Microsoft's Patch Tuesday squashes 49 bugs to end the year
Two zero-day and six critical vulnerabilities have been patched
By Alfonso Maruccia
In context: "Patch Tuesday" was once an unofficial term used to refer to the rollout of patches from some of the world's largest software makers. It was formalized by Microsoft in October 2003 and is now associated with updates from Redmond that drop on the second Tuesday of the month.
December 13 was Patch Tuesday, and Microsoft used the opportunity to squash a lot of bugs in Windows and in other "products, features and roles."
The December 2022 Security Updates list includes patches for .NET Framework, Azure, Client Server Run-time Subsystem (CSRSS), Microsoft Office, SysInternals applications, Microsoft Dynamics, and of course many components found in different versions of Windows.
The number of bugs fixed with December's Patch Tuesday totals 49, six of which are classified as "Critical," the highest threat level. The flaws include 19 elevation of privilege vulnerabilities, two security feature bypass vulnerabilities, 23 remote code execution vulnerabilities, three information disclosure vulnerabilities, three denial of service vulnerabilities and one spoofing vulnerability.
The publicly disclosed vulnerability Microsoft addressed was a DirectX Graphics Kernel Elevation of Privilege Vulnerability (CVE-2022-44710), which could be exploited by a malicious actor to gain SYSTEM privileges after winning a race condition. A complete list of all fixed vulnerabilities and advisories has been published by Bleeping Computer.
Windows Security Updates for the month are already available through the official Windows Update service, update management systems such as WSUS, and as direct downloads from the Microsoft Update Catalog. Other companies releasing their security updates in sync with Microsoft's Patch Tuesday include Cisco, Citrix, Fortinet, Google, and SAP.