This week, Microsoft released its March patch set, fixing three zero-day vulnerabilities and a total of 71 vulnerabilities across its products (not counting 21 vulnerabilities in Microsoft Edge).
One of the biggest issues this month is an RCE vulnerability in Microsoft Exchange Server, tracked as CVE-2022-23277. This bug reportedly allows an authenticated user to "run malicious code in the context of a server account through a network call." SophosLabs experts note:
“Given the pattern we’ve seen recently with respect to attacks on other Exchange vulnerabilities, the critical severity and nature of this vulnerability makes this one requiring patching as soon as possible.”
Two other critical RCE bugs fixed this month affect Microsoft's video extensions. One of them, CVE-2022-24501, was found in the VP9 Video Extensions app available from the Microsoft Store: an attacker who convinces a user to open a malicious video file can get code hidden in that file executed. CVE-2022-22006 is a remote code execution vulnerability in HEVC Video Extensions that is exploited the same way.
In addition, Microsoft released fixes for a number of other products, including Office, Windows, Internet Explorer, Defender, and Azure Site Recovery. Zero Day Initiative experts, who traditionally publish a review of the fixed bugs, highlight the following among them:
- CVE-2022-21990: Remote code execution. A user's PC can be compromised through the RDP client when it connects to a malicious server. Details of this vulnerability are already publicly available and, according to the Zero Day Initiative, the bug should be treated as critical.
- CVE-2022-24508: Remote code execution. An authenticated user can execute malicious code on Windows 10 version 2004 and later through SMBv3. Experts advise treating this problem as critical as well.
- CVE-2022-24512: Remote code execution in .NET and Visual Studio. Details of the bug are public.
It should also be noted that other large companies have released updates for their products this week, including:
- Google released the March security updates for Android;
- Cisco released updates for many products, including Cisco FXOS and NX-OS, StarOS, and Cisco Application Policy Infrastructure Controller;
- Adobe has fixed arbitrary code execution and memory leak vulnerabilities.