Patch Tuesday December 2022: Mark of the Web zero-day fixed, and guidance on CVE-2022-37967 manual mitigation

To close out the year, Patch Tuesday brings us the gift of fixes for two zero-day vulnerabilities and a collection of critical vulnerabilities. These vulnerabilities are lacking the “hair on fire” responses from the community that vulnerabilities from earlier in the year generated, like ProxyNotShell and a wormable HTTP.sys flaw. However, as always, they should be addressed in a timely manner through a proper patching regime—even if they lack the dire warnings that accompanied previous named vulnerabilities this year.
This month also marks End of Servicing for Windows 10 21H1. Microsoft has been warning of the impending EOS for a few months. Most patching solutions should be able to handle the update to 21H2 or 22H2 without it being a major time investment. January, though, brings end of support for Windows 8.1, which will be harder to address because there is no in-place servicing path. If you haven’t started already, now is the time to audit your environments for Windows 8.1 systems and plan for their upgrade, replacement, or decommissioning.
Microsoft vulnerabilities
There were only 49 total vulnerabilities addressed as part of Microsoft’s December Patch Tuesday, about half of what we’ve seen in previous months. Of these, six are rated as Critical, while the two zero-day vulnerabilities (flaws that were publicly disclosed or exploited before a fix was available) are rated Moderate and Important. Labeling a vulnerability as a zero-day makes it sound so much worse than other vulnerabilities, but don’t let that label distract you from vulnerabilities that carry higher severity ratings or are under active exploitation.
CVE-2022-44698 is the notable vulnerability of the month. This zero-day, a Windows SmartScreen security feature bypass, allows a specially crafted file to be downloaded to a device without the Mark of the Web (MotW) being applied to it. MotW is what lets the Windows OS, applications such as Office, and end users know that a file originated from the web and shouldn’t be trusted by default; without it, SmartScreen and Protected View do not step in. Even though it carries only a CVSS score of 5.4, the fact that it is under active exploitation by threat actors in ransomware attacks should put it right at the top of your to-do list.
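To make the Mark of the Web concrete, here is an added PowerShell example (not code from the original post) that shows where MotW actually lives and how to spot files that are missing it. Windows records MotW as an NTFS alternate data stream named Zone.Identifier containing a ZoneId (3 = Internet, 4 = Restricted); a MotW bypass of the kind CVE-2022-44698 describes yields a downloaded file with no such stream. The sample files, the folder name and the Get-MotwReport function are constructed for the example; the stream name and ZoneId values are Windows behavior.

```powershell
# Added example: inspect the Mark of the Web on downloaded files.
# MotW is the NTFS alternate data stream "Zone.Identifier" holding "[ZoneTransfer]\r\nZoneId=N".
# A web-sourced file without this stream is what a MotW bypass produces, so SmartScreen
# and Office Protected View never get the signal that the file is untrusted.

# Constructed sample: one file stamped like a browser download, one left unmarked.
$dir = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$withMotw    = Join-Path $dir 'invoice-marked.js'
$withoutMotw = Join-Path $dir 'invoice-unmarked.js'
Set-Content -Path $withMotw    -Value 'WScript.Echo("demo")'
Set-Content -Path $withoutMotw -Value 'WScript.Echo("demo")'
# Stamp the first file the way a browser download would (ZoneId 3 = Internet zone).
Set-Content -Path $withMotw -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

function Get-MotwReport {
    # Report every file of a risky type under $Path together with its MotW zone, if any.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$RiskyExtensions = @('.js', '.vbs', '.wsf', '.hta', '.iso', '.img', '.lnk', '.exe', '.dll', '.zip')
    )
    Get-ChildItem -Path $Path -File -Recurse |
        Where-Object { $RiskyExtensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $zone = $null
            # Read the alternate data stream; a missing stream just yields $null.
            $ads = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            if ($ads) {
                $line = $ads | Where-Object { $_ -match '^ZoneId=(\d+)' } | Select-Object -First 1
                if ($line -and $line -match '^ZoneId=(\d+)') { $zone = [int]$Matches[1] }
            }
            [pscustomobject]@{
                File    = $_.FullName
                ZoneId  = $zone
                # 3 = Internet and 4 = Restricted are the zones that trigger SmartScreen/Protected View.
                HasMotw = ($null -ne $zone -and $zone -ge 3)
            }
        }
}

Get-MotwReport -Path $dir | Format-Table -AutoSize
```

Run against a user’s Downloads folder, the report lists recently arrived script, container and executable files that carry no MotW, which is exactly the population a bypass like this one creates. Note that Unblock-File and the Properties dialog’s “Unblock” button remove the same stream legitimately, so a missing MotW is a lead to investigate, not proof of exploitation.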
The second zero-day of the month is CVE-2022-44710, an elevation of privilege vulnerability in the DirectX Graphics Kernel that allows a local attacker to gain SYSTEM privileges. It earns the zero-day label because details were public before the fix shipped, but there is no public proof-of-concept exploit yet, Microsoft rates it only Important, and it is marked Exploitation Less Likely. So even though it carries the zero-day label, it is a lot less threatening than CVE-2022-44698, which highlights why understanding key metrics about vulnerabilities, not just their labels, is an important part of proper risk evaluation and prioritization.
CVE-2022-37967 is an elevation of privilege vulnerability affecting Windows Kerberos (the signing of the Privilege Attribute Certificate, or PAC, inside Kerberos tickets) that received an initial Phase 1 fix during November’s Patch Tuesday but requires additional steps, as advised by Microsoft, to fully close the issue. If you are managing a Windows domain, Microsoft’s KB article for this CVE (KB5020805) is essential reading: the December update advances the phased rollout, and there are manual steps to take on your domain controllers this month in addition to applying the update.
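Because the CVE-2022-37967 rollout is registry driven and phased, the practical question for a domain admin is “where does each of my DCs sit, and is anything in my environment going to break when I enforce?”. The following PowerShell is an added example (not code from the original post or from Microsoft’s KB) that answers both. The registry value KrbtgtFullPacSignature under HKLM:\SYSTEM\CurrentControlSet\Services\Kdc, its meanings, and the KDC event IDs 42, 43 and 44 are as I recall them from KB5020805; check them against the current revision of that article before relying on them, since the phases and defaults changed over time. The function names and the mode-name table are my own.

```powershell
# Added example: check each domain controller's CVE-2022-37967 PAC-signature mode,
# optionally move it to Audit mode, and collect the KDC events that Audit mode emits.
# Assumed from KB5020805 (verify against the current article):
#   HKLM:\SYSTEM\CurrentControlSet\Services\Kdc\KrbtgtFullPacSignature (DWORD)
#     0 = PAC signatures disabled (option removed by the December 2022 update)
#     1 = add signatures but do not validate (the November 2022 default)
#     2 = Audit mode: validate, log events, still allow
#     3 = Enforcement mode: reject tickets with missing or invalid full PAC signatures
#   Events 42, 43, 44 from Microsoft-Windows-Kerberos-Key-Distribution-Center in the System log
#   identify tickets the KDC found without a valid full PAC signature.

$kdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$modeNames = @{ 0 = 'Disabled'; 1 = 'AddOnly'; 2 = 'Audit'; 3 = 'Enforce' }

function Get-PacSignatureMode {
    # Read the registry value remotely; $null means the update's default applies.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $value = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' `
            -ErrorAction SilentlyContinue).KrbtgtFullPacSignature
    }
    [pscustomobject]@{
        DomainController = $ComputerName
        Value            = $value
        Mode             = if ($null -eq $value) { 'NotSet (update default applies)' } else { $modeNames[[int]$value] }
    }
}

function Set-PacSignatureAudit {
    # Move one DC to Audit mode (2). Do this only after EVERY DC has the November 2022
    # or later update, otherwise tickets from unpatched DCs will show up in the audit events.
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' `
            -Name 'KrbtgtFullPacSignature' -PropertyType DWord -Value 2 -Force | Out-Null
    }
}

function Get-PacSignatureAuditEvents {
    # Pull the KDC events Audit mode writes so you can see what Enforcement would reject.
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Days = 7)
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 42, 43, 44
        StartTime    = (Get-Date).AddDays(-$Days)
    } | Select-Object TimeCreated, Id, MachineName, Message
}

# Walk every DC in the domain (needs the ActiveDirectory RSAT module and WinRM access to each DC).
$dcs = (Get-ADDomainController -Filter *).HostName
$dcs | ForEach-Object { Get-PacSignatureMode -ComputerName $_ } | Format-Table -AutoSize
$dcs | ForEach-Object { Get-PacSignatureAuditEvents -ComputerName $_ } | Format-Table -AutoSize
```

The intended order is the one Microsoft’s guidance describes: confirm every DC is patched, switch to Audit mode with Set-PacSignatureAudit, watch Get-PacSignatureAuditEvents for a week or two, fix whatever is generating events (typically DCs missed by patching or third-party KDCs), and only then raise the value to 3.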
Microsoft Patch Tuesday Vulnerability Prioritization
As always, prioritizing which vulnerabilities to address first is part following established best practices and part gut instinct. Critical severity, Exploitation More Likely and Exploitation Detected vulnerabilities should, as always, rank fairly high on your priority list. If you only patch based on severity, you are leaving a lot of unnecessary risk exposure lying around.
Table Key: Severity: C = Critical, I = Important, M = Moderate; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected
CVE | Description | Severity | Status
 | Windows SmartScreen Security Feature Bypass Vulnerability | M | ED
 | Microsoft Windows Sysmon Elevation of Privilege Vulnerability | I | EML
 | Windows Kernel Elevation of Privilege Vulnerability | I | EML
 | Windows Bluetooth Driver Elevation of Privilege Vulnerability | I | EML
 | Windows Client Server Run-Time Subsystem (CSRSS) Elevation of Privilege Vulnerability | I | EML
 | Windows Graphics Component Elevation of Privilege Vulnerability | I | EML
 | Windows Graphics Component Elevation of Privilege Vulnerability | I | EML
 | Microsoft Exchange Server Spoofing Vulnerability | I | EML
 | PowerShell Remote Code Execution Vulnerability | C | EML
 | Windows Kerberos Elevation of Privilege Vulnerability | C | EML
 | Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability | C | ELL
 | Microsoft SharePoint Server Remote Code Execution Vulnerability | C | ELL
 | Microsoft SharePoint Server Remote Code Execution Vulnerability | C | ELL
 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | C | ELL
 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | C | ELL
Other vendors
Fortinet announced CVE-2022-42475, a pre-authentication heap-based buffer overflow in the FortiOS SSL-VPN that Fortinet reports has been exploited in the wild; upgrading to a fixed FortiOS release addresses it. Citrix also released a security update for CVE-2022-27518, an unauthenticated remote code execution flaw affecting Citrix ADC and Citrix Gateway when configured as a SAML SP or IdP, which Citrix likewise reports as exploited. It’s just as important (some say more important) to keep apprised of security bulletins and new firmware from network appliance vendors as it is to keep up to date with endpoints, since these devices sit on the perimeter and rarely run endpoint protection. So, if you’re not subscribed to alerts from your network appliance vendors, it would make for a good New Year’s resolution.
Summary
As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity, consider adding prioritization of zero-days and of Exploitation Detected and Exploitation More Likely vulnerabilities to your patch management routines.
Looking for more blogs on patching, or for previous Microsoft Patch Tuesday reviews? Check out this section of our blog.
Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd
LinkedIn: thesecuritypope
Twitch: cybersec_nerd
© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
This document is provided for informational purposes only and should not be relied upon as legal advice. N‑able makes no warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.
The N-ABLE, N-CENTRAL, and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. and may be common law marks, are registered, or are pending registration with the U.S. Patent and Trademark Office and with other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (and may be registered trademarks) of their respective companies.