8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
Microsoftâs Patch Tuesday update for the month of March has been made officially available with 71 fixes spanning across its software products such as Windows, Office, Exchange, and Defender, among others.
Of the total 71 patches, three are rated Critical and 68 are rated Important in severity. While none of the vulnerabilities are listed as actively exploited, three of them are publicly known at the time of release.
Itâs worth pointing out that Microsoft separately addressed 21 flaws in the Chromium-based Microsoft Edge browser earlier this month.
All the three critical vulnerabilities remediated this month are remote code execution flaws impacting HEVC Video Extensions (CVE-2022-22006), Microsoft Exchange Server (CVE-2022-23277), and VP9 Video Extensions (CVE-2022-24501).
The Microsoft Exchange Server vulnerability, which was reported by researcher Markus Wulftange, is also noteworthy for the fact that it requires the attacker to be authenticated to be able to exploit the server.
âThe attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution,â the Windows maker said. âAs an authenticated user, the attacker could attempt to trigger malicious code in the context of the serverâs account through a network call.â
âCritical vulnerability CVE-2022-23277 should also be a concern,â Kevin Breen, director of cyber threat research at Immersive Labs, said. âWhile requiring authentication, this vulnerability affecting on-prem Exchange servers could potentially be used during lateral movement into a part of the environment which presents the opportunity for business email compromise or data theft from email.â
The three zero-day bugs fixed by Microsoft are as follows â
Microsoft also labeled CVE-2022-21990 as âExploitation More Likelyâ because of the public availability of a proof-of-concept (PoC) exploit, making it crucial that the updates are applied as soon as possible to avoid potential attacks.
Other defects of significance are a number of remote code execution flaws in Windows SMBv3 Client/Server, Microsoft Office, and Paint 3D, as well as privilege escalation flaws in Xbox Live Auth Manager, Microsoft Defender for IoT, and Azure Site Recovery.
In all, the patches close out 29 remote code execution vulnerabilities, 25 elevation of privilege vulnerabilities, six information disclosure vulnerabilities, four denial-of-service vulnerabilities, three security feature bypass vulnerabilities, three spoofing vulnerabilities, and one tampering vulnerability.
In addition to Microsoft, security updates have also been released by other vendors to rectify several vulnerabilities, counting â
Found this article interesting? Follow THN on Facebook, Twitter ď and LinkedIn to read more exclusive content we post.
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C