Microsoft’s monthly patch drop covers 74 vulnerabilities, including seven that are rated critical and one lower-rated bug that has exploits in the wild.
The company has also upgraded a previously-disclosed vulnerability to critical after an IBM researcher demonstrated an exploit for it.
The critical vulnerabilities in the Patch Wednesday release include a .NET remote code execution (RCE) vulnerability, CVE-2022-41089, for which little detail is offered.
SharePoint Server has been patched for two critical vulnerabilities: CVE-2022-44690, which allows an authenticated attacker to execute code remotely if they have Manage List permissions, and CVE-2022-44693.
There’s also an RCE in PowerShell, CVE-2022-41076.
Microsoft’s advisory stated that while any authenticated user can exploit the bug, it “requires an attacker to take additional actions prior to exploitation to prepare the target environment."
“An authenticated attacker could escape the PowerShell Remoting Session Configuration and run unapproved commands on the target system.”
The other critical vulnerabilities are CVE-2022-41127, which affects Dynamics NAV and Dynamics 365 Business Central (on-premises); and two RCEs in the Windows Secure Socket Tunnelling Protocol, CVE-2022-44676 and CVE-2022-44670.
Old vulnerability re-rated
Microsoft has also upgraded a vulnerability first divulged in September to a critical rating.
CVE-2022-37958 is an RCE in the SPNEGO Extended Negotiation (NEGOEX) security mechanism.
IBM X-Force security researcher Valentina Palmiotti posted an exploit demonstration on
Twitter, saying the vulnerability is “reachable via any Windows application protocol that authenticates. Yes, that means RDP, SMB and many more.”