation of Privilege Vulnerability | No | No | 7.0 | Yes
CVE-2022-24503 | Remote Desktop Protocol Client Information Disclosure Vulnerability | No | No | 5.4 | Yes
CVE-2022-21990 | Remote Desktop Client Remote Code Execution Vulnerability | No | Yes | 8.8 | Yes
CVE-2022-23285 | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 8.8 | Yes
CVE-2022-23253 | Point-to-Point Tunneling Protocol Denial of Service Vulnerability | No | No | 6.5 | No