No Critical Bugs for Microsoft February 2022 Patch Tuesday, 1 Zero-Day
Oh, blessed day: Microsoft's Patch Tuesday is a featherweight in comparison to some of its not-atypical, 10-ton security updates, with just 51 patches - none of them rated critical.
February's patch-a-palooza is light not just in number of CVEs, but also in that it comes with nary a single patch that's labeled critical.
"It may have happened before, but I can't find an example of a monthly release from Microsoft that doesn't include at least one critical-rated patch," Childs wrote in ZDI's Patch Tuesday analysis.
It follows the big batch that Microsoft baked for its January 2022 Patch Tuesday, when it addressed a total of 97 security vulnerabilities, including nine critical CVEs - one of which is a self-propagator with a 9.8 CVSS score, and six of which were listed as publicly known zero-days.
CVE-2022-21995 - Windows Hyper-V Remote Code Execution Vulnerability: "This patch fixes a guest-to-host escape in Hyper-V server. Microsoft marks the CVSS exploit complexity as high here, stating an attacker, 'must prepare the target environment to improve exploit reliability.' Since this is the case for most exploits, it's not clear how this vulnerability is different. If you rely on Hyper-V servers in your enterprise, it's recommended to treat this as a critical update."
Apply Patches ASAP
Although no critical CVEs or active exploits were called out in the February Patch Tuesday release, security pros recommended, as they always do, that the patches be applied as soon as possible.
News URL
https://threatpost.com/microsoft-february-patch-tuesday-zero-day/178286/
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-02-09 | CVE-2022-21995 | Windows Hyper-V Remote Code Execution Vulnerability (Microsoft, high complexity) | 7.9 |