December 13 was Patch Tuesday, and Microsoft used the opportunity to squash a lot of bugs in Windows and in other “products, features and roles.” The December 2022 Security Updates list includes patches for .NET Framework, Azure, Client Server Run-time Subsystem (CSRSS), Microsoft Office, SysInternals applications, Microsoft Dynamics, and of course many components found in different versions of Windows. The number of bugs fixed with December’s Patch Tuesday totals 49, six of which are rated “Critical,” Microsoft’s highest severity level. The flaws include 19 elevation of privilege vulnerabilities, two security feature bypass vulnerabilities, 23 remote code execution vulnerabilities, three information disclosure vulnerabilities, three denial of service vulnerabilities and one spoofing vulnerability.
Moreover, the latest Patch Tuesday fixes two zero-day flaws. The actively exploited zero day of the month is a Windows SmartScreen Security Feature Bypass Vulnerability (CVE-2022-44698). It can be used to evade Mark of the Web (MOTW) defenses: MOTW is the marker Windows attaches to files downloaded from the internet, and Defender SmartScreen relies on it to show the warning box when a user tries to run an unknown file. Attackers paired the bypass with malicious JavaScript files that run without that warning and install malware fetched from remote servers. The publicly disclosed vulnerability Microsoft addressed is a DirectX Graphics Kernel Elevation of Privilege Vulnerability (CVE-2022-44710), which a malicious actor could exploit to gain SYSTEM privileges after winning a race condition. A complete list of all fixed vulnerabilities and advisories has been published by Bleeping Computer and is available here. Windows Security Updates for the month are already available through the official Windows Update service, update management systems such as WSUS, and as direct downloads from the Microsoft Update Catalog. Other companies releasing their security updates in sync with Microsoft’s Patch Tuesday include Cisco, Citrix, Fortinet, Google, and SAP.
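As an added example (not part of the original article or of any Microsoft tooling), the PowerShell below shows the two checks a Windows administrator would want after reading about CVE-2022-44698: it reads the Zone.Identifier alternate data stream that carries Mark of the Web on downloaded script files, reporting which ones SmartScreen would and would not warn about, and it confirms whether a given cumulative update is installed. The folder, the script extensions scanned, and the KB number are assumptions; look up the KB for your own Windows build in the Microsoft Update Catalog.

```powershell
# Added example, not from the original page. Inspect Mark of the Web (MOTW) on
# downloaded script files and confirm a Patch Tuesday cumulative update is present.
# MOTW is stored in the Zone.Identifier alternate data stream of the file:
#   [ZoneTransfer]
#   ZoneId=3          (3 = Internet zone, 4 = Restricted sites)
#   ReferrerUrl=...
#   HostUrl=...
# Defender SmartScreen only shows its warning for files that carry this marker.

param(
    # Folder to scan (assumption: browser downloads land here).
    [string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'),
    # KB of the cumulative update to verify. Placeholder value (assumption);
    # take the real one for your build from the Microsoft Update Catalog.
    [string]$KB = 'KB5021233'
)

# Script host extensions commonly abused as standalone droppers (assumption).
$ScriptExtensions = @('.js', '.jse', '.wsf', '.vbs', '.hta')

function Get-Motw {
    param([Parameter(Mandatory)][string]$Path)
    # -Stream reads the alternate data stream; if it is missing the file has no MOTW.
    try {
        $lines = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        return $null
    }
    $info = @{}
    foreach ($line in $lines) {
        if ($line -match '^(\w+)=(.*)$') { $info[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]@{
        Path        = $Path
        ZoneId      = if ($info.ContainsKey('ZoneId')) { [int]$info['ZoneId'] } else { -1 }
        ReferrerUrl = $info['ReferrerUrl']
        HostUrl     = $info['HostUrl']
    }
}

Write-Host "Scanning $Folder for script files and their MOTW state..."
Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $ScriptExtensions -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $motw = Get-Motw -Path $_.FullName
        if ($null -eq $motw) {
            # No Zone.Identifier stream: SmartScreen has nothing to key on, so no warning.
            Write-Host ("{0}`n    NO MOTW - SmartScreen will not warn before this runs" -f $_.FullName)
        } else {
            Write-Host ("{0}`n    ZoneId={1} Referrer={2} Host={3}" -f `
                $_.FullName, $motw.ZoneId, $motw.ReferrerUrl, $motw.HostUrl)
        }
    }

# Patch check: Get-HotFix lists installed updates by KB identifier.
if (Get-HotFix -Id $KB -ErrorAction SilentlyContinue) {
    Write-Host "$KB is installed."
} else {
    Write-Host "$KB not found - install it via Windows Update, WSUS or the Update Catalog."
}
```

Run it as the user whose downloads you want to inspect; alternate data streams are per-file NTFS metadata, so a file copied to a FAT-formatted USB stick or extracted by an archiver that does not propagate the stream will legitimately show up without MOTW. The bypass fixed this month is different: the file keeps its MOTW, but SmartScreen fails to act on it, which is why the patch check matters more than the stream check.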