8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
Hello everyone! I am glad to greet you from the most sanctioned country in the world. Despite all the difficulties, we carry on. I even have some time to release new episodes. This time it will be about Microsoft Patch Tuesday for March 2022.
Alternative video link (for Russia): <https://vk.com/video-149273431_456239076>
I do the analysis as usual with my open source tool Vulristics. You can still download it on github. I hope that github won't block Russian repositories and accounts, but for now it looks possible. Most likely, I will just start hosting the sources of my projects on avleonov.com in this case. Or on another domain, if it gets even tougher. Stay tuned.
This month there have been issues with getting Patch Tuesday blog posts from VM vendors. Qualys' site search broke and DuckDuckGo didn't index the ZDI blog well. Therefore, I added the links to them in mspt-comments-links-path manually.
$ python3.8 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2022 --mspt-month "March" --mspt-comments-links-path "comments_links.txt" --rewrite-flag "True"
$ cat comments_links.txt
Qualys|March 2022 Patch Tuesday: Microsoft Releases 92 Vulnerabilities with 3 Critical; Adobe Releases 3 Advisories, 6 Vulnerabilities with 5 Critical|https://blog.qualys.com/vulnerabilities-threat-research/2022/03/08/march-2022-patch-tuesday
ZDI|THE MARCH 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/3/8/the-march-2022-security-update-review$ python3.8 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2022 --mspt-month "March" --mspt-comments-links-path "comments_links.txt" --rewrite-flag "True"
I made a change to Vulristics so now it can take into account the Exploit Code Maturity from the CVSS Temporal Score of the Microsoft object. Such a mark will be less critical than the presence of an exploit in any exploit pack, but still.
On March 8, Microsoft published 71 CVEs. Another 30 have been published before since last February's Patch Tuesday, all in Microsoft Edge. In total, 101 vulnerabilities. If we look at CVSS, 50 of them will have a "High" level. According to my Vulristics metric, only 26 of them will have a "High" level. I think it shows that my prioritization is better.
You can see the full version of the report here:
ms_patch_tuesday_march2022_report_with_comments_ext_img.html
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C