Today is Microsoft’s February 2022 Patch release day and Microsoft has released 51 new patches addressing CVEs in Microsoft Windows and Windows Components, Azure Data Explorer, Kestrel Web Server, Microsoft Edge (Chromium-based), Windows Codecs Library, Microsoft Dynamics, Microsoft Dynamics GP, Microsoft Office and Office Components, Windows Hyper-V Server, SQL Server, Visual Studio Code, and Microsoft Teams. A total of five of these bugs came through the ZDI program.

This is in addition to the 19 CVEs patched by Microsoft Edge (Chromium-based) earlier this month, which brings the February total to 70 CVEs. The number of each type of vulnerability is listed below:

16 Elevation of Privilege Vulnerabilities

3 Security Feature Bypass Vulnerabilities

16 Remote Code Execution Vulnerabilities

5 Information Disclosure Vulnerabilities

5 Denial of Service Vulnerabilities

3 Spoofing Vulnerabilities

22 Edge – Chromium Vulnerabilities

Executive Summary

Microsoft released security updates for all supported client and server versions of Windows.

Microsoft released no critical updates for Windows on this Patch Day.

Security updates were also released for other Microsoft products, including Microsoft Dynamics, Microsoft Office, Microsoft Edge, SQL Server, Power BI, Visual Studio Code and Kestrel Web Server.

The following client operating systems have known issues: Windows 7, Windows 8.1, Windows 10 version 1809, Windows 10 version 20H2, 21H1, 21H2.

The following server operating systems have known issues: Windows Server 2008 and 2008 R2, Windows Server 2012 and 2012 R2, Windows Server 2019, Windows Server 2022.

Taking a closer look at some of the more interesting updates for this month:

CVE-2022-21984 – Windows DNS Server Remote Code Execution Vulnerability
This patch fixes a remote code execution bug in the Microsoft DNS server. The server is only affected if dynamic updates are enabled, but this is a relatively common configuration. If you have this setup in your environment, an attacker could completely take over your DNS and execute code with elevated privileges. Since dynamic updates aren’t enabled by default, this doesn’t get a Critical rating. However, if your DNS servers do use dynamic updates, you should treat this bug as Critical.
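
One way to check whether the dynamic-update condition applies in your environment, as an added example that is not part of the original post. It uses the Get-DnsServerZone cmdlet from the DnsServer module; the server names are placeholders to replace with your own.

```powershell
# Added example (not from the original post): report which primary zones on each
# DNS server accept dynamic updates, the condition the post gives for CVE-2022-21984.
# Requires the DnsServer module (RSAT DNS Server Tools) and rights to query each server.

# Assumption: placeholder server names; replace with your own DNS servers.
$DnsServers = @('dns01.corp.example', 'dns02.corp.example')

$report = foreach ($server in $DnsServers) {
    try {
        $zones = Get-DnsServerZone -ComputerName $server -ErrorAction Stop
    }
    catch {
        # A server that cannot be queried is unknown, not safe: keep it in the report.
        [pscustomobject]@{
            Server = $server; Zone = '(query failed)'; DsIntegrated = $null
            DynamicUpdate = 'Unknown'; AcceptsUpdates = $null
        }
        continue
    }

    # Dynamic update is a primary-zone setting; auto-created zones are skipped.
    $primary = $zones | Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
    foreach ($zone in $primary) {
        [pscustomobject]@{
            Server         = $server
            Zone           = $zone.ZoneName
            DsIntegrated   = $zone.IsDsIntegrated
            DynamicUpdate  = $zone.DynamicUpdate          # None, Secure or NonsecureAndSecure
            AcceptsUpdates = $zone.DynamicUpdate -ne 'None'
        }
    }
}

# Full per-zone view.
$report | Sort-Object Server, Zone | Format-Table -AutoSize

# Servers to patch first: at least one zone accepts dynamic updates, or the query failed.
$report | Where-Object { $_.AcceptsUpdates -ne $false } |
    Select-Object -ExpandProperty Server -Unique
```

Any server listed by the last command falls under the post's advice to treat this update as Critical.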

CVE-2022-23280 – Microsoft Outlook for Mac Security Feature Bypass Vulnerability
This Outlook bug could allow images to appear in the Preview Pane automatically, even if this option is disabled. On its own, exploiting this will only expose the target’s IP information. However, it’s possible a second bug affecting image rendering could be paired with this bug to allow remote code execution. If you are using Outlook for Mac, you should double-check to ensure your version has been updated to an unaffected version.

CVE-2022-21995 – Windows Hyper-V Remote Code Execution Vulnerability
This patch fixes a guest-to-host escape in Hyper-V server. Microsoft marks the CVSS exploit complexity as High here, stating that an attacker “must prepare the target environment to improve exploit reliability.” Since this is the case for most exploits, it’s not clear how this vulnerability is different. If you rely on Hyper-V servers in your enterprise, it’s recommended to treat this as a Critical update.

CVE-2022-22005 – Microsoft SharePoint Server Remote Code Execution Vulnerability
This patch fixes a bug in SharePoint Server that could allow an authenticated user to execute arbitrary .NET code on the server under the context and permissions of the service account of the SharePoint Web Application. An attacker would need “Manage Lists” permissions to exploit this. However, by default, authenticated users are able to create their own sites; in that case, the user is the owner of the site and has all the necessary permissions. This case came through the ZDI, and we’ll have additional details out about it in the near future.

Operating System Distribution

Windows 7 (extended support only): 11 vulnerabilities: 0 critical and 11 important

Windows 8.1: 14 vulnerabilities: 0 critical and 14 important

Windows 10 version 1909: 22 vulnerabilities: 0 critical and 22 important

Windows 10 version 2004, 20H2, 21H1 and 21H2: 22 vulnerabilities: 0 critical and 22 important

Windows 11: 23 vulnerabilities: 0 critical and 23 important

Windows Server products

Windows Server 2008 R2 (extended support only): 11 vulnerabilities: 0 critical and 11 important

Windows Server 2012 R2: 14 vulnerabilities: 0 critical and 14 important

Windows Server 2016: 17 vulnerabilities: 0 critical and 17 important

Windows Server 2019: 21 vulnerabilities: 0 critical and 21 important

Windows Server 2022: 22 vulnerabilities: 0 critical and 22 important

Known Issues

Windows 7 SP1 and Windows Server 2008 R2

Updates may show as failed and may be uninstalled because the machine is not on ESU.

Expected behaviour.

Certain operations such as rename may fail on Cluster Shared Volumes.

Perform the operation from a process with administrator privileges.

Perform the operation from a node that does not have CSV ownership.

Windows 8.1 and Server 2012 R2

Certain operations such as rename may fail on Cluster Shared Volumes.

Perform the operation from a process with administrator privileges.

Perform the operation from a node that does not have CSV ownership.

(NEW) Issues with apps using the “Microsoft .NET Framework to acquire or set Active Directory Forest Trust Information”. These may fail, close, or throw error messages such as access violation (0xc0000005).

Install out-of-band updates for the .NET Framework version that the app in question uses. Microsoft has links to these on the support page.

Windows 10 versions 2004, 20H2, 21H1 and 21H2

Custom installations may not receive the new Microsoft Edge web browser, while the old version may be removed.

Workaround described on the support page.

Some devices can’t install updates after installation of KB5003690 (June 21, 2021). Error PSFX_E_MATCHING_BINARY_MISSING is displayed.

Workaround instructions are available here.

Connections may fail to authenticate when using smart card authentication in Remote Desktop Connections.

Resolved according to Microsoft; this should no longer occur.

CVE | Title | Severity | CVSS | Public | Exploited | Type
CVE-2022-21989 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | Yes | No | EoP
CVE-2022-21984 | Windows DNS Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2022-23280 | Microsoft Outlook for Mac Security Feature Bypass Vulnerability | Important | 5.3 | No | No | SFB
CVE-2022-21995 | Windows Hyper-V Remote Code Execution Vulnerability | Important | 7.9 | No | No | RCE
CVE-2022-22005 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2022-21986 | .NET Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2022-23256 | Azure Data Explorer Spoofing Vulnerability | Important | 8.1 | No | No | Spoofing
CVE-2022-21844 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-21926 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-21927 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-21957 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE
CVE-2022-23271 | Microsoft Dynamics GP Elevation Of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2022-23272 | Microsoft Dynamics GP Elevation Of Privilege Vulnerability | Important | 8.1 | No | No | EoP
CVE-2022-23273 | Microsoft Dynamics GP Elevation Of Privilege Vulnerability | Important | 7.1 | No | No | EoP
CVE-2022-23274 | Microsoft Dynamics GP Remote Code Execution Vulnerability | Important | 8.3 | No | No | RCE
CVE-2022-23269 | Microsoft Dynamics GP Spoofing Vulnerability | Important | 6.9 | No | No | Spoofing
CVE-2022-23262 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important | 6.3 | No | No | EoP
CVE-2022-23263 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important | 7.7 | No | No | EoP
CVE-2022-22716 | Microsoft Excel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2022-22004 | Microsoft Office ClickToRun Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-22003 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-23252 | Microsoft Office Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2022-21988 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-23255 | Microsoft OneDrive for Android Security Feature Bypass Vulnerability | Important | 5.9 | No | No | SFB
CVE-2022-23254 | Microsoft Power BI Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP
CVE-2022-21968 | Microsoft SharePoint Server Security Feature Bypass Vulnerability | Important | 4.3 | No | No | SFB
CVE-2022-21987 | Microsoft SharePoint Server Spoofing Vulnerability | Important | 8 | No | No | Spoofing
CVE-2022-21965 | Microsoft Teams Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2022-22715 | Named Pipe File System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2022-21974 | Roaming Security Rights Management Services Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-23276 | SQL Server for Linux Containers Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
