Microsoft Fixes Bugs, Two Zero-Days With December Patch Tuesday Update

Microsoft released its final security update of 2022 on Tuesday, and it features fixes for two zero-day vulnerabilities, and for a total of 49 flaws.

According to Bleeping Computer, the December patch update fixed vulnerabilities that are considered as critical because they allow remote code executions.

The Latest Security Patch Rollout Addresses Fewer Bugs Than In Recent Months

During December, Microsoft launches typically fewer updates and patches than any other months, and this year, it has the smallest monthly release for the company.

This month's security update prioritized the CVE-2022-44698 vulnerability, which is a flaw that lets attackers create a malicious file to evade Mark of The Web (MOTW) defenses.

This results in a limited loss of integrity and availability of security features like the Protected View in Microsoft Office.

Tech Target says that the main purpose of this flaw is to let threat actors bypass the reputation check, which lets them deliver phishing prompts easily.

The danger of this flaw is that it can be hosted by a hacker on a website or send it to users' emails or instant messaging to convince them to click on whatever link they provide.

The second vulnerability addressed is the CVE-2022-44710, which can be found in the DirectX Graphics Kernel in Windows 11.

This vulnerability can lead to a full access of a computer system if hackers are able to exploit it, but luckily, there has not been a report of this happening yet.

Read More:

Microsoft Provides A List Of Other Critical Vulnerabilities Addressed By The New Patch

Along with these two, which are the main concerns that Microsoft addressed with the December patch, are other critical items including the following:

• CVE-2022-41127: Remote code execution vulnerability in Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (on premises).

• CVE-2022-44693: Remote code execution vulnerability in Microsoft SharePoint Server.

• CVE-2022-44690: Remote code execution vulnerability in Microsoft SharePoint Server.

• CVE-2022-41076: Remote code execution vulnerability in PowerShell.

• CVE-2022-44670:  Remote code execution vulnerability in Windows Secure Socket Tunneling Protocol (SSTP).

• CVE-2022-44676:  Remote code execution vulnerability in Windows Secure Socket Tunneling Protocol (SSTP).

According to Tech Target, the December security patch, while small and low-key, addresses browser-based vulnerabilities that make Windows users easy to target.

This is the reason users should always make sure that their browsers are always up to date whenever a Windows maintenance is happening.

Many companies are worried that crime organizations are targeting computers through their web browsers especially during the holidays.

This is why the December security patch Windows provided came just about the right time to try and solve everything that may compromise users' safety given the specific risks.

Additionally, Bleeping Computer lists the number of bugs in each vulnerability category below:

• 19 Elevation of Privilege Vulnerabilities

• 2 Security Feature Bypass Vulnerabilities

• 23 Remote Code Execution Vulnerabilities

• 3 Information Disclosure Vulnerabilities

• 3 Denial of Service Vulnerabilities

• 1 Spoofing Vulnerability

Aside from this, Redmond Mag reports that the launch of the final patch for Windows in 2022 also signaled the official loss of support for Windows 10 version 21H1.

With this, devices with this version of Windows will not receive new updates anymore, which is why users are advised to migrate to newer versions of Windows.

Related Article: