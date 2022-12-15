In context: Once upon a time, “Patch Tuesday” was an informal term used to refer to the release of patches by some of the world’s largest software manufacturers. It was formalized by Microsoft in October 2003 and is now associated with updates from Redmond, which are released on the second Tuesday of the month.

December 13th was Patch Tuesday, and Microsoft took the opportunity to fix a lot of bugs in Windows and other “products, features, and roles.”

The list of security updates for December 2022 includes fixes for .NET Framework, Azure, Client Server Runtime Subsystem (CSRSS), Microsoft Office, SysInternals applications, Microsoft Dynamics and, of course, many components present in different versions of Windows.

The number of bugs fixed with the December Tuesday fixes is 49, six of which are classified as “critical”, which is the highest threat level. Vulnerabilities include 19 privilege escalation vulnerabilities, two security circumvention vulnerabilities, 23 remote code execution vulnerabilities, three disclosure vulnerabilities, three denial of service vulnerabilities, and one spoofing vulnerability.

Moreover, the last Tuesday of the fixes fixes two zero-day flaws. The actively exploited zero day of the month is a Windows SmartScreen security feature bypass vulnerability (CVE—2022-44698) that can be used to bypass Mark of the Web (MOTW) security features (a warning window displayed by Defender SmartScreen when a user tries to launch an unknown exe file downloaded from the Internet) with malicious JavaScript files to run and install malware from remote servers.

The disclosed vulnerability, which Microsoft drew attention to, was a DirectX Graphics Kernel Elevation of Privilege (CVE-2022-44710) vulnerability that could be used by an attacker to gain SYSTEM privileges after winning the race. A complete list of all fixed vulnerabilities and recommendations has been published by Bleeping Computer and is available here.

Windows security updates for the month are already available through the official Windows Update service, update management systems such as WSUS, as well as for direct download from the Microsoft Update catalog. Other companies releasing their security updates synchronously with the release of Microsoft patches include Cisco, Citrix, Fortinet, Google and SAP.