In this month’s Patch Tuesday, Microsoft fixes no fewer than 92 vulnerabilities. Three of them were previously unknown, and three make it possible to run code remotely, so quick patching is recommended.
Microsoft’s monthly update rollup addresses 21 security vulnerabilities in Edge and 71 more in the rest of Windows, operating system components and other software, ranging from Windows Defender to Visual Studio Code, a CD-ROM driver, Windows Kernel, Xbox, Intune, Exchange Server and many others.
Three vulnerabilities, CVE-2022-22006, CVE-2022-24501, and CVE-2022-23277, are classified as “critical” because, among other things, they allow remote code execution, which makes them especially dangerous when it comes to attacks from outside. The rest are labelled “important”.
The list also includes three zero-day vulnerabilities, which are security issues that have not been publicly documented before. These are CVE-2022-21990 (Remote Desktop Client RCE bug), CVE-2022-24459 (Windows Fax and Scan Service EoP bug), and CVE-2022-24512 (.NET and Visual Studio RCE bug). Microsoft expects that the first one, in particular, can be easily abused, so it recommends patching it as soon as possible.
With CVE-2022-21990, it is possible to execute code remotely (remote code execution, or RCE) on the victim’s device via a Remote Desktop connection when that device connects to the attacking server.
The full list of all CVE codes and associated technical information can be found in the Microsoft Security Response Center.