Microsoft’s Patch Tuesday update for March has been made official, and it includes 71 patches for Windows, Office, Exchange, and Defender, among other Microsoft software products.
Three of the 71 patches are classified as Critical, while the remaining 68 are classified as Important. Three of the vulnerabilities were publicly known at the time of release, although none of them are known to be actively exploited.
It’s worth noting that earlier this month, Microsoft patched 21 security vulnerabilities in the Chromium-based Microsoft Edge browser.
Remote code execution vulnerabilities affecting HEVC Video Extensions (CVE-2022-22006), Microsoft Exchange Server (CVE-2022-23277), and VP9 Video Extensions (CVE-2022-24501) have all been patched this month.
The Microsoft Exchange Server vulnerability, discovered by researcher Markus Wulftange, is notable in that it requires the attacker to be authenticated in order to exploit the server.
Microsoft said: “The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server’s account through a network call.”
Kevin Breen, director of cyber threat research at Immersive Labs, said: “Critical vulnerability CVE-2022-23277 should also be a concern. While requiring authentication, this vulnerability affecting on-prem Exchange servers could potentially be used during lateral movement into a part of the environment which presents the opportunity for business email compromise or data theft from email.”
The three zero-day bugs fixed by Microsoft are CVE-2022-24512 (CVSS score: 6.3), CVE-2022-21990 (CVSS score: 8.8) and CVE-2022-24459 (CVSS score: 7.8).
Since the Proof-of-Concept (PoC) exploit is publicly available, Microsoft has labeled CVE-2022-21990 as “Exploitation More Likely,” making it critical to apply the updates as quickly as possible to avert any attacks.
Other significant flaws include a number of remote code execution vulnerabilities in the Windows SMBv3 Client/Server, Microsoft Office, and Paint 3D, as well as privilege escalation vulnerabilities in Xbox Live Auth Manager, Microsoft Defender for IoT, and Azure Site Recovery.
In total, the patches close out 29 remote code execution flaws, 25 elevation of privilege flaws, six information disclosure flaws, four denial-of-service flaws, three security feature bypass flaws, three spoofing flaws, and one tampering flaw.