Microsoft has released 48 security fixes for software including a patch for a zero-day bug — but there are no critical-severity flaws on the list this month.
In the Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, Microsoft has fixed problems including remote code execution (RCE) vulnerabilities, privilege escalation bugs, spoofing issues, information leaks, and policy bypass exploits.
Products impacted by February’s security update include the Windows Kernel, Hyper-V, Microsoft Outlook and Office, Azure Data Explorer, and Microsoft SharePoint.
The single zero-day vulnerability now patched by Microsoft is CVE-2022-21989. Issued a CVSS severity score of 7.8, this bug — which is publicly known — can be exploited to escalate privileges via the kernel. However, it has not been issued a critical rating as Microsoft says triggering the exploit “requires an attacker to take additional actions prior to exploitation to prepare the target environment.”
Some of the other vulnerabilities of interest in this update are:
- CVE-2022-21984 (CVSS 8.8): Windows DNS Server Remote Code Execution Vulnerability
- CVE-2022-22005 (CVSS 8.8): Microsoft SharePoint Server Remote Code Execution Vulnerability
- CVE-2022-23256 (CVSS 8.1): Azure Data Explorer Spoofing Vulnerability
- CVE-2022-23274 (CVSS 8.3): Microsoft Dynamics GP Remote Code Execution Vulnerability
Last month, Microsoft resolved six zero-day vulnerabilities in the first batch of security fixes for 2022. The previously-unknown bugs could be exploited for purposes including Man-in-The-Middle (MiTM) attacks, denial-of-service, spoofing, and remote code execution.
A month prior, the tech giant tackled 67 security issues during December’s Patch Tuesday. A zero-day bug of note was being actively exploited by cybercriminals to spread Emotet malware.
Alongside Microsoft’s Patch Tuesday round, other vendors, too, have published security updates which can be accessed below.