
Microsoft Patch Tuesday fixes Windows 11 system reset bug

A host of fixes are available to Windows administrators as Microsoft patches three critical RCE flaws

Microsoft has released this month’s score of patches for Windows security flaws, fixing a bug found in February that prevented some users from erasing all their files after a system reset.

The Windows manual reset option is designed to effectively restore a device to its factory-shipped settings, removing user data. Microsoft published a workaround at the time, but the updates to Windows 11 and Windows 10 released on Tuesday will eliminate the bug, though Microsoft did say it may take up to seven days for the changes to take effect. 

A total of 92 vulnerabilities were patched across Windows and other Microsoft products, including three critical-rated remote code execution (RCE) vulnerabilities and three security feature bypass flaws.

Two of the critical-rated flaws affected Video Extensions for advertisements, tracked as CVE-2022-24501 and CVE-2022-22006, and both could be exploited to achieve RCE with a ‘low’ attack complexity.

In both cases, an attacker would need to convince a user to download a specially crafted file that would lead to a crash. Successful attackers would also need local access to a victim’s machine, either via its mouse and keyboard or a secure shell (SSH) connection.

The other critical flaw, tracked as CVE-2022-23277, is a remote code execution vulnerability in Microsoft Exchange Server with a low degree of attack complexity and low privileges required to exploit. In all three cases, there is no known exploit code available, but patching is still recommended, especially for security vulnerabilities of this severity.

“The vulnerability most likely to raise eyebrows this month is CVE-2022-23277, a Critical RCE affecting Exchange Server,” said Greg Wiseman, lead product manager at Rapid7. 

“Thankfully, this is a post-authentication vulnerability, meaning attackers need credentials to exploit it. Although passwords can be obtained via phishing and other means, this one shouldn’t be as rampantly exploited as the deluge of Exchange vulnerabilities we saw throughout 2021. Exchange administrators should still patch as soon as reasonably possible.”

A total of 29 RCE vulnerabilities were addressed in Microsoft’s March ‘Patch Tuesday’, and three of the total 92 flaws had been previously disclosed. 


Of these three previously known issues, both CVE-2022-21990 and CVE-2022-24459, RCE and privilege escalation vulnerabilities respectively, have known proofs-of-concept (PoC) available but no exploitation has been observed in the wild.

The final known vulnerability was an RCE flaw affecting .NET and Visual Studio; this has also now been patched but no PoC code is thought to have been developed, Microsoft said. It would be difficult to exploit this vulnerability alone, and would be more likely used as part of a chained attack, it added.

Other vulnerabilities such as privilege escalation, security feature bypass, information disclosure, denial of service, and spoofing flaws were also found across Microsoft’s products. All updates are available in the Microsoft Update Catalog now.
