Microsoft fixed 71 vulnerabilities and three 0-day bugs in its products

This week, Microsoft released the March patch kit and fixed three zero-day vulnerabilities, for a total of 71 vulnerabilities fixed in its products (not counting 21 vulnerabilities in Microsoft Edge).

One of the most serious issues this month is the RCE vulnerability in Microsoft Exchange Server, which has received the identifier CVE-2022-23277. This bug reportedly allows an authenticated user to “run malicious code in the context of a server account through a network call.”

Two other critical RCE bugs fixed this month affect Microsoft Video Extensions. One of them, CVE-2022-24501, was found in the VP9 Video Extensions app available from the Microsoft Store. An attacker can convince a user to open a malicious video file, which will eventually lead to the execution of the code hidden in the video. Similarly, CVE-2022-22006 is a remote code execution vulnerability in HEVC Video Extensions that can be exploited in a similar way.

In addition, Microsoft has released fixes for a number of other products, including Office, Windows, Internet Explorer, Defender, and Azure Site Recovery. Zero Day Initiative experts, who have traditionally published a review of the fixed bugs, highlight the following among them:

1. CVE-2022-21990: Remote code execution. It is possible to hijack someone else’s PC through an RDP client when connected to a malicious server. Details about this vulnerability are already publicly available and, according to the Zero Day Initiative, the bug should be considered critical.
2. CVE-2022-24508: Remote code execution. An authenticated user can execute malicious code on Windows 10 version 2004 and later via SMBv3. Experts also advise considering this problem critical.
3. CVE-2022-24512: Remote code execution in .NET and Visual Studio. The details of the bug are public.

It should also be noted that other larger companies have introduced updates for their products, including:

1. Google introduced March security updates for Android;
2. Cisco has released updates for many products, including Cisco Cisco FXOS and NX-OS, StarOS, and Cisco Application Policy Infrastructure Controller;
3. Adobe has fixed arbitrary code execution and memory leak vulnerabilities.

Let me remind you that we also talked about Microsoft fixes vulnerability in Azure Container Instance, and also that Microsoft has recorded a record DDoS attack, with a capacity of 3.47 Tb/s.