Microsoft on Tuesday released patches for 48 vulnerabilities in seven Microsoft product families. These include six critical issues affecting Microsoft Dynamics, SharePoint, and Windows.
Of the 53 patches released in the December Patch Tuesday run, six are rated critical, 43 are rated important, and three are rated moderately severe. Microsoft also fixed two zero-day vulnerabilities, one of which was under active exploitation.
Among them are RCE vulnerabilities in Microsoft SharePoint Server that both received a CVSSv3 score of 8.8. An authenticated attacker with permission to use Manage Lists in SharePoint could exploit these vulnerabilities to execute code remotely.
“To exploit it, attackers only need access to the basic user account with Manage List permissions, which most companies grant to all SharePoint users by default,” warned Walters.
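Because the SharePoint flaws only require the Manage Lists permission, the practical first step for a defender is to find out who actually holds it. The following PowerShell audit is an added example written for this article; it is not code from Microsoft, Talos, or the vendor advisory. It assumes it is run in the SharePoint Management Shell on an on-premises farm by a farm administrator, and it reports every permission level that includes the Manage Lists base permission together with the users and groups that have been granted such a level on each site with unique permissions.

```powershell
# Added audit example (not from the article or from Microsoft).
# Assumes: on-premises SharePoint farm, run in the SharePoint Management
# Shell as a farm administrator. Nothing below is hard-coded to a real farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# The base permission that the advisory text singles out.
$manageLists = [Microsoft.SharePoint.SPBasePermissions]::ManageLists
$findings = @()

foreach ($site in Get-SPSite -Limit All) {
    foreach ($web in $site.AllWebs) {
        # Permission levels defined on this web that carry Manage Lists.
        # Out of the box, "Edit", "Design" and "Full Control" include it,
        # while "Contribute" and "Read" do not.
        $levelNames = @(
            $web.RoleDefinitions |
                Where-Object { $_.BasePermissions.HasFlag($manageLists) } |
                ForEach-Object { $_.Name }
        )

        # Only inspect webs that do not simply inherit from their parent,
        # so each grant is reported once at the place it is defined.
        if ($web.IsRootWeb -or $web.HasUniqueRoleAssignments) {
            foreach ($ra in $web.RoleAssignments) {
                $granted = @(
                    $ra.RoleDefinitionBindings |
                        Where-Object { $levelNames -contains $_.Name }
                )
                if ($granted.Count -gt 0) {
                    $findings += [pscustomobject]@{
                        WebUrl    = $web.Url
                        Principal = $ra.Member.Name
                        IsGroup   = ($ra.Member -is [Microsoft.SharePoint.SPGroup])
                        Levels    = ($granted | ForEach-Object { $_.Name }) -join ', '
                    }
                }
            }
        }
        $web.Dispose()   # SPWeb objects must be disposed explicitly
    }
    $site.Dispose()
}

# One row per principal that can manage lists on a given web. A default
# "Members" group holding "Edit" on many sites is the pattern the quote
# above describes, and the place to tighten while patches are rolled out.
$findings | Sort-Object WebUrl, Principal | Format-Table -AutoSize
```

The output is meant to be read alongside patch deployment: wide grants of Edit or Design to everyday users are what turn an authenticated RCE into one reachable by almost any account, so entries where `IsGroup` is true and the group is a site-wide members group deserve the first look.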
Talos researchers also pointed out six important vulnerabilities that Microsoft considers to be “more likely” to undergo exploitation:
- CVE-2022-41121: Windows Graphics Component Elevation of Privilege Vulnerability
- CVE-2022-44671: Windows Graphics Component Elevation of Privilege Vulnerability
- CVE-2022-44673: Windows Client Server Run-Time Subsystem (CSRSS) Elevation of Privilege Vulnerability
- CVE-2022-44675: Windows Bluetooth Driver Elevation of Privilege Vulnerability
- CVE-2022-44683: Windows Kernel Elevation of Privilege
Install updates from the vendor’s website.

Vulnerable software versions
Microsoft SharePoint Server Subscription Edition: All versions
Microsoft SharePoint Foundation: 2013 Service Pack 1
Microsoft SharePoint Enterprise Server: 2013 Service Pack 1 – 2016