December 2022 Patch Tuesday: 10 Critical CVEs, One Zero-Day, One Under Active Attack

Microsoft has released 49 security patches for its December 2022 Patch Tuesday rollout. Of these, 10 vulnerabilities are rated Critical, two are rated Medium and the rest are rated Important. DirectX Graphics Kernel Elevation of Privilege Vulnerability (CVE-2022-44710) is listed as publicly known while Windows SmartScreen Security Feature Bypass Vulnerability (CVE-2022-44698) is listed as actively exploited at the time of release.

CVE-2022-44698 has a 5.4 CVSS. For this bug, a file could be created to circumvent the Mark of the Web detection and therefore bypass security features such as Protected View in Microsoft Office. Considering how many phishing attacks rely on end users working with attachments, these protections are essential to preventing malware and other attacks. 

December 2022 Risk Analysis

This month’s leading risk type is remote code execution at 47%, almost double compared with the November Patch Tuesday release, followed by elevation of privilege at 33% (compared to 40% the previous month). The remaining categories make up 6% or less.

Figure 1. Breakdown of December 2022 Patch Tuesday attack types

The Microsoft Windows product family received the most patches this month (29), followed by Extended Support Updates (16) and Microsoft Office products (14).

Figure 2. Breakdown of product families affected by December 2022 Patch Tuesday

This month, threat actors continued to exploit the vast attack surface that is Windows Print Spooler, now affected by two new bugs. We’ve seen plenty of new patches since PrintNightmare — perhaps we will continue to see new print spooler vulnerabilities in 2023. CVE-2022-44678 and CVE-2022-44681, which have a CVSS of 7.8 and a rating of Important, are being addressed this month. In both cases, the attack vector is Local and user interaction is not required.

Rank CVSS Score CVE Description
Important 7.8 CVE-2022-44678 Windows Print Spooler Elevation of Privilege Vulnerability
Important 7.8 CVE-2022-44681 Windows Print Spooler Elevation of Privilege Vulnerability

Figure 3. Print Spooler vulnerabilities patched in December 2022

See for yourself how the industry-leading CrowdStrike Falcon platform protects against modern threats. Start your 15-day free trial today.

Critical Bugs Affect SSTP, PowerShell and SharePoint Server

For this month’s release, the Critical vulnerability affecting PowerShell stands out. A PowerShell remote code execution vulnerability (CVE-2022-41076) could allow an authenticated user to escape the PowerShell remoting session configuration and run unapproved commands on the targeted system. This could allow threat actors using tools already on a system to maintain access and move laterally throughout the network. 

Next we have two SharePoint server Critical vulnerabilities (CVE-2022-44690 and CVE-2022-44693) both with a CVSS of 8.8 — the highest for this month. In a network-based attack, an authenticated attacker with Manage Lists permissions could execute code remotely on the SharePoint server, gaining the capability to create and delete lists, add or remove columns in a list, and add or remove public views of a list. The attacker must be authenticated to the target site, with the permission to use Manage Lists within SharePoint.

As listed in Figure 4, there are also two Critical vulnerabilities affecting Secure Socket Tunneling Protocol (SSTP). CVE-2022-44670 and CVE-2022-44676 could allow a remote, unauthenticated attacker to execute code on an affected system by sending a specially crafted connection request to a server with the RAS Server role enabled. If you aren’t using this service, consider disabling it, and if you are using it, we suggest applying the patches promptly.

Rank CVSS Score CVE Description
Critical 8.8 CVE-2022-44690 Microsoft SharePoint Server Remote Code Execution Vulnerability
Critical 8.8 CVE-2022-44693 Microsoft SharePoint Server Remote Code Execution Vulnerability
Critical 8.5 CVE-2022-41076 PowerShell Remote Code Execution Vulnerability
Critical 8.1 CVE-2022-44670 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
Critical 8.1 CVE-2022-44676 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability

Figure 4. Critical vulnerabilities in SSTP, PowerShell and SharePoint Server, December 2022

Other Important Vulnerabilities to Consider

Email client vulnerabilities are not commonly highlighted or considered Critical but CVE-2022-44713, a Microsoft Outlook for Mac spoofing vulnerability, warrants special attention. This bug could enable an attacker to appear as a trusted user when they should not be. This could cause a user to mistakenly trust a signed email message as if it came from a legitimate user. Next on our list is CVE-2022-44704, a Microsoft Windows Sysmon elevation of privilege vulnerability, which could allow a locally authenticated attacker to manipulate information on the Sysinternals services to achieve elevation from local user to SYSTEM admin.

Two Windows kernel bugs are also getting addressed this month. The first, CVE-2022-44683 with a CVSS of 7.8, could be used to elevate privileges to SYSTEM assigned integrity level. Denial of service vulnerability CVE-2022-44707, with CVSS of 6.5, could cause a system to crash, making it inaccessible to its intended users.

Rank CVSS Score CVE Description
Important 7.5 CVE-2022-44713 Microsoft Outlook for Mac Spoofing Vulnerability
Important 7.8 CVE-2022-44704 Microsoft Windows Sysmon Elevation of Privilege Vulnerability
Important 7.8 CVE-2022-44683 Windows Kernel Elevation of Privilege Vulnerability
Important 6.5 CVE-2022-44707 Windows Kernel Denial of Service Vulnerability

Figure 5. Important vulnerabilities to consider, December 2022

Review Your Mitigation Strategy Before 2022 Ends

With only a couple of weeks left in 2022, it’s important to review your strategy and make sure it integrates with the broader organization’s security goals, not just within security operations. Security and operations teams need layered security and tools that help prevent, detect and identify vulnerabilities and guide them through their patching and assessment process. A fresh and up-to-date mitigation strategy will help to reduce the areas of opportunity for attackers, helping your organization remain as secure as possible and prevent any potential breach.

Learn More

This video on CrowdStrike Falcon Spotlight™ vulnerability management shows how you can quickly monitor and prioritize vulnerabilities within the systems and applications in your organization. 

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article

Additional Resources

Related Content