Microsoft fixes three zero-days in March Patch Tuesday update

None of the publicly disclosed bugs appears to be actively exploited in attacks

Microsoft has released its March 2022 Patch Tuesday update, addressing a total of 71 security vulnerabilities, including three zero-days.

In addition to these bugs, Microsoft has also fixed 21 security holes in its Chromium-based Edge browser, bringing the total of vulnerabilities fixed this month to 92.

Of all the flaws addressed, three (CVE-2022-22006, CVE-2022-24501 and CVE-2022-23277) are listed as 'critical' as they could allow a malicious actor to remotely execute code on a vulnerable machine.

The rest are 'important' vulnerabilities in terms of severity.

Products impacted by this month's security update include Windows CD-ROM Driver, Microsoft Windows Codecs Library, Paint 3D, .NET and Visual Studio, Azure Site Recovery, Microsoft Defender for IoT, Microsoft Exchange Server, Microsoft Office Visio, Microsoft Office Word, Visual Studio Code, Windows Installer, Windows Kernel, Xbox and others.

The March security update includes patches for 29 remote code execution (RCE) vulnerabilities, 25 elevation of privilege (EoP) bugs, six information disclosure bugs, four denial of service bugs, three spoofing bugs, and three security feature bypass bugs.

The publicly disclosed zero-days fixed this month are CVE-2022-21990 (Remote Desktop Client RCE bug); CVE-2022-24459 (Windows Fax and Scan Service EoP bug); and CVE-2022-24512 (.NET and Visual Studio RCE bug).

While none of them has been used in active attacks, public proof-of-concept (PoC) exploits are available for CVE-2022-21990 and CVE-2022-24459.

Microsoft considers CVE-2022-24512 and CVE-2022-24459 as 'exploitation less likely' bugs, while CVE-2022-21990 is rated as an 'exploitation more likely' vulnerability.

Because CVE-2022-21990 is listed as a publicly known bug, admins are advised to patch the weakness immediately. If a malicious actor can convince a vulnerable RDP client to connect to their RDP server, they will be able to trigger code execution on the targeted client.

CVE-2022-23277, an RCE vulnerability affecting Microsoft Exchange Server, is perhaps the most concerning critical bug fixed this month. This vulnerability could enable an authenticated actor to run code with elevated privileges through a network call, and is definitely one to prioritise.

Another vulnerability of interest that Microsoft believes is more likely to be targeted by threat actors is CVE-2022-24508, an RCE vulnerability impacting Windows SMBv3 Client/Server, the technology that handles file sharing in Windows systems.

Commenting on the March Microsoft Patch Tuesday, Kev Breen, director of cyber threat research at Immersive Labs said: "First, it's good to note that this is another month with no Microsoft vulnerabilities reported as being actively exploited in the wild.

"With the increase in remote working driving the expansion of the attack surface presented by RDP, a trio of RCE vulnerabilities affecting this protocol should be on security teams' radar.

"Critical vulnerability CVE-2022-23277 should also be a concern. While requiring authentication, this vulnerability affecting on-prem Exchange servers could potentially be used during lateral movement into a part of the environment which presents the opportunity for business email compromise or data theft from email.

"Three privilege escalation vulnerabilities, CVE-2022-23286, CVE-2022-24507 and CVE-2022-23299, which could form the connective tissue in any multi-stage attack, are marked as more likely to be exploited and also therefore warrant interest."

Last month, Microsoft addressed a total of 48 security vulnerabilities (not including Microsoft Edge vulnerabilities) - the smallest number of security fixes since August 2021.

The update included a patch for a zero-day bug that was not actively exploited in attacks. No critical-severity flaw was fixed by Microsoft in the February 2022 security update.