[German]On December 13, 2022, Microsoft released security updates for Windows clients and servers, for Office, etc. – as well as for other products – released. The security updates fix 49 vulnerabilities, 6 of which are classified as critical, and two 0-day vulnerabilities, one of which is already being exploited. Below is a compact overview of these updates released on patchday.
Advertising
A list of updates can be found on this Microsoft page. Details about the update packages for Windows, Office, etc. are available in separate blog posts.
Notes about the updates
Windows 10 version 20H2 to 22H2 use a common core and have an identical set of system files. Therefore, the same security update will be delivered for these Windows 10 versions. Information on enabling the features of Windows 10, which is done through an Enablement Package update, can be found in this Techcommunity post.
All Windows 10 updates are cumulative. The monthly patchday update contains all security fixes for Windows 10 and all non-security fixes until patchday. In addition to vulnerability security patches, the updates include security enhancement measures. Microsoft is integrating the Servicing Stack Updates (SSUs) into the Latest Cumulative Updates (LCUs) for newer versions of Windows 10.
A list of the latest SSUs can be found at ADV990001 (although the list is not always up-to-date). Windows 7 SP1 is no longer supported as of January 2020. Only customers with a 3rd year ESU license (or bypass measures) will still receive updates. With the current ESU bypass lets install the update. Updates can also be downloaded from the Microsoft Update Catalog. The updates for Windows RT 8.1 and Microsoft Office RT are only available via Windows Update.
Fixed vulnerabilities
At Bleeping Computer there is this article, according to which the security updates fix 49 vulnerabilities, 6 of them critical and two 0-day vulnerabilities. At Tenable there is also this blog post with an overview of the fixed vulnerabilities. However, Tenable only lists 48 vulnerabilities with CVEs, of which seven are classified as critical, 40 are classified as "important". Furthermore, two 0-day vulnerabilities, one already exploited and one previously known, should have been fixed. So there are discrepancies between Bleeping Computer and Tenable.
- CVE-2022-44698: Windows SmartScreen security feature bypass vulnerability (MoTW), moderate
- CVE-2022-44690 und CVE-2022-44693: RCE vulnerabilities in Microsoft SharePoint Server, CVSSv3 Score 8.8, critical
- CVE-2022-41089: Unauthenticated RCE vulnerability in Microsoft.NET framework with a CVSSv3 Score 8.8, important
- CVE-2022-41076: RCE vulnerability in Windows Powershell, CVSSv3 Score 8.5, critical
- CVE-2022-44678 und CVE-2022-44681: EoP vulnerabilities in Windows Print Spooler, CVSSv3 Score of 7.8, important.
A list of all covered CVEs can be found on this Microsoft page, excerpts are available in the linked articles from Tenable and Bleeping Computer. Below is still the list of patched products:
Advertising
- .NET Framework
- Azure
- Client Server Run-time Subsystem (CSRSS)
- Microsoft Bluetooth Driver
- Microsoft Dynamics
- Microsoft Edge (Chromium-based)
- Microsoft Graphics Component
- Microsoft Office
- Microsoft Office OneNote
- Microsoft Office Outlook
- Microsoft Office SharePoint
- Microsoft Office Visio
- Microsoft Windows Codecs Library
- Role: Windows Hyper-V
- SysInternals
- Windows Certificates
- Windows Contacts
- Windows DirectX
- Windows Error Reporting
- Windows Fax Compose Form
- Windows HTTP Print Provider
- Windows Kernel
- Windows PowerShell
- Windows Print Spooler Components
- Windows Projected File System
- Windows Secure Socket Tunneling Protocol (SSTP)
- Windows SmartScreen
- Windows Subsystem for Linux
- Windows Terminal
Similar articles
Microsoft Office Updates (December 6, 2022)
Microsoft Security Update Summary (December 13, 2022)
Patchday: Windows 10-Updates (December 13, 2022)
Patchday: Windows 11/Server 2022-Updates (December 13, 2022)
Windows 7/Server 2008 R2; Windows 8.1/Server 2012 R2: Updates (December 13, 2022)
Patchday: Microsoft Office Updates (December 13, 2022)
Windows: 0Patch Micropatch for MOTOW ZIP file bug (0-day, no CVE)
Windows 0-day (Mark of the Web) used for ransomware attacks via JavaScript
Microsoft confirms Direct Access issues after Nov. 2022 updates
DirectAccess fails after Windows Updates from November 2022
Windows Server November 2022 updates cause LSASS memory leak
