Microsoft Patch Tuesday for March 2022 — Snort rules and prominent vulnerabilities



By Jon Munshaw and Edmund Brumaghin. 

Microsoft released another relatively light security update Tuesday, disclosing 71 vulnerabilities, including fixes for issues in Azure and the Office suite of products. March’s Patch Tuesday only included two critical vulnerabilities, which is notable considering there weren’t any critical issues in February’s security update

This month’s patch batch does not include any threats that Microsoft says have been exploited in the wild, and none of the vulnerabilities disclosed has a severity score higher than 8.8 out of 10. 

The most serious issue is CVE-2022-23277, a remote code execution vulnerability in Microsoft Exchange Server. An adversary could exploit this vulnerability to target the Exchange Server accounts with arbitrary or remote code execution, according to Microsoft. If the user is authenticated, they could trigger malicious code in the context of the Server account through a network call.

The other critical vulnerability this month exists in the VP9 Video Extensions app available on the Microsoft Store — CVE-2022-24501. An adversary could trick a user into opening a specially crafted, malicious video file that could lead to the attacker being able to execute arbitrary code on the targeted machine. Microsoft is pushing an automatic update to the app, so no user interaction is required to install the fix, though they should check to confirm the software is on version 1.0.42791.0 and later. 

Of the 69 other vulnerabilities, one is considered to be of “moderate” severity, and the rest are categorized as “important.” 

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page

In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 59210 - 59217, 59220 and 59221. 

0 Comments