Microsoft announced fixes for 48 vulnerabilities across seven Microsoft product groups in the year’s last Patch Tuesday update. This covers six Critical-class problems affecting Windows, SharePoint, and Microsoft Dynamics.
The bulk of the CVEs affect Windows: 30 of them impact the operating system, including four that are shared with Azure. Azure itself receives five updates, including those for the four shared CVEs. Office requires 13, which also includes fixes for Outlook for Mac and Outlook for Android.
A separate Defense in Depth update (ADV220005) was released for Driver Certificate Deprecation.
Malicious use of Microsoft-signed drivers
Microsoft issued a separate advisory (ADV220005) after receiving alerts that drivers certified through Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity.
“Microsoft has completed its investigation and determined that the activity was limited to the abuse of several developer program accounts and that no compromise has been identified. We’ve suspended the partners’ seller accounts and implemented blocking detections to help protect customers from this threat,” read the patch advisory.
Alerted by security vendors, Microsoft initiated an investigation that revealed that several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature.
“A new attempt at submitting a malicious driver for signing on September 29, 2022, led to the suspension of the sellers’ accounts in early October,” read the advisory.
“Ongoing Microsoft Threat Intelligence Center (MSTIC) analysis indicates the signed malicious drivers were likely used to facilitate post-exploitation intrusion activity such as the deployment of ransomware,” it added.
Two zero-day holes patched
The year’s last Patch Tuesday update addressed two zero-day issues: DirectX Graphics Kernel Elevation of Privilege Vulnerability (CVE-2022-44710) and Windows SmartScreen Security Feature Bypass Vulnerability (CVE-2022-44698). The latter is also known to have been exploited in the wild.
“Neither of these bugs can be exploited for what’s known as RCE (remote code execution), so they don’t give outside attackers a direct route into your network,” read a Sophos advisory.
“Nevertheless, they’re both bugs that make things easier for cybercriminals by providing ways for them to sidestep security protections that would usually stop them in their tracks.”
Malwarebytes Labs has highlighted two critical vulnerabilities found in the Windows Secure Socket Tunneling Protocol (SSTP).
“CVE-2022-44670 and CVE-2022-44676 are remote code execution (RCE) vulnerabilities. Successful exploitation of these vulnerabilities requires an attacker to win a race condition but when successful could enable an attacker to remotely execute code on a remote access server (RAS),” explained the Malwarebytes blog post on Patch Tuesday.