Virtual Administrator’s December 2022 Patch Recommendations

This month Microsoft released patches for 52 vulnerabilities with 6 rated “Critical” in severity.

 

Deferring KB5012170 for Windows 11 22H2. All other patches will be approved in our patch policy.

 

  • Top of your list this month should be CVE-2022-44698. It can bypass the Windows SmartScreen security feature and is being exploited.
  • Publicly disclosed CVE-2022-44710 is an elevation of privilege vulnerability affecting the DirectX graphics kernel on Windows 11 22H2 systems.
  • Another critical bug is CVE-2022-41076, a PowerShell Remote Code Execution vulnerability.
  • CVE-2022-44690 is a Remote Code Execution vulnerability in Microsoft SharePoint Server.
  • Security Advisory ADV220005 “Guidance on Microsoft Signed Drivers Being Used Maliciously” is fixed with the Cumulative Updates/Monthly Rollups.
  • A few Known Issues are detailed below. The ODBC SQL Server Driver problem affects all versions of Windows. It was introduced by the November updates but not reported until December 5th, so affected systems should already have experienced the errors.

 

Deferring KB5012170 for Windows 11 22H2

We have seen reports of KB5012170 causing a BSOD. We will track Microsoft’s progress on a fix and hope to approve it in January 2023. Microsoft promises “this issue only affects this security update for Secure Boot DBX (KB5012170) and does not affect the latest cumulative security updates, monthly rollups, or security-only updates.”

KB5012170: Security update for Secure Boot DBX

https://support.microsoft.com/en-us/topic/kb5012170-security-update-for-secure-boot-dbx-72ff5eed-25b4-47c7-be28-c42bd211bb15

KB5012170 might fail to install and you might receive a 0x800f0922 error

https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-22h2#2883msgdesc

Symptom: When attempting to install this update, it might fail to install, and you might receive Error 0x800f0922.

Actions: This issue can be mitigated on some devices by updating the UEFI bios to the latest version before attempting to install this update.

Status: We are working on a resolution and will provide an update in an upcoming release.
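To decide per host whether the deferral above matters, the following inventory script (an added example, not from this post or from Microsoft’s KB article) reports whether KB5012170 is already installed, whether Secure Boot is enabled, and the firmware version, since Microsoft’s mitigation for the 0x800f0922 failure is a UEFI update. Run it in an elevated PowerShell window; the function name Get-DbxUpdateState is our own.

```powershell
# Added example: inventory the facts the KB5012170 (Secure Boot DBX) deferral turns on.
# Assumes an elevated session; Confirm-SecureBootUEFI requires administrator rights.
function Get-DbxUpdateState {
    [CmdletBinding()]
    param([string]$KbId = 'KB5012170')

    # Get-HotFix reads Win32_QuickFixEngineering; updates not recorded there will not show up.
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

    try {
        # Throws on legacy BIOS machines, where Secure Boot does not exist.
        $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        $secureBoot = $null
    }

    $bios = Get-CimInstance -ClassName Win32_BIOS

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        KbInstalled  = [bool]$hotfix
        InstalledOn  = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        SecureBoot   = $secureBoot          # $true/$false, or $null on non-UEFI hosts
        BiosVersion  = $bios.SMBIOSBIOSVersion
        BiosDate     = $bios.ReleaseDate    # compare against the vendor's latest UEFI release
        Manufacturer = $bios.Manufacturer
    }
}

Get-DbxUpdateState | Format-List
```

Hosts that report SecureBoot = $false or $null are not affected by the DBX update at all; for the rest, an older BiosDate is the hint that firmware should be updated before KB5012170 is approved.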

 

FYI – No Preview releases this month

Per Microsoft: “Because of minimal operations during the holidays and the upcoming Western new year, there won’t be a non-security preview release for the month of December 2022. There will be a monthly security release (known as a “B” release) for December 2022. Normal monthly servicing for both B and non-security preview releases will resume in January 2023.”

 

Heads Up! Microsoft will “break up” with IE11 on Valentine’s Day 2023

Internet Explorer 11 desktop app retirement FAQ

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/internet-explorer-11-desktop-app-retirement-faq/ba-p/2366549

“The retired, out-of-support Internet Explorer 11 desktop application is scheduled to be permanently disabled through a Microsoft Edge update on certain versions of Windows 10 on February 14, 2023”

 

Disclosed: CVE-2022-44710

Exploited: CVE-2022-44698

 

Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance

 

Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com

 

Microsoft Security Advisories

 

ADV220005 | Guidance on Microsoft Signed Drivers Being Used Maliciously (Published:12/13/2022)

https://msrc.microsoft.com/update-guide/vulnerability/ADV220005

Summary: Microsoft was recently informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity. Microsoft has completed its investigation and determined that the activity was limited to the abuse of several developer program accounts and that no compromise has been identified. We’ve suspended the partners’ seller accounts and implemented blocking detections to help protect customers from this threat.

Recommended Actions: Microsoft recommends that all customers install the latest Windows updates and ensure their anti-virus and endpoint detection products are up to date with the latest signatures and are enabled to prevent these attacks.

 

Known Issues

A few known issues are listed below affecting Windows Server 2019/2022 and Windows 11 22H2. The ODBC SQL Server Driver problem affects all versions of Windows but was introduced with the November updates.

 

“WPF apps may have a change in behavior”

Affects: Windows 11 22H2

https://support.microsoft.com/en-us/topic/december-13-2022-kb5020880-cumulative-update-for-net-framework-3-5-and-4-8-1-for-windows-11-version-22h2-de8ebb9a-fc1a-4d63-a9f3-8aef08428e50

Symptom: After installing this update, WPF apps may have a change in behavior. For more information about this issue, see KB5022083

Workaround: To mitigate this issue, see KB5022083.

KB5022083 Change in how WPF-based applications render XPS documents

https://support.microsoft.com/en-us/topic/kb5022083-change-in-how-wpf-based-applications-render-xps-documents-a4ae4fa4-bc58-4c37-acdd-5eebc4e34556

 

“Hyper-V hosts managed by SDN configured System Center Virtual Machine Manager (VMM)”

Affects: Windows Server 2019/2022 (KB5021237,KB5021249)

https://support.microsoft.com/en-us/topic/december-13-2022-kb5021237-os-build-17763-3770-8c1506cc-e030-4cf1-8cd6-774091f46f34

https://support.microsoft.com/en-us/topic/december-13-2022-kb5021249-os-build-20348-1366-d5fe7608-bc9d-4055-a88c-fb2fd3d5fd45

Symptom: After installing this update on Hyper-V hosts managed by SDN configured System Center Virtual Machine Manager (VMM), you might receive an error on workflows involving creating a new Network Adapter (also called a Network Interface Card or NIC) joined to a VM network or a new Virtual Machine (VM) with a Network Adapter joined to a VM network. Existing VMs with existing Network Adapters should not have issues connecting after installing this update; only new Network Adapters created after installation of this update are affected.

Workaround: To mitigate this issue, open an elevated PowerShell window (select the Start button then type powershell, right click or long press on it and select Run as Administrator) on all SCVMM managed Hyper-V hosts and run the following commands:

# Language folder (e.g. en-US) holding the localized VFP extension MFL file
$lang = (Get-WinSystemLocale).Name

# Recompile the VFP (Virtual Filtering Platform) WMI provider definitions
C:\Windows\system32\wbem\mofcomp.exe C:\Windows\system32\wbem\$lang\VfpExt.mfl
C:\Windows\system32\wbem\mofcomp.exe C:\Windows\system32\wbem\VfpExt.mof

 

“Apps that use ODBC connections through Microsoft ODBC SQL Server Driver (sqlsrv32.dll) to access databases might not connect.”

Affects: All Windows versions

https://support.microsoft.com/en-us/topic/december-13-2022-kb5021233-os-builds-19042-2364-19043-2364-19044-2364-and-19045-2364-44e774aa-60c4-4e38-b7e7-c886d210db3b

Symptom: After installing this update, apps that use ODBC connections through Microsoft ODBC SQL Server Driver (sqlsrv32.dll) to access databases might not connect. Additionally, you might receive an error in the app, or you might receive an error from the SQL Server. Errors you might receive include the following messages:

“The EMS System encountered a problem. Message: [Microsoft][ODBC SQL Server Driver] Protocol error in TDS Stream.”

“The EMS System encountered a problem. Message: [Microsoft][ODBC SQL Server Driver] Unknown token received from SQL Server.”

Actions: To decide whether you are using an affected app, open the app that connects to a database. Open a Command Prompt window, type the following command and then press Enter:

tasklist /m sqlsrv32.dll

If the command lists a task, then the app might be affected.

Status: We are working on a resolution and will provide an update in an upcoming release.
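The tasklist check above has to be repeated per host and per app. The script below (an added example, not from this post or from Microsoft’s KB article) does the same check from PowerShell by enumerating every running process that has sqlsrv32.dll loaded, which is the population the TDS errors can hit. The function name Get-SqlSrv32Process is our own; run it in an elevated 64-bit PowerShell window so that other users’ processes and 32-bit processes can be inspected.

```powershell
# Added example: list processes with the legacy ODBC SQL Server Driver (sqlsrv32.dll) loaded.
# Equivalent to "tasklist /m sqlsrv32.dll", with the driver path and version added so that
# the affected hosts can be compared. Assumes an elevated, 64-bit session.
function Get-SqlSrv32Process {
    [CmdletBinding()]
    param([string]$ModuleName = 'sqlsrv32.dll')

    foreach ($proc in Get-Process) {
        try {
            # Reading Modules throws for protected/system processes; those cannot load
            # the ODBC driver in a way that matters here, so skip them.
            $hit = $proc.Modules | Where-Object { $_.ModuleName -ieq $ModuleName }
        } catch {
            continue
        }
        if ($hit) {
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                ProcessName  = $proc.ProcessName
                Id           = $proc.Id
                ProcessPath  = $proc.Path
                DriverPath   = $hit.FileName
                DriverVer    = $hit.FileVersionInfo.FileVersion
            }
        }
    }
}

$affected = @(Get-SqlSrv32Process)
if ($affected.Count -gt 0) {
    "Processes with sqlsrv32.dll loaded (candidates for the 'Protocol error in TDS Stream' issue):"
    $affected | Format-Table -AutoSize
} else {
    "No running process has sqlsrv32.dll loaded on $env:COMPUTERNAME."
}
```

The app has to be running and connected for the driver to be loaded, so, as with the tasklist check, open the database app first.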

 

A good resource for known issues with Windows 10/11 patches. Find the version and click on “Known issues”.

Windows release health

https://docs.microsoft.com/en-us/windows/release-health/

 

Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022 KBs

Links are https://support.microsoft.com/en-us/help/####### where ####### is the KB number only.

 

Security and Quality Rollup

  • KB5021291 – Windows 7, Windows Server 2008 R2 (ESU)
  • KB5021294 – Windows 8.1, Windows Server 2012 R2
  • KB5021285 – Windows Server 2012
  • KB5021289 – Windows Server 2008 (ESU)

 

Security Only Update

  • KB5021288 – Windows 7, Windows Server 2008 R2 (ESU)
  • KB5021296 – Windows 8.1, Windows Server 2012 R2
  • KB5021303 – Windows Server 2012
  • KB5021293 – Windows Server 2008 (ESU)

 

Cumulative Updates

Windows 10

  • KB5021243 – Original release version 1507 (OS Build 10240)
  • KB5021235 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB5021237 – Version 1809 “October 2018 Update” (OS Build 17763)
  • KB5021233 – Version 20H2 “October 2020 Update” (OS Build 19042)
  • KB5021233 – Version 21H1 “May 2021 Update” (OS Build 19043)
  • KB5021233 – Version 21H2 “November 2021 Update” (OS Build 19044)
  • KB5021233 – Version 22H2 “November 2022 Update” (OS Build 19045)
  • (Versions 1511,1703,1709,1803,1903,2004 are no longer under support)

 

Windows 11

  • KB5021234 – 21H2 (OS Build 22000) Original release
  • KB5021255 – 22H2 (OS Build 22621)

 

Windows Server

  • KB5021235 – Server 2016 (same KB as Windows 10 Version 1607)
  • KB5021237 – Server 2019 (same KB as Windows 10 Version 1809)
  • KB5021249 – Server 2022 (OS Build 20348)

 

December 2022 updates for Microsoft Office

https://support.microsoft.com/en-us/topic/december-2022-updates-for-microsoft-office-3b14c6cc-c158-4e17-8bf7-589c2e63332d

 

Notable CVEs

 

CVE-2022-41076 | PowerShell remote code execution vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41076

“An authenticated attacker could escape the PowerShell Remoting Session Configuration and run unapproved commands on the target system.”

 

CVE-2022-41089 | .NET Framework remote code execution vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41089

“The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.

For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.”

 

CVE-2022-44678 and CVE-2022-44681 | Windows Print Spooler Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-44678

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-44681

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”

 

CVE-2022-44693 | Microsoft SharePoint Server Remote Code Execution Vulnerability (KB5002311,KB5002317,KB5002319,KB5002321,KB5002327)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44693

“In a network-based attack, an authenticated attacker with Manage List permissions could execute code remotely on the SharePoint Server.”

 

CVE-2022-44698 | Windows SmartScreen Security Feature Bypass Vulnerability (Cumulative Update)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-44698

“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging.”

 

CVE-2022-44710 | DirectX Graphics Kernel Elevation of Privilege Vulnerability (Cumulative Update KB5021255)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44710

“Successful exploitation of this vulnerability requires an attacker to win a race condition. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”

 

CVE-2022-44713 | Microsoft Outlook for Mac Spoofing Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44713

“An attacker could appear as a trusted user when they should not be. This could cause a user to mistakenly trust a signed email message as if it came from a legitimate user.”