Microsoft Closes Six Critical Security Gaps
The December patchday also brings a fix for a zero-day vulnerability. In total, Microsoft eliminates 56 vulnerabilities. Windows, Edge, Office, SharePoint, Azure and Hyper-V are among those affected.
Microsoft has released the updates for the last Patch Tuesday of 2022. A total of 56 vulnerabilities affect Microsoft products such as Windows and Office, six of them rated as critical. One vulnerability is already being actively exploited by attackers.
The zero-day vulnerability is in the Windows SmartScreen security feature. According to the company, the flaw can be exploited with a specially crafted file that bypasses the Mark of the Web protection mechanism: Windows does not recognize that the file actually comes from an untrusted source and therefore does not warn before it is executed.
However, an attacker first has to lure a victim to a website under their control. Alternatively, the attacker can send an email containing a specially crafted URL that points to a manipulated file. Such a file could also be hosted on a legitimate service such as Microsoft OneDrive or Google Drive.
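The Mark of the Web that the bypass defeats is stored on NTFS as an alternate data stream named `Zone.Identifier`, a small INI-style block whose `ZoneId` tells Windows which security zone the file came from. The following script is an added example for defenders and is not code from the article or from Microsoft: it parses that stream, classifies a file as trusted, untrusted or unmarked, and can read the stream directly on Windows by opening `<path>:Zone.Identifier`. The sample streams, URLs and the `classify` verdict labels are constructed for this example.

```python
"""Check whether a downloaded file still carries the Mark of the Web (MotW).

Windows keeps the MotW in an NTFS alternate data stream called
"Zone.Identifier" with INI-style content such as:

    [ZoneTransfer]
    ZoneId=3
    ReferrerUrl=https://example.test/
    HostUrl=https://example.test/report.docx

ZoneId 3 (Internet) and 4 (Restricted Sites) are the zones on which
SmartScreen and Office Protected View act. A file with no stream at all,
or with an unreadable stream, is treated as unmarked, which is exactly the
state a MotW bypass tries to produce.
"""
import configparser
from dataclasses import dataclass
from typing import Optional

# URLMON security zone ids (well known values, listed here for readability).
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"unknown ({self.zone_id})")

    @property
    def is_untrusted(self) -> bool:
        # Internet and Restricted Sites are the zones that trigger warnings.
        return self.zone_id >= 3


def parse_zone_identifier(stream: str) -> Optional[MarkOfTheWeb]:
    """Parse the text of a Zone.Identifier stream; None if no usable zone is present."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(stream)
    except configparser.Error:
        # Not an INI block at all (e.g. truncated or tampered stream).
        return None
    if not parser.has_section("ZoneTransfer"):
        return None
    section = parser["ZoneTransfer"]
    try:
        zone_id = int(section.get("ZoneId", "").strip())
    except ValueError:
        return None
    return MarkOfTheWeb(zone_id, section.get("ReferrerUrl"), section.get("HostUrl"))


def read_motw(path: str) -> Optional[MarkOfTheWeb]:
    """Read the Zone.Identifier ADS of a file on NTFS (Windows); None if absent."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        # No stream (stripped, non-NTFS volume, or not running on Windows).
        return None


def classify(stream: Optional[str]) -> str:
    """Triage verdict for a file given its Zone.Identifier content (None = no stream)."""
    motw = parse_zone_identifier(stream) if stream is not None else None
    if motw is None:
        return "no-motw"
    return "untrusted" if motw.is_untrusted else "trusted"


# Constructed sample streams for this example; not captured from a real system.
SAMPLES = {
    "browser_download": "[ZoneTransfer]\r\nZoneId=3\r\n"
                        "ReferrerUrl=https://example.test/\r\n"
                        "HostUrl=https://example.test/report.docx\r\n",
    "intranet_share": "[ZoneTransfer]\r\nZoneId=1\r\n",
    "stripped": None,
    "garbage": "not an ini file",
}

if __name__ == "__main__":
    for name, stream in SAMPLES.items():
        print(f"{name:18s} -> {classify(stream)}")
```

A file that arrived from the internet but classifies as `no-motw` is the condition worth alerting on in a download or mail-gateway pipeline, since it means the zone marker was never written or was stripped on the way.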
Remote execution of malicious code
The six critical vulnerabilities each allow malicious code to be injected and executed remotely; they affect Windows, SharePoint Server, Dynamics 365 Business Central and Dynamics NAV. The remaining vulnerabilities affect the .NET Framework, Azure, Office, OneNote, Outlook, Visio, Hyper-V, Edge, Microsoft's Bluetooth drivers and various Windows components such as the kernel, PowerShell, DirectX, the print spooler and the Windows Subsystem for Linux.
As always, the patches are distributed via Windows Update. Users of Windows 10 and Windows 11 receive the monthly cumulative update, which contains non-security bug fixes in addition to the security patches. The updates can also be obtained from the Microsoft Update Catalog or via Windows Server Update Services (WSUS).