
February 2022 Patch Tuesday: No critical vulnerabilities and CUs to get everyone caught up

This February Patch Tuesday we have a lower number of total vulnerabilities addressed (only 51) compared to January, and for the first time in a long while none were marked as “critical”. There’s also a change of pace this month in that none are marked “exploitation detected” either, meaning Microsoft doesn’t believe a single zero-day vulnerability from this month is being used in any attack campaigns. Later we’ll go into more detail on why publicly available proof-of-concept exploits for zero days should push a vulnerability toward the top of your priority list regardless of its exploitability rating.

Perhaps more important are the new cumulative updates (CUs) for this month, which should ease frustration for teams that are still deferring updates from January due to multiple complications. The new CUs should help teams get caught up and back in compliance with their patch management controls. January’s CUs caused headaches for many Server 2012, Server 2016 Hyper-V, and Domain Controller admins, along with complications with L2TP VPN connections on workstations. February’s CUs should contain fixes for these issues and provide a smoother patching experience this month.

Microsoft vulnerabilities

With only 51 security vulnerabilities being addressed this month and none of them marked as critical, some may see the month as an opportunity to relax a little on ensuring patching is done on time. I’d warn against complacency just because none of them are marked “critical”: many of the vulnerabilities are remote code execution vulnerabilities, and many of those already have publicly available proof-of-concept exploits.

CVE-2022-21989 is a great example of why relying on severity ratings alone can leave you with a false sense of security. CVE-2022-21989 is marked only as “important” even though it was a zero day with a proof of concept publicly available. Microsoft tracks this in its “temporal score metrics” as “exploit code maturity”, which “measures the likelihood of the vulnerability being attacked and is typically based on the current state of exploit techniques, exploit code availability, or active, ‘in-the-wild’ exploitation”. CVE-2022-21989 is marked as “proof of concept” for “exploit code maturity”, which tells you Microsoft is aware that exploit tools or techniques exist for the vulnerability. This should raise the priority of applying fixes for the vulnerability independent of its severity rating.


Vulnerability prioritization

It is important to prioritize vulnerabilities not just by their severity but also by their exploitation likelihood. Vulnerabilities marked as “exploitation more likely” are as important, and some may say even more important, to address quickly because of their increased likelihood of causing actual impact in an environment. These CVEs from Microsoft should be at the top of the list, as they are all marked “exploitation more likely”, “exploitation detected”, or “critical”.

| CVE | Description | Exploitability | Severity |
| --- | --- | --- | --- |
| CVE-2022-22718 | Windows Print Spooler Elevation of Privilege Vulnerability | Exploitation More Likely | Important |
| CVE-2022-22715 | Named Pipe File System Elevation of Privilege Vulnerability | Exploitation More Likely | Important |
| CVE-2022-22005 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Exploitation More Likely | Important |
| CVE-2022-22000 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Exploitation More Likely | Important |
| CVE-2022-21999 | Windows Print Spooler Elevation of Privilege Vulnerability | Exploitation More Likely | Important |
| CVE-2022-21996 | Win32k Elevation of Privilege Vulnerability | Exploitation More Likely | Important |
| CVE-2022-21994 | Windows DWM Core Library Elevation of Privilege Vulnerability | Exploitation More Likely | Important |
| CVE-2022-21989 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation More Likely | Important |
| CVE-2022-21981 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Exploitation More Likely | Important |
| CVE-2019-0887 | Remote Desktop Services Remote Code Execution Vulnerability | Exploitation More Likely | Important |
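The prioritization rule described in the two sections above (severity alone is not enough; exploitation likelihood and known exploit code must pull a vulnerability up the list) can be turned into a repeatable sort order. The script below is an added example, not code from the original post or from N‑able. It reproduces the ten rows of the table as data, marks CVE-2022-21989 with the “proof of concept” exploit-code maturity the post describes, and adds three clearly labelled CVE-XXXX-* entries that are constructed to show where a “critical but no exploit code” item and a routine “important / exploitation unlikely” item land. The exploit-code maturity values for every CVE other than CVE-2022-21989 are assumed to be “Not Defined”; the category names are Microsoft’s Exploitability Index values and the CVSS v3 temporal “Exploit Code Maturity” values.

```python
"""Rank a Patch Tuesday batch by exploitation likelihood, not severity alone.

Added example, not code from the original post. The ten table rows are real
CVE ids and titles from the post; the CVE-XXXX-* entries and every
exploit-code-maturity value other than CVE-2022-21989's are constructed
assumptions used only to illustrate the ordering.
"""
from dataclasses import dataclass

# Microsoft Exploitability Index categories, most urgent first.
EXPLOITABILITY_RANK = {
    "Exploitation Detected": 0,
    "Exploitation More Likely": 1,
    "Exploitation Less Likely": 2,
    "Exploitation Unlikely": 3,
}
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}
# CVSS v3 temporal metric "Exploit Code Maturity" (E), most mature first.
# "Not Defined" is treated like "Unproven": no known exploit code.
MATURITY_RANK = {"High": 0, "Functional": 1, "Proof-of-Concept": 2,
                 "Unproven": 3, "Not Defined": 3}


@dataclass(frozen=True)
class Cve:
    cve_id: str
    title: str
    exploitability: str
    severity: str
    exploit_code_maturity: str = "Not Defined"
    zero_day: bool = False


def is_top_priority(cve: Cve) -> bool:
    """The post's rule: critical, exploitation detected, exploitation more
    likely, a zero day, or known exploit code all go to the top of the list."""
    return (cve.severity == "Critical"
            or EXPLOITABILITY_RANK.get(cve.exploitability, 3) <= 1
            or cve.zero_day
            or MATURITY_RANK.get(cve.exploit_code_maturity, 3) <= 2)


def priority_key(cve: Cve):
    """Sort key: top-priority bucket first, then how mature public exploit
    code is, then the exploitability index, then severity, then id."""
    return (0 if is_top_priority(cve) else 1,
            MATURITY_RANK.get(cve.exploit_code_maturity, 3),
            EXPLOITABILITY_RANK.get(cve.exploitability, 3),
            SEVERITY_RANK.get(cve.severity, 3),
            cve.cve_id)


def prioritize(cves):
    """Return the CVEs ordered from most to least urgent to patch."""
    return sorted(cves, key=priority_key)


def report(cves):
    """One line per CVE, in patching order, flagging the top-priority bucket."""
    lines = []
    for rank, c in enumerate(prioritize(cves), start=1):
        bucket = "TOP" if is_top_priority(c) else "routine"
        lines.append(f"{rank:2d} {c.cve_id:<28} {c.severity:<9} "
                     f"{c.exploitability:<25} E={c.exploit_code_maturity:<16} {bucket}")
    return lines


# Rows from the table in the post (all "Exploitation More Likely" / "Important").
_TABLE = [
    ("CVE-2022-22718", "Windows Print Spooler Elevation of Privilege"),
    ("CVE-2022-22715", "Named Pipe File System Elevation of Privilege"),
    ("CVE-2022-22005", "Microsoft SharePoint Server Remote Code Execution"),
    ("CVE-2022-22000", "Windows Common Log File System Driver Elevation of Privilege"),
    ("CVE-2022-21999", "Windows Print Spooler Elevation of Privilege"),
    ("CVE-2022-21996", "Win32k Elevation of Privilege"),
    ("CVE-2022-21994", "Windows DWM Core Library Elevation of Privilege"),
    ("CVE-2022-21989", "Windows Kernel Elevation of Privilege"),
    ("CVE-2022-21981", "Windows Common Log File System Driver Elevation of Privilege"),
    ("CVE-2019-0887", "Remote Desktop Services Remote Code Execution"),
]
SAMPLE_CVES = [
    # CVE-2022-21989 is the zero day with a public proof of concept the post discusses;
    # the other rows' maturity is assumed "Not Defined".
    Cve(i, t, "Exploitation More Likely", "Important",
        exploit_code_maturity="Proof-of-Concept" if i == "CVE-2022-21989" else "Not Defined",
        zero_day=(i == "CVE-2022-21989"))
    for i, t in _TABLE
] + [
    # Constructed placeholders (not real CVEs) to show the ordering rules in action.
    Cve("CVE-XXXX-DETECTED-EXAMPLE", "constructed: exploited in the wild",
        "Exploitation Detected", "Important", "High"),
    Cve("CVE-XXXX-CRITICAL-EXAMPLE", "constructed: critical, no known exploit code",
        "Exploitation Less Likely", "Critical"),
    Cve("CVE-XXXX-ROUTINE-EXAMPLE", "constructed: important, unlikely to be exploited",
        "Exploitation Unlikely", "Important"),
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CVES)))
```

Running it puts the constructed “exploitation detected” item first, CVE-2022-21989 second because its proof-of-concept exploit code outranks the other “exploitation more likely” entries, the constructed critical-but-unexploited item after all of those, and the routine item last. The design choice worth noting is that severity is only the fourth sort key: a “critical” rating still guarantees a place in the top bucket, but within that bucket evidence of exploit code and Microsoft’s exploitability index decide the order, which is exactly the shift in priorities the post argues for.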

Cumulative updates

KB5010342 and KB5010345 appear to fix an LDAP error, along with several general-use improvements: Bluetooth device battery percentages being reported incorrectly, audio fixes, and HDR displays rendering “light” colors as washed out or as a different color altogether.


Summary

As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally dealt with patches only by applying them based on their severity, consider including prioritization of zero-day, “exploitation detected”, and “exploitation more likely” vulnerabilities in your patch management routines.

Lewis Pope is the head security nerd at N‑able. You can follow him on:

Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_ner

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
