February 2022 Patch Tuesday: No critical vulnerabilities and CUs to get everyone caught up

This February Patch Tuesday we have a lower number of total vulnerabilities addressed (only 51) compared to January and, for the first time in a long while, no vulnerabilities were marked as “critical”. There’s also a change of pace this month in that none are marked “exploitation detected” either, which means Microsoft doesn’t believe a single zero-day vulnerability from this month is being used in any attack campaigns. We’ll get into more detail later on why proof-of-concept exploits for zero-days should push a vulnerability toward the top of your priority list regardless of its exploitability rating.

Perhaps more important are the new cumulative updates (CUs) for this month, which should ease frustration for teams that are still deferring updates from January due to multiple complications. The new CUs should help teams get caught up and back in compliance with their patch management controls. January’s CUs caused headaches for many Server 2012, Server 2016 Hyper-V, and Domain Controller admins, along with complications with L2TP VPN connections on workstations. February’s CUs should contain fixes for these issues and provide a smoother patching experience this month.

Microsoft vulnerabilities

With only 51 security vulnerabilities being addressed this month and none of them marked as critical, some may see the month as an opportunity to relax a little on ensuring patching is done on time. I’d warn against complacency just because none of them are marked as “critical”: many of the vulnerabilities are remote code execution vulnerabilities, and many of those already have proof-of-concept exploits freely available.

CVE-2022-21989 is a great example of why relying on severity ratings alone can leave you with a false sense of security. CVE-2022-21989 is marked only as “important” even though it was a zero day that has proof of concept publicly available. Microsoft tracks this in its “temporal score metrics” as “exploit code maturity”, which “measures the likelihood of the vulnerability being attacked and is typically based on the current state of exploit techniques, exploit code availability, or active, ‘in-the-wild’ exploitation”. CVE-2022-21989 is marked as “proof of concept” for “exploit code maturity”, which is what lets you know Microsoft is aware of exploitation tools or processes existing for a vulnerability. This should raise the priority of applying fixes for the vulnerability independent of what its severity rating is.

Vulnerability prioritization

It is important to prioritize vulnerabilities not just by their severity but also by their likelihood of exploitation. Vulnerabilities marked as “exploitation more likely” are as important, and some may say even more important, to address quickly because of their increased likelihood of causing actual impact to an environment. These CVEs from Microsoft should be at the top of the list, as they are all marked as “exploitation more likely”, “exploitation detected”, or “critical”.

| CVE | Description | Exploitability | Severity |
|---|---|---|---|
| CVE-2022-22718 | Windows Print Spooler Elevation of Privilege Vulnerability | Exploitation More Likely | Important |
| CVE-2022-22715 | Named Pipe File System Elevation of Privilege Vulnerability | Exploitation More Likely | Important |
| CVE-2022-22005 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Exploitation More Likely | Important |
| CVE-2022-22000 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Exploitation More Likely | Important |
| CVE-2022-21999 | Windows Print Spooler Elevation of Privilege Vulnerability | Exploitation More Likely | Important |
| CVE-2022-21996 | Win32k Elevation of Privilege Vulnerability | Exploitation More Likely | Important |
| CVE-2022-21994 | Windows DWM Core Library Elevation of Privilege Vulnerability | Exploitation More Likely | Important |
| CVE-2022-21989 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation More Likely | Important |
| CVE-2022-21981 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Exploitation More Likely | Important |
| CVE-2019-0887 | Remote Desktop Services Remote Code Execution Vulnerability | Exploitation More Likely | Important |
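The prioritization rule this section argues for (exploit code maturity and zero-day status first, severity second) can be turned into a sort order, which is what the following added example does; it is not code from the post or from N‑able. The CVSS temporal vectors, the `zero_day` flags and the `CVE-XXXX-PLACEHOLDER` entry are constructed for illustration, not Microsoft’s published data.

```python
"""Rank Patch Tuesday CVEs by exploitation likelihood before severity.
Added example, not from the post or N-able; records and vectors are constructed."""

# CVSS v3.1 temporal metric "Exploit Code Maturity" (E), the metric the post quotes:
# X = not defined, U = unproven, P = proof-of-concept, F = functional, H = high.
EXPLOIT_MATURITY = {"X": 0, "U": 0, "P": 2, "F": 3, "H": 4}
# Microsoft Exploitability Index labels, most urgent first.
EXPLOITABILITY = {"Exploitation Detected": 3, "Exploitation More Likely": 2,
                  "Exploitation Less Likely": 1, "Exploitation Unlikely": 0}
SEVERITY = {"Critical": 3, "Important": 2, "Moderate": 1, "Low": 0}


def exploit_maturity(cvss_vector: str) -> int:
    """Return the E: metric of a CVSS v3.x vector string, or 0 if absent."""
    for part in cvss_vector.split("/")[1:]:
        metric, _, value = part.partition(":")
        if metric == "E":
            return EXPLOIT_MATURITY.get(value, 0)
    return 0


def priority_key(rec: dict) -> tuple:
    """Public exploit code (E:P or better), a zero-day, or 'Exploitation Detected'
    outranks anything judged on severity alone; then exploitability, then severity."""
    maturity = exploit_maturity(rec.get("cvss", ""))
    urgent = (maturity >= EXPLOIT_MATURITY["P"] or rec.get("zero_day", False)
              or rec["exploitability"] == "Exploitation Detected")
    return (int(urgent), EXPLOITABILITY[rec["exploitability"]],
            maturity, SEVERITY[rec["severity"]])


def rank(records: list) -> list:
    """Most urgent patch first."""
    return sorted(records, key=priority_key, reverse=True)


# Constructed sample: two CVEs from the post's table plus a placeholder id;
# the CVSS vectors are illustrative, not the published ones.
SAMPLE = [
    {"cve": "CVE-2022-22005", "severity": "Important", "zero_day": False,
     "exploitability": "Exploitation More Likely",
     "cvss": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"},
    {"cve": "CVE-XXXX-PLACEHOLDER", "severity": "Critical", "zero_day": False,
     "exploitability": "Exploitation Less Likely",
     "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"},
    {"cve": "CVE-2022-21989", "severity": "Important", "zero_day": True,
     "exploitability": "Exploitation More Likely",
     "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"},
]
```

Running `rank(SAMPLE)` puts the “important” CVE-2022-21989 with its proof-of-concept ahead of the constructed “critical” entry that has no known exploit code, which is the ordering the post recommends.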

Cumulative updates

KB5010342 and KB5010345 appear to fix an LDAP error and include some other general-use improvements: Bluetooth device battery percentages being reported incorrectly, audio fixes, and HDR displays rendering “light” colors as more washed out or as a different color altogether.

Summary

As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity, consider including prioritization of zero-day, “exploitation detected”, and “exploitation more likely” vulnerabilities in your patch management routines.

Lewis Pope is the head security nerd at N‑able. You can follow him on:

Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_ner

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.