Security News > 2022 > March > March 2022 Patch Tuesday: Microsoft fixes RCEs in RDP client, Exchange Server
Microsoft marks March 2022 Patch Tuesday with patches for 71 CVE-numbered vulnerabilities, including three previously unknown "Critical" ones and three "Important" ones that were already public.
"If an attacker can lure an affected RDP client to connect to their RDP server, the attacker could trigger code execution on the targeted client," says Dustin Childs, with Trend Micro's Zero Day Initiative.
Among the critical vulnerabilities, a RCE in Microsoft Exchange Server also deserves immediate attention.
CVE-2022-22006 and CVE-2022-24501, two RCEs in the HEVC and VP9 Video Extensions might be critical because of their effect, but the updates for the apps are pushed automatically by the Microsoft Store, so customers needn't worry about patching those - if they haven't disabled automatic updates for the Microsoft Store, that is.
CVE-2022-24508, a Windows SMBv3 Client/Server RCE vulnerability, "Also seems to be one to watch out for, especially as Microsoft has marked it 'exploitation more likely' and provided additional mitigations," says Kevin Breen, Director of Cyber Threat Research at Immersive Labs.
Finally, CVE-2022-23278, a spoofing vulnerability affecting Microsoft Defender for Endpoint for all platforms, deserves a special mention even though attackers must gather information specific to the environment of the targeted component before being able to exploit it.
News URL
https://www.helpnetsecurity.com/2022/03/08/march-2022-patch-tuesday/
Related news
- 'Patch yesterday': Zimbra mail servers under siege through RCE vuln (source)
- Week in review: Critical Zimbra RCE vulnerability exploited, Patch Tuesday forecast (source)
- Microsoft October 2024 Patch Tuesday fixes 5 zero-days, 118 flaws (source)
- Microsoft cleans up hot mess of Patch Tuesday preview (source)
- VMware fixes bad patch for critical vCenter Server RCE flaw (source)
- Microsoft SharePoint RCE flaw exploits in the wild – you've had 3 months to patch (source)
- November 2024 Patch Tuesday forecast: New servers arrive early (source)
- Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 91 flaws (source)
- Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws (source)
- Microsoft slips Task Manager and processor count fixes into Patch Tuesday (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-03-09 | CVE-2022-24508 | Unspecified vulnerability in Microsoft products Win32 File Enumeration Remote Code Execution Vulnerability | 8.8 |
| 2022-03-09 | CVE-2022-24501 | Unspecified vulnerability in Microsoft VP9 Video Extensions VP9 Video Extensions Remote Code Execution Vulnerability | 7.8 |
| 2022-03-09 | CVE-2022-23278 | Unspecified vulnerability in Microsoft products Microsoft Defender for Endpoint Spoofing Vulnerability | 5.9 |
| 2022-03-09 | CVE-2022-22006 | Out-of-bounds Write vulnerability in Microsoft Hevc Video Extensions HEVC Video Extensions Remote Code Execution Vulnerability | 7.8 |