The February 2022 Security Update Review

February 08, 2022 | Dustin Childs

It’s the second patch Tuesday of 2022, which means the latest security updates from Adobe and Microsoft are here. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for February 2022

For February, Adobe released five bulletins addressing 17 CVEs in Adobe Illustrator, Creative Cloud Desktop, After Effects, Photoshop, and Premiere Rush. Two of these 17 were reported by ZDI Vulnerability Researcher Mat Powell. The update for Illustrator fixes a total of 13 bugs, the most severe of which could allow arbitrary code execution through either a buffer overflow or an Out-Of-Bounds (OOB) Write. The patch for Creative Cloud Desktop also fixes a single, Critical-rated code execution bug.

The theme of Critical-rated code execution bugs continues with the fix for After Effects. This patch addresses an OOB write bug that exists within the parsing of 3GP files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. The final Critical-rated patch from Adobe this month fixes a buffer overflow in Photoshop that could allow code execution.

The only Moderate-rated patch this month is the update for Premiere Rush. This patch fixes a bug that exists within the parsing of JPEG images. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.

Microsoft Patches for February 2022

For February, Microsoft released 51 new patches addressing CVEs in Microsoft Windows and Windows Components, Azure Data Explorer, Kestrel Web Server, Microsoft Edge (Chromium-based), Windows Codecs Library, Microsoft Dynamics, Microsoft Dynamics GP, Microsoft Office and Office Components, Windows Hyper-V Server, SQL Server, Visual Studio Code, and Microsoft Teams. A total of five of these bugs came through the ZDI program. This is in addition to the 19 CVEs patched by Microsoft Edge (Chromium-based) earlier this month, which brings the February total to 70 CVEs.

This volume is in line with February releases from previous years, which (apart from 2020) tend to be around 50 CVEs. What’s more curious about this release is the complete lack of Critical-rated patches. Of the patches released today, 50 are rated Important and one is rated Moderate in severity. It may have happened before, but I can’t find an example of a monthly release from Microsoft that doesn’t include at least one Critical-rated patch. It certainly hasn’t happened in recent memory. Interestingly, Microsoft has chosen to provide some additional explanations of CVSS ratings in this month’s release, but there are still many details about the bugs themselves that are left obscured.

None of the bugs are listed as under active exploit this month, while one is listed as publicly known at the time of release. Last month, Microsoft also initially listed the release as having no active attacks only to revise CVE-2022-21882 two days post release to indicate “Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.” We’ll update this blog should they change their mind this month as well.

Let’s take a closer look at some of the more interesting updates for this month, starting with a significant bug in the Windows DNS Server:

-       CVE-2022-21984 – Windows DNS Server Remote Code Execution Vulnerability
This patch fixes a remote code execution bug in the Microsoft DNS server. The server is only affected if dynamic updates are enabled, but this is a relatively common configuration. If you have this setup in your environment, an attacker could completely take over your DNS and execute code with elevated privileges. Since dynamic updates aren’t enabled by default, this doesn’t get a Critical rating. However, if your DNS servers do use dynamic updates, you should treat this bug as Critical.
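To find out whether you are in the affected configuration, the following PowerShell is an added example (my code, not part of the original post or anything published by ZDI or Microsoft). It uses the DnsServer module's Get-DnsServerZone cmdlet to list the primary zones on one or more Windows DNS servers that accept dynamic updates, which is the setup the post says to treat as Critical. It assumes the RSAT DNS Server tools are installed and that you have rights to query the target servers; the server list is the only input. One caveat worth knowing: the "not enabled by default" statement applies to standalone zones, while zones stored in Active Directory are normally created with secure dynamic updates turned on, so domain controllers that also run DNS will usually show up in this list.

```powershell
# Added example, not from the original post: enumerate zones on Windows DNS servers
# that accept dynamic updates, i.e. the configuration under which CVE-2022-21984
# is exploitable. Requires the DnsServer RSAT module and query rights on each server.
param(
    # Servers to inspect; defaults to the local machine.
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

foreach ($server in $ComputerName) {
    # Only primary zones accept dynamic updates directly; secondary, stub and
    # forwarder zones do not, and auto-created zones (e.g. the loopback reverse
    # zones) are never updated dynamically, so both are filtered out.
    Get-DnsServerZone -ComputerName $server |
        Where-Object {
            -not $_.IsAutoCreated -and
            $_.ZoneType -eq 'Primary' -and
            $_.DynamicUpdate -ne 'None'
        } |
        Select-Object @{ Name = 'Server'; Expression = { $server } },
                      ZoneName,
                      IsDsIntegrated,      # AD-integrated zones default to 'Secure'
                      DynamicUpdate        # 'Secure' or 'NonsecureAndSecure'
}
```

Zones reporting NonsecureAndSecure deserve the first look, because any host that can reach the server can send an update to them; Secure restricts updates to authenticated Active Directory principals, which narrows the pool of potential attackers but still leaves the server in the affected configuration until it is patched.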

-       CVE-2022-23280 – Microsoft Outlook for Mac Security Feature Bypass Vulnerability
This Outlook bug could allow images to appear in the Preview Pane automatically, even if this option is disabled. On its own, exploiting this would only expose the target's IP address to the server hosting the image. However, it’s possible a second bug affecting image rendering could be paired with this one to achieve remote code execution. If you are using Outlook for Mac, double-check that your version has been updated to an unaffected one.

-       CVE-2022-21995 – Windows Hyper-V Remote Code Execution Vulnerability
This patch fixes a guest-to-host escape in Hyper-V server. Microsoft marks the CVSS Attack Complexity as High here, stating an attacker “must prepare the target environment to improve exploit reliability.” Since this is the case for most exploits, it’s not clear how this vulnerability is different. If you rely on Hyper-V servers in your enterprise, it’s recommended to treat this as a Critical update.

-       CVE-2022-22005 – Microsoft SharePoint Server Remote Code Execution Vulnerability
This patch fixes a bug in SharePoint Server that could allow an authenticated user to execute arbitrary .NET code on the server under the context and permissions of the service account of the SharePoint Web Application. An attacker would need “Manage Lists” permissions to exploit this. By default, however, authenticated users are able to create their own sites, and in that case the user is the owner of the site and has all the necessary permissions. This case came through the ZDI, and we’ll have additional details out about it in the near future.

Here’s the full list of CVEs released by Microsoft for February 2022:

CVE | Title | Severity | CVSS | Public | Exploited | Type
--- | --- | --- | --- | --- | --- | ---
CVE-2022-21989 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | Yes | No | EoP
CVE-2022-21984 | Windows DNS Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2022-23280 | Microsoft Outlook for Mac Security Feature Bypass Vulnerability | Important | 5.3 | No | No | SFB
CVE-2022-21995 | Windows Hyper-V Remote Code Execution Vulnerability | Important | 7.9 | No | No | RCE
CVE-2022-22005 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2022-21986 | .NET Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2022-23256 | Azure Data Explorer Spoofing Vulnerability | Important | 8.1 | No | No | Spoofing
CVE-2022-21844 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-21926 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-21927 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-21957 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE
CVE-2022-23271 | Microsoft Dynamics GP Elevation Of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2022-23272 | Microsoft Dynamics GP Elevation Of Privilege Vulnerability | Important | 8.1 | No | No | EoP
CVE-2022-23273 | Microsoft Dynamics GP Elevation Of Privilege Vulnerability | Important | 7.1 | No | No | EoP
CVE-2022-23274 | Microsoft Dynamics GP Remote Code Execution Vulnerability | Important | 8.3 | No | No | RCE
CVE-2022-23269 | Microsoft Dynamics GP Spoofing Vulnerability | Important | 6.9 | No | No | Spoofing
CVE-2022-23262 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important | 6.3 | No | No | EoP
CVE-2022-23263 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important | 7.7 | No | No | EoP
CVE-2022-22716 | Microsoft Excel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2022-22004 | Microsoft Office ClickToRun Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-22003 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-23252 | Microsoft Office Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2022-21988 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-23255 | Microsoft OneDrive for Android Security Feature Bypass Vulnerability | Important | 5.9 | No | No | SFB
CVE-2022-23254 | Microsoft Power BI Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP
CVE-2022-21968 | Microsoft SharePoint Server Security Feature Bypass Vulnerability | Important | 4.3 | No | No | SFB
CVE-2022-21987 | Microsoft SharePoint Server Spoofing Vulnerability | Important | 8.0 | No | No | Spoofing
CVE-2022-21965 | Microsoft Teams Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2022-22715 | Named Pipe File System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-21974 | Roaming Security Rights Management Services Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-23276 | SQL Server for Linux Containers Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-21991 | Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability | Important | 8.1 | No | No | RCE
CVE-2022-22709 | VP9 Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-21996 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-22710 | Windows Common Log File System Driver Denial of Service Vulnerability | Important | 5.5 | No | No | DoS
CVE-2022-21981 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-22000 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-21998 | Windows Common Log File System Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2022-21994 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-22712 | Windows Hyper-V Denial of Service Vulnerability | Important | 5.6 | No | No | DoS
CVE-2022-21992 | Windows Mobile Device Management Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-21997 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP
CVE-2022-21999 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-22717 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.0 | No | No | EoP
CVE-2022-22718 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-22001 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-21985 | Windows Remote Access Connection Manager Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2022-21971 | Windows Runtime Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-21993 | Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability | Important | 7.5 | No | No | Info
CVE-2022-22002 | Windows User Account Profile Picture Denial of Service Vulnerability | Important | 5.5 | No | No | DoS
CVE-2022-23261 | Microsoft Edge (Chromium-based) Tampering Vulnerability | Moderate | 5.3 | No | No | Tampering
CVE-2022-0452 * | Chromium: CVE-2022-0452 Use after free in Safe Browsing | High | N/A | No | No | N/A
CVE-2022-0453 * | Chromium: CVE-2022-0453 Use after free in Reader Mode | High | N/A | No | No | N/A
CVE-2022-0454 * | Chromium: CVE-2022-0454 Heap buffer overflow in ANGLE | High | N/A | No | No | N/A
CVE-2022-0455 * | Chromium: CVE-2022-0455 Inappropriate implementation in Full Screen Mode | High | N/A | No | No | N/A
CVE-2022-0456 * | Chromium: CVE-2022-0456 Use after free in Web Search | High | N/A | No | No | N/A
CVE-2022-0457 * | Chromium: CVE-2022-0457 Type Confusion in V8 | High | N/A | No | No | N/A
CVE-2022-0458 * | Chromium: CVE-2022-0458 Use after free in Thumbnail Tab Strip | High | N/A | No | No | N/A
CVE-2022-0459 * | Chromium: CVE-2022-0459 Use after free in Screen Capture | High | N/A | No | No | N/A
CVE-2022-0460 * | Chromium: CVE-2022-0460 Use after free in Window Dialog | Medium | N/A | No | No | N/A
CVE-2022-0461 * | Chromium: CVE-2022-0461 Policy bypass in COOP | Medium | N/A | No | No | N/A
CVE-2022-0462 * | Chromium: CVE-2022-0462 Inappropriate implementation in Scroll | Medium | N/A | No | No | N/A
CVE-2022-0463 * | Chromium: CVE-2022-0463 Use after free in Accessibility | Medium | N/A | No | No | N/A
CVE-2022-0464 * | Chromium: CVE-2022-0464 Use after free in Accessibility | Medium | N/A | No | No | N/A
CVE-2022-0465 * | Chromium: CVE-2022-0465 Use after free in Extensions | Medium | N/A | No | No | N/A
CVE-2022-0466 * | Chromium: CVE-2022-0466 Inappropriate implementation in Extensions Platform | Medium | N/A | No | No | N/A
CVE-2022-0467 * | Chromium: CVE-2022-0467 Inappropriate implementation in Pointer Lock | Medium | N/A | No | No | N/A
CVE-2022-0468 * | Chromium: CVE-2022-0468 Use after free in Payments | Medium | N/A | No | No | N/A
CVE-2022-0469 * | Chromium: CVE-2022-0469 Use after free in Cast | Medium | N/A | No | No | N/A
CVE-2022-0470 * | Chromium: CVE-2022-0470 Out of bounds memory access in V8 | Low | N/A | No | No | N/A

* Indicates this CVE had previously been released by a 3rd-party and is now being incorporated into Microsoft products.

Looking at the additional remote code execution bugs in this month’s release, the updates for the HEVC and VP9 video extensions stand out. Microsoft indicates the attack vector is local. However, it also states that viewing a specially crafted image file could result in Windows Explorer crashing. If that is the case, it stands to reason the image file could also be hosted on an SMB share, which would make this a remote exploit vector rather than a local one. The updates for these extensions are delivered through the Microsoft Store, so you really only need to verify you have the updated versions unless you are in a disconnected environment.
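Since Store-delivered codecs are easy to lose track of, here is an added PowerShell example (my code, not from the original post, ZDI or Microsoft) that reports the installed versions of the HEVC and VP9 video extensions for every profile on a machine and flags any below a minimum you pass in from the Microsoft advisories for CVE-2022-21844, CVE-2022-21926, CVE-2022-21927 and CVE-2022-22709. The package-name wildcards are an assumption about how the Store names these packages; the minimum versions are deliberately not hardcoded, because the fixed version numbers are not stated in this post.

```powershell
# Added example, not from the original post: check installed Store codec packages
# against the minimum fixed versions from the Microsoft advisories.
param(
    # Take these from the HEVC and VP9 advisories; they are not given in this post.
    [Parameter(Mandatory)][version]$MinHevcVersion,
    [Parameter(Mandatory)][version]$MinVp9Version
)

# Assumption: the Store packages match these wildcards. Adjust if yours differ
# (e.g. the "from Device Manufacturer" HEVC package uses a slightly different name).
$checks = @(
    @{ Pattern = 'Microsoft.HEVCVideoExtension*'; Min = $MinHevcVersion }
    @{ Pattern = 'Microsoft.VP9VideoExtensions*'; Min = $MinVp9Version }
)

foreach ($check in $checks) {
    # -AllUsers needs an elevated session; drop it to inspect only the current profile.
    $packages = Get-AppxPackage -AllUsers -Name $check.Pattern
    if (-not $packages) {
        "{0}: not installed" -f $check.Pattern
        continue
    }
    foreach ($pkg in $packages) {
        $status = if ([version]$pkg.Version -ge $check.Min) { 'OK' } else { 'UPDATE NEEDED' }
        "{0} {1} ({2}): {3}" -f $pkg.Name, $pkg.Version, $pkg.Architecture, $status
    }
}
```

On a connected machine the Store normally updates these packages in the background, so a stale version usually means automatic app updates are disabled or the device has been offline; in a disconnected environment the updated packages have to be obtained and deployed by other means.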

In addition to those already mentioned, there are nine additional remote code execution-related patches this month. There’s an update for Roaming Security Rights Management Services, but Microsoft offers no information on how an attacker could exploit this vulnerability. There are also no details for the Windows Runtime or the Mobile Device Management bugs. If you’re using Windows for MDM, definitely take this update seriously. There are also a few open-and-own Office bugs getting fixed. The RCE bugs are rounded out by updates for Dynamics 365 (on-prem), Dynamics GP, and the Visual Studio Code Remote Development extension.

Speaking of Dynamics GP, there are three patches fixing elevation of privilege (EoP) bugs in the component. Those are three of the 18 EoP patches in this month’s release. This includes an update for the Windows Kernel that is listed as publicly known. The remaining patches are mostly in other Windows components and require a logged-on user to execute a specially crafted program. The other EoP updates that stand out fix vulnerabilities in the Windows Print Spooler. Ever since PrintNightmare, the print spooler has been an attractive target for attackers and researchers alike. Pay special attention to CVE-2022-21999 since it was reported during the Tianfu Cup. Other bugs associated with this contest have been used in active attacks.

Moving on to the Security Feature Bypass (SFB) updates, there are two in addition to the previously mentioned one in Outlook for Mac. The bug in OneDrive for Android requires physical access to an unlocked phone but could allow an attacker to access OneDrive files while bypassing authentication. Really, if an attacker has access to your unlocked Android, this bug is probably the least of your concerns. The SFB for SharePoint is more severe since it could allow an attacker to bypass the blocking of HTTP requests based on IP range.

There are five patches fixing Denial-of-Service (DoS) bugs in this month’s release, and the one for Microsoft Teams stands out. While Microsoft provides no details about the exploit, it does indicate all versions of Teams need an update, including the iOS and Android versions. The DoS in Hyper-V server should also be noted, as successful exploitation could affect the functionality of a Hyper-V host. The DoS vulnerability in .NET affects applications using the Kestrel web server. If you aren’t familiar with it, Kestrel is the cross-platform web server that ships with ASP.NET Core and is used by default. If you’re using Kestrel as an Internet-facing server, definitely apply this patch to prevent a DoS while handling certain HTTP/2 and HTTP/3 requests.

The February release contains three patches for spoofing bugs. There’s a patch for Azure Data Explorer. To receive the update, you will need to restart the Kusto.Explorer application. Dynamics GP receives an update here that could almost be considered code execution. While the vulnerability is in the web server, successful exploitation could allow malicious scripts to execute in the user’s browser on the target machine. And while spoofing bugs in SharePoint usually mean some form of cross-site scripting, the bug getting patched this month is different. An authenticated attacker could manipulate a SharePoint page they control to trick targeted users into sending attacker-controlled requests to the server under the permissions context of the target.

The lone Moderate-rated patch this month addresses a tampering bug in the Edge (Chromium-based) web browser.

No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV990001.

Looking Ahead

The next Patch Tuesday falls on March 8, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!