| CVSS3 | 8.8 High |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |

| CVSS2 | 9.3 High |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | MEDIUM |
| Authentication | NONE |
| Confidentiality Impact | COMPLETE |
| Integrity Impact | COMPLETE |
| Availability Impact | COMPLETE |
| Vector | AV:N/AC:M/Au:N/C:C/I:C/A:C |
Hello everyone! This episode will be about Microsoft Patch Tuesday for February 2022. I release it pretty late, because of my previous big episode about the blindspots in the Knowledge Bases of Vulnerability Scanners. Please take a look if you haven't seen it. Well, if you are even slightly interested in world news, you can imagine that the end of February 2022 in Eastern Europe is not the best time to create new content on Vulnerability Management. Let's hope that peace and tranquility will be restored soon. And also that the geopolitical confrontation between the largest nuclear powers will de-escalate somehow.

But let's get back to information security. While working on the Microsoft Patch Tuesday report for February 2022, I made a lot of improvements to my open source vulnerability prioritization project, Vulristics. I want to start with them.
One of the old problems is the number of CVEs. In the Patch Tuesday reviews made by the VM vendors, you can see that they always mention a different number of CVEs. For example, for the February Patch Tuesday Tenable stated that 48 CVEs were patched, while other VM vendors (ZDI, Qualys, Rapid7) reported up to 70 CVEs. I understand where Tenable got the number 48: that's what the Microsoft API returns (note the `"@odata.count":48`).

```json
{"@odata.context":"https://api.msrc.microsoft.com/sug/v2.0/en-US/$metadata#vulnerability","@odata.count":48,"value":[{"id":"00000000-0000-0000-0000-0000815caad0","releaseDate":"2022-02-08T08:00:00Z","cveNumber":"CVE-2022-23280","cveTitle":"Microsoft Outlook for Mac Security Feature Bypass Vulnerability","releaseNumber":"2022-Feb","vulnType":"Security Vulnerability","latestRevisionDate":"2022-02-09T08:00:00Z","mitreText":"MitreCVE-2022-23280","mitreUrl":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23280","publiclyDisclosed":"No","exploited":"No","latestSoftwareReleaseId":2,"latestSoftwareRelease":"Exploitation Less Likely","olderSoftwareReleaseId":2,"olderSoftwareRelease":"Exploitation Less Likely","denialOfService":"N/A","tag":"Microsoft Office Outlook","issuingCna":"Microsoft","langCode":"en-US","articles":[{"articleType":"FAQ","description":"<p><strong>Is the Preview Pane an attack vector for this vulnerability?</strong></p>\n<p>Yes, the Preview Pane is an attack vector.</p>\n","ordinal":10000},...
```
BTW, I changed https://api.msrc.microsoft.com/sug/v2.0/en-US/affectedProduct to https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability, because this URL is now used in the Microsoft web interface.
As for the other numbers, this is because they count not only the vulnerabilities that were released on a specific date, but also the vulnerabilities released between Patch Tuesdays. And that makes sense, since most security professionals and IT administrators review Microsoft issues once a month. Therefore, if we ignore the vulnerabilities that were published between Patch Tuesdays, there is a chance that something critical can go under the radar.

But starting from what date do VM vendors count CVEs? I took the beginning of the month and got 70 CVEs:
MS PT Year: 2022
MS PT Month: February
MS PT Date: 2022-02-08
MS PT CVEs found: 48
Ext MS PT Date from: 2022-02-01
Ext MS PT Date to: 2022-02-07
Ext MS PT CVEs found: 22
ALL MS PT CVEs: 70
But it seems to me that it is more correct to take the day after the previous Patch Tuesday as the "Ext MS PT Date from":
MS PT Year: 2022
MS PT Month: February
MS PT Date: 2022-02-08
MS PT CVEs found: 48
Ext MS PT Date from: 2022-01-12
Ext MS PT Date to: 2022-02-07
Ext MS PT CVEs found: 46
ALL MS PT CVEs: 94
I decided to make a new Vulristics profile, "ms_patch_tuesday_extended". It will include all vulnerabilities that have been published since the previous Patch Tuesday, including the current Patch Tuesday date. There will also be a comment that the vulnerability was released before Patch Tuesday.

There was also an issue with the search on the Tenable blog. It didn't work even in the GUI. After trying to search for "Patch Tuesday", I kept getting the error "This page isn't working. www.tenable.com redirected you too many times". I hope Tenable will fix this, but bugs like this can happen regularly. So, I decided to add the ability to define comments links directly in a file.
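To make the date logic concrete, here is an added example of how the extended window can be computed and how API records fall into it. This is illustration code written for this post, not Vulristics' own implementation: it assumes that Patch Tuesday is the second Tuesday of the month, and uses only the `releaseDate` and `cveNumber` fields of the MSRC `vulnerability` API output shown above; the sample records (and every CVE number in them except CVE-2022-23280) are constructed placeholders.

```python
from datetime import date, datetime, timedelta

# Constructed sample in the shape of MSRC API records (only the two fields
# this example needs). Dates are chosen to hit the edges of the window;
# all CVE numbers except CVE-2022-23280 are placeholders, not real CVEs.
SAMPLE_VULNS = [
    {"cveNumber": "CVE-2022-23280", "releaseDate": "2022-02-08T08:00:00Z"},  # Patch Tuesday
    {"cveNumber": "CVE-2022-99901", "releaseDate": "2022-01-11T18:00:00Z"},  # previous PT day
    {"cveNumber": "CVE-2022-99902", "releaseDate": "2022-01-12T08:00:00Z"},  # first day of window
    {"cveNumber": "CVE-2022-99903", "releaseDate": "2022-02-07T08:00:00Z"},  # last day of window
    {"cveNumber": "CVE-2022-99904", "releaseDate": "2022-02-09T08:00:00Z"},  # belongs to March's window
    {"cveNumber": "CVE-2022-99905", "releaseDate": "2022-02-08T20:00:00Z"},  # PT day, later time
]


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month (Microsoft's Patch Tuesday)."""
    first = date(year, month, 1)
    days_to_tuesday = (1 - first.weekday()) % 7  # weekday(): Mon=0, Tue=1
    return first + timedelta(days=days_to_tuesday + 7)


def previous_patch_tuesday(year: int, month: int) -> date:
    """Patch Tuesday of the preceding month, handling the January rollover."""
    if month == 1:
        return patch_tuesday(year - 1, 12)
    return patch_tuesday(year, month - 1)


def extended_window(year: int, month: int):
    """Return (ext_from, ext_to, pt_date): the day after the previous
    Patch Tuesday through the day before the current one, plus the
    current Patch Tuesday date itself."""
    pt = patch_tuesday(year, month)
    ext_from = previous_patch_tuesday(year, month) + timedelta(days=1)
    ext_to = pt - timedelta(days=1)
    return ext_from, ext_to, pt


def release_day(vuln: dict) -> date:
    # MSRC releaseDate is a UTC timestamp such as 2022-02-08T08:00:00Z;
    # only the calendar day matters for the window.
    return datetime.strptime(vuln["releaseDate"], "%Y-%m-%dT%H:%M:%SZ").date()


def partition_cves(vulns, year: int, month: int) -> dict:
    """Split records into Patch Tuesday CVEs, CVEs released in the extended
    window before it (with the comment the report would carry), and
    records outside both ranges."""
    ext_from, ext_to, pt = extended_window(year, month)
    result = {"pt_date": pt, "ext_from": ext_from, "ext_to": ext_to,
              "pt": [], "ext": {}, "skipped": []}
    for v in vulns:
        day = release_day(v)
        if day == pt:
            result["pt"].append(v["cveNumber"])
        elif ext_from <= day <= ext_to:
            result["ext"][v["cveNumber"]] = "Released before Patch Tuesday on " + day.isoformat()
        else:
            result["skipped"].append(v["cveNumber"])
    return result


def summary(vulns, year: int, month: int) -> dict:
    """The same counters the Vulristics run above prints."""
    r = partition_cves(vulns, year, month)
    return {
        "MS PT Date": r["pt_date"].isoformat(),
        "MS PT CVEs found": len(r["pt"]),
        "Ext MS PT Date from": r["ext_from"].isoformat(),
        "Ext MS PT Date to": r["ext_to"].isoformat(),
        "Ext MS PT CVEs found": len(r["ext"]),
        "ALL MS PT CVEs": len(r["pt"]) + len(r["ext"]),
    }


if __name__ == "__main__":
    for key, value in summary(SAMPLE_VULNS, 2022, 2).items():
        print("%s: %s" % (key, value))
```

For February 2022 the window comes out as 2022-01-12 to 2022-02-07 with the Patch Tuesday date 2022-02-08, matching the run above; a record dated the previous Patch Tuesday itself, or any day after the current one, is left out so that each CVE lands in exactly one month's report.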
python3.8 vulristics.py --report-type "ms_patch_tuesday" --mspt-year 2022 --mspt-month "February" --mspt-comments-links-path "comments_links.txt" --rewrite-flag "True"
The comments_links.txt file:
Tenable|Microsoft’s February 2022 Patch Tuesday Addresses 48 CVEs (CVE-2022-21989)|https://www.tenable.com/blog/microsofts-february-2022-patch-tuesday-addresses-48-cves-cve-2022-21989
When I generated the report, I found many vulnerabilities there for which there was a strange Log4Shell exploit. It was a fake project on GitHub that mentioned thousands of CVEs.

What to do with it? Of course, you can simply exclude all GitHub objects from the Vulners.com API output and ignore such exploits. On the other hand, this is bad, because there may indeed be real exploits on GitHub that other exploit packs don't have.

So instead I decided to add the ability to exclude specific vulners.com exploits in data_exclusions.py.
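As an added illustration of the exclusion approach (this is not the code in Vulristics' data_exclusions.py), the following keeps an explicit, per-exploit exclusion list with a reason, and separately flags any remaining exploit record that claims an implausible number of CVEs as a candidate for that list without dropping it automatically, so real GitHub exploits are not lost. The field names `id`, `type`, `title` and `cvelist` are assumed to follow the Vulners document schema; the record ids, titles and CVE numbers (except CVE-2022-23280 and CVE-2021-44228) are constructed placeholders, and the threshold of 50 CVEs is an assumed value.

```python
# Constructed sample in the shape of Vulners exploit search hits. The ids,
# titles and most CVE numbers are placeholders made up for this example.
SAMPLE_EXPLOITS = [
    {"id": "EXAMPLE-GH-0001", "type": "githubexploit",
     "title": "PoC for CVE-2022-23280",
     "cvelist": ["CVE-2022-23280"]},
    {"id": "EXAMPLE-GH-FAKE-LOG4SHELL", "type": "githubexploit",
     "title": "Log4Shell project that lists every CVE it can find",
     "cvelist": ["CVE-2021-44228"] + ["CVE-2022-9%04d" % i for i in range(2000)]},
    {"id": "EXAMPLE-GH-0002", "type": "githubexploit",
     "title": "Multi-CVE scanner with a very long CVE list",
     "cvelist": ["CVE-2022-23280"] + ["CVE-2022-8%04d" % i for i in range(200)]},
    {"id": "EXAMPLE-EDB-0001", "type": "exploitdb",
     "title": "Placeholder Exploit-DB entry",
     "cvelist": ["CVE-2022-99901"]},
]

# Explicit exclusion list keyed by Vulners id, with a reason so the report
# can say why an exploit was dropped rather than silently hiding it.
EXCLUDED_EXPLOITS = {
    "EXAMPLE-GH-FAKE-LOG4SHELL": "Fake GitHub project that mentions thousands of CVEs",
}

# Assumed review threshold: a genuine exploit rarely covers this many CVEs.
MAX_CVES_PER_EXPLOIT = 50


def filter_exploits(records, excluded=None, max_cves=MAX_CVES_PER_EXPLOIT):
    """Return (kept, dropped, suspicious).

    kept       - records not on the exclusion list, in input order
    dropped    - {id: reason} for records removed by the exclusion list
    suspicious - ids of kept records whose cvelist exceeds max_cves; these
                 are review candidates for the exclusion list, not dropped
    """
    if excluded is None:
        excluded = EXCLUDED_EXPLOITS
    kept, dropped, suspicious = [], {}, []
    for rec in records:
        if rec["id"] in excluded:
            dropped[rec["id"]] = excluded[rec["id"]]
            continue
        if len(rec.get("cvelist", [])) > max_cves:
            suspicious.append(rec["id"])
        kept.append(rec)
    return kept, dropped, suspicious


def exploits_for_cve(cve, records, excluded=None, max_cves=MAX_CVES_PER_EXPLOIT):
    """Exploit ids that would be attached to a CVE after exclusions."""
    kept, _, _ = filter_exploits(records, excluded, max_cves)
    return [rec["id"] for rec in kept if cve in rec.get("cvelist", [])]


if __name__ == "__main__":
    kept, dropped, suspicious = filter_exploits(SAMPLE_EXPLOITS)
    print("kept:", [rec["id"] for rec in kept])
    print("dropped:", dropped)
    print("review candidates:", suspicious)
    print("exploits for CVE-2022-23280:", exploits_for_cve("CVE-2022-23280", SAMPLE_EXPLOITS))
```

With the sample data the fake Log4Shell record is dropped with its reason, the 200-CVE record is kept but reported as a review candidate, and CVE-2022-23280 still shows two GitHub exploits; adding the candidate to the exclusion dictionary is then a deliberate, documented decision rather than a blanket ban on GitHub objects.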
But let's now take a look at the Patch Tuesday for February 2022. There were 94 vulnerabilities: 3 Critical, 20 High, 65 Medium and 6 Low.
The full report is available here: ms_patch_tuesday_february2022
Let's look at 3 critical vulnerabilities:
Now let's highlight some of the 20 High severity vulnerabilities:
These were all vulnerabilities for which there is an exploit or a sign of "exploitation in the wild". What other vulnerabilities are worth paying attention to?
Among the Medium severity vulnerabilities, the following are quite interesting:

There were also a lot of vulnerabilities in Microsoft Edge. Most of them were published before the February 2022 Patch Tuesday, between 2022-01-12 and 2022-02-07. Some of them are of the Memory Corruption type; for 6 of them the type could not be detected from the description.