Microsoft Patch Tuesday fixes Windows 11 system reset bug
A host of fixes are available to Windows administrators as Microsoft patches three critical RCE flaws
Microsoft has released this month’s batch of patches for Windows security flaws, fixing a bug found in February that prevented some users from erasing all their files after a system reset.
The Windows manual reset option is designed to effectively restore a device to its factory-shipped settings, removing user data. Microsoft published a workaround at the time, but the updates to Windows 11 and Windows 10 released on Tuesday will eliminate the bug, though Microsoft did say it may take up to seven days for the changes to take effect.
A total of 92 vulnerabilities were patched across Windows and other Microsoft products, including three critical-rated remote code execution (RCE) vulnerabilities and three security feature bypass flaws.
Two of the critical-rated flaws affected Video Extensions for advertisements, tracked as CVE-2022-24501 and CVE-2022-22006, and both could be exploited to achieve RCE with a ‘low’ attack complexity.
In both cases, an attacker would need to convince a user to download a specially crafted file that would lead to a crash. Successful attackers would also need local access to a victim’s machine, either via its mouse and keyboard or a secure shell connection (SSH).
The other critical flaw, tracked as CVE-2022-23277, is a remote code execution vulnerability in Microsoft Exchange Server with a low degree of attack complexity and low privileges required to exploit. In all three cases, there is no known exploit code available, but patching is still recommended, especially for security vulnerabilities of this severity.
“The vulnerability most likely to raise eyebrows this month is CVE-2022-23277, a Critical RCE affecting Exchange Server,” said Greg Wiseman, lead product manager at Rapid7.
“Thankfully, this is a post-authentication vulnerability, meaning attackers need credentials to exploit it. Although passwords can be obtained via phishing and other means, this one shouldn’t be as rampantly exploited as the deluge of Exchange vulnerabilities we saw throughout 2021. Exchange administrators should still patch as soon as reasonably possible.”
A total of 29 RCE vulnerabilities were addressed in Microsoft’s March ‘Patch Tuesday’, and three of the total 92 flaws had been previously disclosed.
Of these three previously known issues, both CVE-2022-21990 and CVE-2022-24459, RCE and privilege escalation vulnerabilities respectively, have known proofs-of-concept (PoC) available but no exploitation has been observed in the wild.
The final known vulnerability was an RCE flaw affecting .NET and Visual Studio; this has also now been patched but no PoC code is thought to have been developed, Microsoft said. It would be difficult to exploit this vulnerability alone, and would be more likely used as part of a chained attack, it added.
Other vulnerabilities such as privilege escalation, security feature bypass, information disclosure, denial of service, and spoofing flaws were also found across Microsoft’s products. All updates are available in the Microsoft Update Catalog now.