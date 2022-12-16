



Microsoft marked the last Patch Tuesday of the year by rolling out patches for 52 vulnerabilities. Meanwhile, Apple also revealed details of an actively exploited zero-day iOS vulnerability that was fixed in an update two weeks ago.

While December’s patch load is the lowest of the year, 2022’s cumulative total of over 1,250 fixes is the company’s second-highest annual patch load. This is the last Patch Tuesday of 2022, and while it’s not nearly as major as last month’s update, it is still finishing the year off with a bang, HighGround.io CEO Mark Lamb tells Spiceworks.

It includes two zero-days and six critical flaws that give criminals remote code execution, privileged access, denial of service, and more. That makes this a major update, and organizations should patch as soon as possible.

Of the 53 patches released in the December Patch Tuesday run, 6 were rated Critical, 43 were rated Important, and 3 were rated Moderate. Microsoft also fixed two zero-day vulnerabilities, one of which was being actively exploited.

Let’s take a look at some of the most important ones highlighted by the experts.

Zero-day vulnerability fixes in December Patch Tuesday

CVE-2022-44698

CVE-2022-44698 falls into the medium severity category with a CVSS score of 5.4, but it is being actively exploited, so patching this bug should be a priority. The CVSS risk score for this zero-day is a moderate 5.4 because it only helps evade the Microsoft Defender SmartScreen defense mechanism and has no RCE or DoS capability, Mike Walters, vice president of vulnerability and threat research at Action1, told Spiceworks.

This is a Windows SmartScreen security feature bypass flaw in all OS versions starting with Windows 7 and Windows Server 2008 R2. The vulnerability has low complexity, uses the network vector, and does not require privilege escalation, Walters added.

However, user interaction is required. To exploit the security feature bypass, attackers must use phishing emails and other forms of social engineering to trick victims into visiting a malicious website. Attackers can craft malicious files that circumvent Mark of the Web (MOTW) defenses. The result is a limited loss of integrity and availability of security features that rely on MOTW tagging, such as Protected View in Microsoft Office.

Peter Pflaster, Technical Product Marketing Manager at Automox, told Spiceworks that neither of them has a particularly high CVSS score, but patching within 24 hours is recommended, as a socially engineered user could open a malicious file that bypasses the Mark of the Web security feature.

A proof of concept for CVE-2022-44698 has not yet been published.

The second zero-day bug Microsoft fixed in December was CVE-2022-44710, an elevation of privilege vulnerability in the DirectX Graphics Kernel. CVE-2022-44710 has a CVSS score of 7.8.

Successful exploitation of CVE-2022-44710 requires an attacker to win a race condition, after which the attacker could gain SYSTEM privileges.

Critical Vulnerability Patches for December Patch Tuesday

Microsoft fixed two vulnerabilities in SharePoint, tracked as CVE-2022-44690 and CVE-2022-44693.

CVE-2022-44690 and CVE-2022-44693 (CVSS score 8.8) are both remote code execution vulnerabilities affecting all SharePoint versions starting with MS SharePoint Enterprise Server 2013 SP 1.

This [CVE-2022-44693] has low complexity, uses the network vector, and does not require privilege escalation. To exploit it, Walters said, all an attacker needs is access to a basic user account with the Manage Lists privilege, which most companies grant to all SharePoint users by default. This vulnerability does not require user interaction. Once an attacker has the proper credentials, they can remotely execute code on the target SharePoint server.

CVE-2022-41089 (CVSS score 8.8) affects .NET Framework versions 3.5 through 4.8. Walters explained that it has low complexity, uses the network vector, and does not require privilege escalation. Walters said the only reason Microsoft didn’t assign a score of 10 is that the user would have to interact with the attacker’s environment in some way, such as visiting a malicious site.

CVE-2022-41076 (CVSS score 8.5) is an RCE flaw in Windows PowerShell that has low attack complexity and requires no user interaction. CVE-2022-41076 affects PowerShell 7.2 and 7.3, and certain Windows (7, 8.1, 10, and 11) and Windows Server versions.

By executing a malicious script via PowerShell, a malicious actor can leverage an authenticated user to trigger this vulnerability without needing administrator or other elevated privileges. An authenticated attacker could execute unauthorized commands on a targeted system, Gina Geisel, product marketing manager at Automox, told Spiceworks.

iOS vulnerability fix

In addition to the December Patch Tuesday update, Apple also revealed an actively exploited zero-day iOS vulnerability. Apple fixed the vulnerability through a patch update to iOS 16.1.2 a few weeks ago.

Apple says it is aware of reports that this issue may have been actively exploited against versions of iOS released prior to iOS 15.1.

A security flaw (CVE-2022-42856) discovered by Clément Lecigne of Google’s Threat Analysis Group affected WebKit, the web rendering engine that powers the Safari browser and other apps. Processing maliciously crafted web content may lead to arbitrary code execution.

CVE-2022-42856 is the tenth zero-day vulnerability discovered in Apple devices in 2022.

According to Apple, CVE-2022-42856 only works on iOS 15.1 and earlier versions. Nonetheless, the company has rolled out security updates for nearly all devices. The latest devices require the following OS versions: .2.

Source: https://www.spiceworks.com/it-security/vulnerability-management/news/microsoft-december-patch-tuesday-updates/