Microsoft’s February Patch Tuesday came with 51 security fixes, not one of them for a critical CVE. Fifty updates are labelled important, while one is rated moderate in severity. Additionally, there’s no indication that any of these vulnerabilities are under active exploitation.
The patches have been released for the following Microsoft products:
- Windows Codecs Library
- Windows Hyper-V Server
- Azure Data Explorer
- Dynamics GP
- Edge (Chromium based)
- Kestrel Web Server
- SQL Server
- Visual Studio Code
Only one of the vulnerabilities, a Windows kernel privilege escalation (CVE-2022-21989), has been publicly disclosed.
This is the fewest patches Microsoft has released in a month since August 2021, which saw only 44 fixes. That’s mostly down to February being a slow month for fixes, as bugs left unattended over the holiday season are fixed in January.
Slow month for security admins?
While none of the patched CVEs has a critical label, you should treat a few as a priority, especially the Windows DNS Server remote code execution flaw and the Windows Hyper-V remote code execution vulnerability (CVE-2022-21984 and CVE-2022-21995, respectively).
Additionally, more vulnerabilities were found in the Windows Print Spooler components: CVE-2022-21999, CVE-2022-22718, CVE-2022-21997, and CVE-2022-22717. They’re all privilege escalation vulnerabilities, which are often a key part of an attack chain: attackers exploit them to gain more access to systems once they’ve compromised the weak points and gained low-level access.
Nineteen vulnerabilities were also patched in the Chromium project earlier this month, with eight being high severity. The Chromium project forms the foundation of Microsoft’s Edge browser.
Adobe also pushed several security updates, described in five separate security bulletins covering 17 vulnerabilities across Illustrator, Creative Cloud Desktop, After Effects, Premiere Rush and Photoshop.
Creative Cloud Desktop, Photoshop and After Effects each had a single arbitrary code execution flaw that needed fixing. Illustrator came out on top here with 13 vulnerabilities fixed this month, two of them critical and the rest labelled important. Lastly, Premiere Rush had a moderate privilege escalation flaw.
SAP rounds out the security update train with 13 new security notes and five updates to previous notes. Seven of these get a critical severity rating of 10 out of 10, while five deal with log4j fixes: two new and three updates to the December 2021 patches.
Three of these vulnerabilities affect SAP’s Internet Communication Manager, a core part of SAP’s software. The company itself describes them as critical memory corruption bugs. Additionally, the US CISA published an alert on Tuesday warning that these vulnerabilities can leave organisations open to data theft, fraud, business disruption and ransomware.