February 2022 Patch Tuesday: No critical vulnerabilities and CUs to get everyone caught up
By Lewis Pope
This February Patch Tuesday we have a lower number of total vulnerabilities addressed (only 51) compared to January and for the first time in a long while no vulnerabilities were marked as “critical”. Also, there’s a change of pace this month as none are marked “exploitation detected” either. This means Microsoft doesn’t believe a single zero-day vulnerability from this month is being used in any attack campaigns. We’ll get into more detail later why proof-of-concept attacks concerning zero days should push a vulnerability toward the top of your priority list regardless of their exploitability rating.
Perhaps more important are the new cumulative updates (CUs) for this month, which should ease frustration for teams that are still deferring updates from January due to multiple complications. The new CUs should help teams get caught up and back in compliance with their patch management controls. January CUs provided headaches for many Server 2012, Server 2016 Hyper-V, and Domain Controller admins along with complications with LT2P VPN connections on workstations. February’s CUs should contain fixes for these issues and provide a smoother patching experience for this month.
Microsoft vulnerabilities
With only 51 security vulnerabilities being addressed this month and none of them being marked as critical, some may see the month as an opportunity to relax a little on ensuring patching is done on time. I’d warn against complacency just because none of them are marked as “critical” since many of the vulnerabilities are remote code execution vulnerabilities and many of those already have proof-of-concept exploitations available freely.
CVE-2022-21989 is a great example of why relying on severity ratings alone can leave you with a false sense of security. CVE-2022-21989 is marked only as “important” even though it was a zero day that has proof of concept publicly available. Microsoft tracks this in its “temporal score metrics” as “exploit code maturity”, which “measures the likelihood of the vulnerability being attacked and is typically based on the current state of exploit techniques, exploit code availability, or active, ‘in-the-wild’ exploitation”. CVE-2022-21989 is marked as “proof of concept” for “exploit code maturity”, which is what lets you know Microsoft is aware of exploitation tools or processes existing for a vulnerability. This should raise the priority of applying fixes for the vulnerability independent of what its severity rating is.
Vulnerability prioritization
It is important to not just prioritize vulnerabilities based on their severity but also their exploitation likelihood. Vulnerabilities marked as “exploitation more likely” are as important, and some may say even more important, to address quickly due to their increased likelihood to cause actual impacts to an environment. These CVEs from Microsoft should be top of the list as they are all marked as „exploitation more likely”, “exploitation detected”, or “critical”.
|
CVE |
Description |
Exploitability |
Severity |
|
Windows Print Spooler Elevation of Privilege Vulnerability |
Exploitation More Likely |
Important |
|
|
Named Pipe File System Elevation of Privilege Vulnerability |
Exploitation More Likely |
Important |
|
|
Microsoft SharePoint Server Remote Code Execution Vulnerability |
Exploitation More Likely |
Important |
|
|
Windows Common Log File System Driver Elevation of Privilege Vulnerability |
Exploitation More Likely |
Important |
|
|
Windows Print Spooler Elevation of Privilege Vulnerability |
Exploitation More Likely |
Important |
|
|
Win32k Elevation of Privilege Vulnerability |
Exploitation More Likely |
Important |
|
|
Windows DWM Core Library Elevation of Privilege Vulnerability |
Exploitation More Likely |
Important |
|
|
Windows Kernel Elevation of Privilege Vulnerability |
Exploitation More Likely |
Important |
|
|
Windows Common Log File System Driver Elevation of Privilege Vulnerability |
Exploitation More Likely |
Important |
|
|
Remote Desktop Services Remote Code Execution Vulnerability |
Exploitation More Likely |
Important |
Cumulative updates
KB5010342 and KB5010345 appear to fix an LDAP error and some other general use improvements for Bluetooth device battery percentages being reported incorrectly, audio fixes, and HDR displays displaying “light” colors as more washed out or a different color all together.
Summary
As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity consider including prioritization of patches for zero-days, exploitation detected, and exploitation more likely vulnerabilities in your patch management routines.
Lewis Pope is the head security nerd at N‑able. You can follow him on:
Twitter: @cybersec_nerd
LinkedIn: thesecuritypope
Twitch: cybersec_ner
© N‑able Solutions ULC und N‑able Technologies Ltd. Alle Rechte vorbehalten.
Dieses Dokument dient nur zu Informationszwecken und stellt keine Rechtsberatung dar. N‑able übernimmt weder ausdrücklich noch stillschweigend Gewähr noch Haftung oder Verantwortung für Korrektheit, Vollständigkeit oder Nutzen der in diesem Dokument enthaltenen Informationen.
N-ABLE, N-CENTRAL und andere Marken und Logos von N‑able sind ausschließlich Eigentum von N‑able Solutions ULC und N‑able Technologies Ltd. Sie sind gesetzlich geschützte Marken und möglicherweise beim Patent- und Markenamt der USA und in anderen Ländern registriert oder zur Registrierung angemeldet. Alle anderen hier genannten Marken dienen ausschließlich zu Informationszwecken und sind Marken (oder registrierte Marken) der entsprechenden Unternehmen.