
Microsoft's Patch Tuesday fixes 70 vulnerabilities after a troublesome January update

Microsoft will be hoping for a bug-free round of patches after admins complained of January's updates breaking more components than they fixed

Microsoft's latest round of security updates for Windows, commonly referred to as 'Patch Tuesday', has been released, addressing a total of 70 vulnerabilities across Microsoft and Windows products.

The latest round of patches includes fixes for 17 privilege escalation flaws, 16 remote code execution (RCE) issues, 22 Chromium-based Edge browser flaws, and three security feature bypasses, among others.

None of the vulnerabilities is rated critical - categorised by a CVSSv3.1 score of 8.9 or higher - though a significant number have a score of 8.8, just shy of critical status and categorised as 'important'.

There is also no known active exploitation of any of the 70 vulnerabilities fixed by Microsoft at the time of writing, though proof of concept (PoC) code does exist for a small number of them, so businesses should apply the patches regardless of the current level of exploitation.

"It may have happened before, but I can’t find an example of a monthly release from Microsoft that doesn’t include at least one Critical-rated patch," said Dustin Childs at the Zero-Day Initiative. 

"It certainly hasn’t happened in recent memory. Interestingly, Microsoft has chosen to provide some additional explanations of CVSS ratings in this month’s release, but there are still many details about the bugs themselves that are left obscured."

Among the most severe of the 70 bugs addressed in this week's update are issues related to Microsoft SharePoint, an assortment of Windows 10 and Windows Server versions, Azure Data Explorer, and Visual Studio Code.

Patch Tuesday highlights

Windows DNS Server RCE Vulnerability - CVE-2022-21984

Given a score of 8.8/10, this RCE flaw is among the most severe in this week's patch list. Microsoft considers it a low-complexity attack that requires only low privileges to execute and could result in "a total loss of availability": if exploited, the attacker could fully deny access to resources in the impacted component.

Qualys said: "The server is only affected if dynamic updates are enabled, but this is a relatively common configuration. An attacker might entirely take control of your DNS and execute code with elevated privileges if you have this set up in your environment."
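Because the exposure hinges on whether a zone accepts dynamic updates, the first thing an administrator will want is an inventory of that setting. The script below is an added example written for this article, not code from Microsoft or Qualys. It assumes the DnsServer RSAT module is available and that it runs with DNS administrator rights on the server; the cmdlets and the DynamicUpdate property values are real, the report layout is mine.

```powershell
# Added example (not from the article, Microsoft or Qualys): audit every
# primary zone on the local DNS server for its dynamic update setting.
# Assumes the DnsServer module is present and the session has DNS admin rights.
Import-Module DnsServer -ErrorAction Stop

# Skip auto-created zones (0.in-addr.arpa etc.) and secondary/stub copies;
# only primary zones decide whether dynamic updates are accepted.
$zones = Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

$report = foreach ($zone in $zones) {
    # DynamicUpdate is one of: None, Secure, NonsecureAndSecure
    $assessment = switch ($zone.DynamicUpdate) {
        'None'               { 'dynamic updates disabled' }
        'Secure'             { 'dynamic updates enabled (secure/authenticated only)' }
        'NonsecureAndSecure' { 'dynamic updates enabled (unauthenticated updates allowed)' }
        default              { "unexpected value: $($zone.DynamicUpdate)" }
    }
    [pscustomobject]@{
        ZoneName       = $zone.ZoneName
        IsDsIntegrated = $zone.IsDsIntegrated
        DynamicUpdate  = $zone.DynamicUpdate
        Assessment     = $assessment
    }
}

$report | Sort-Object DynamicUpdate -Descending | Format-Table -AutoSize

# Every zone that accepts dynamic updates at all is in scope for this patch;
# flag them so the server can be prioritised in the rollout.
$report | Where-Object { $_.DynamicUpdate -ne 'None' } |
    ForEach-Object { Write-Warning "$($_.ZoneName): $($_.Assessment)" }

# Where dynamic updates are required, AD-integrated zones can be restricted to
# secure (Kerberos-authenticated) updates, which narrows who may send them.
# Review the zone's clients before changing a production setting:
#   Set-DnsServerPrimaryZone -Name 'corp.example' -DynamicUpdate Secure
```

The audit does not replace the update itself; it tells you which servers Qualys's caveat applies to, so that those are patched first and, as a separate hardening decision, whether any zone is accepting unauthenticated updates it does not need.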

Windows Kernel Elevation of Privilege Vulnerability - CVE-2022-21989

Although at the lower end of the severity scores with a CVSSv3.1 rating of 7.8/10, this privilege escalation flaw has PoC code available, which led Microsoft to describe it as more likely to be exploited.

It also noted that this is a high-complexity attack, likely only able to be carried out by a sophisticated threat actor, given that exploitation success depends on conditions beyond the attacker's control.

"A successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected," said Microsoft.

Given the local attack vector, a hacker would need physical access to the target machine via its own connected keyboard and mouse. Alternatively, a remote attack could feasibly work via SSH remote access or by tricking a user into opening a malicious document.

Microsoft SharePoint Server RCE Vulnerability - CVE-2022-22005

Another of the "more likely" vulnerabilities patched in this update is an 8.8/10-rated RCE flaw affecting Microsoft SharePoint Server. It is a low-complexity attack requiring only low privileges; Microsoft said "an attacker can expect repeatable success against the vulnerable component" because no specialised access conditions or extenuating circumstances are required to achieve exploitation.

Windows administrators can access the updates via the Microsoft Update Catalog.

Patch Tuesday problems

January's Patch Tuesday caused something of an uproar among Windows administrators last month, which led many to forgo the myriad security patches released by Microsoft, including fixes for a number of zero-day vulnerabilities.


Online discussions revealed many admins complaining that the updates were breaking core components of their business environments, and some uninstalled the updates entirely to restore normal operation.

Experts at the time commented that security patches are almost always recommended to be applied as soon as they become available, but it "is very much a question of risk management and risk assessment," according to Andy Norton, European cyber risk officer at Armis.

It is not generally advisable to ignore security updates, but if they cause more disruption than the problems they fix, businesses may feel it better to wait a month for a more stable version to be released.

"January’s patch release may have left some IT teams feeling somewhat sour as Microsoft had to re-issue updates to fix some unexpected issues caused by the updates," said Kev Breen, director of cyber threat research at Immersive Labs, to IT Pro in relation to today's patches.

"This should not be used as an excuse to skip updates, but it does reinforce how important it is to test patches in a staging environment or use a staggered rollout, and why monitoring for any adverse impacts should always be a key step in your patching policy."
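Breen's two practical points, a staged rollout and monitoring for adverse impacts, both come down to checks you can run on a pilot ring before widening deployment. The script below is an added example written for this article, not Immersive Labs' or Microsoft's code. It assumes it runs on a Windows machine in the pilot ring with rights to read the System event log; the KB identifier is a placeholder to be replaced with the numbers from Microsoft's release notes, since the article does not list them.

```powershell
# Added example (not from the article, Microsoft or Immersive Labs): confirm what
# landed in the last patch window on a pilot machine and summarise System-log
# errors since then, so regressions show up before the update reaches every ring.
$patchWindowStart = (Get-Date).AddDays(-7)

# PLACEHOLDER: replace with the KB numbers you actually rolled out this month.
$expectedKbs = @('KB0000000')

# Get-HotFix lists installed updates; InstalledOn can be empty for some entries,
# in which case the date comparison simply excludes them.
$installed = Get-HotFix | Where-Object { $_.InstalledOn -ge $patchWindowStart }
$installed | Sort-Object InstalledOn -Descending |
    Format-Table HotFixID, Description, InstalledOn, InstalledBy -AutoSize

# Staged rollout check: which expected updates are still missing on this host?
$missing = $expectedKbs | Where-Object { $_ -notin $installed.HotFixID }
if ($missing) {
    Write-Warning "Not yet installed on $($env:COMPUTERNAME): $($missing -join ', ')"
} else {
    Write-Host "All expected updates present on $($env:COMPUTERNAME)."
}

# Adverse-impact check: Critical (1) and Error (2) events in the System log since
# the patch window. A new provider at the top of this list, or a jump in volume
# compared with the previous week, is the signal to hold the next ring.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Level     = 1, 2
    StartTime = $patchWindowStart
} -ErrorAction SilentlyContinue

if ($events) {
    $events | Group-Object ProviderName | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
} else {
    Write-Host "No Critical/Error System events since $patchWindowStart."
}
```

Run it on the pilot ring a day or two after the update is applied and keep the output alongside the pre-patch baseline; the comparison, rather than any single run, is what tells you whether a wider rollout is safe.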
