Microsoft Building
News

Microsoft fixed 71 vulnerabilities and three 0-day bugs in its products

Jim Koohyar Biniyaz
Microsoft Building

This week, Microsoft released the March patch kit and fixed three zero-day vulnerabilities, fixing a total of 71 vulnerabilities in its products (not counting 21 vulnerabilities in Microsoft Edge).

One of the biggest issues this month is the RCE vulnerability in Microsoft Exchange Server, identified as CVE-2022-23277 . This bug reportedly allows an authenticated user to “run malicious code in the context of a server account through a network call.” Sophos Lab experts note :

“Given the pattern we’ve seen recently with respect to attacks on other Exchange vulnerabilities, the critical severity and nature of this vulnerability makes this one requiring patching as soon as possible.”

Two other critical RCE bugs fixed this month affect Microsoft Video Extensions. One of them,  CVE-2022-24501 , has been found in the VP9 Video Extensions app available from the Microsoft Store. An attacker can convince a user to open a malicious video file, which will eventually lead to the execution of the code hidden in the video. Similarly,  CVE-2022-22006  is a remote code execution vulnerability in HEVC Video Extensions that can be exploited in a similar way.

In addition, Microsoft has released fixes for  a number of other products including Office, Windows, Internet Explorer, Defender, and Azure Site Recovery. Zero Day Initiative experts, who have traditionally  published a review of the fixed bugs, highlight the following among them:

  • CVE-2022-21990 : Remote code execution. It is possible to hijack someone else’s PC through an RDP client when connected to a malicious server. Details about this vulnerability are already publicly available and, according to the Zero Day Initiative, the bug should be considered critical.
  • CVE-2022-24508 : Remote code execution. An authenticated user can execute malicious code on Windows 10 version 2004 and later through SMBv3. Experts also advise considering this problem critical.
  • CVE-2022-24512 : Remote code execution in .NET and Visual Studio. The details of the bug are public.

It should also be noted that other larger companies have introduced updates for their products, including:

  • Google  introduced the March security updates for Android;
  • Cisco  has released updates for many products, including Cisco Cisco FXOS and NX-OS, StarOS, and Cisco Application Policy Infrastructure Controller;
  • Adobe has fixed arbitrary code execution and memory leak vulnerabilities.

Weekly Updates For Our Loyal Readers!

Share this Article
Lost your password?