Latest Microsoft Patch Tuesday release is the smallest for some time, but still fixed some serious bugs


This month’s Microsoft Patch Tuesday is out, and it’s left Windows admins and cybersecurity experts alike scratching their heads a little.

As it turns out, this month’s release comes with no more than 51 patches, making it one of the most lightweight releases to come out of Microsoft in a long time - and to make matters even stranger, none of the patches were deemed "critical".

That's not to say the patches shouldn't be applied: a wide range of Microsoft software offerings is affected.

No news is good news?

This month’s release addresses vulnerabilities in Windows and Windows Components, Azure Data Explorer, Kestrel Web Server, Microsoft Edge (Chromium-based), Windows Codecs Library, Microsoft Dynamics, Microsoft Dynamics GP, Microsoft Office and Office Components, Windows Hyper-V Server, SQL Server, Visual Studio Code, and Microsoft Teams.

What’s more, the company only addressed one zero-day vulnerability, a Windows Kernel elevation of privilege tracked under CVE-2022-21989.

Analyzing the patches, Zero Day Initiative’s Dustin Childs said: “It may have happened before, but I can’t find an example of a monthly release from Microsoft that doesn’t include at least one critical-rated patch.”

Kevin Breen, Immersive Labs' director of cyber threat research, on the other hand, says Windows admins shouldn’t lower their guard, a point Childs essentially agrees with.

Discussing multiple CVEs listed in the fix with The Register, Breen says they are all “listed as elevation of privilege, which forms a key part of the attack chain. Once initial access has been gained, attackers will quickly seek to gain administrator-level access so they can move across the network, compromise other devices and avoid detection by disabling security tooling.”

For CVE-2022-21984, Childs says "if you have this setup in your environment, an attacker could completely take over your DNS and execute code with elevated privileges. Since dynamic updates aren’t enabled by default, this doesn’t get a critical rating. However, if your DNS servers do use dynamic updates, you should treat this bug as critical."
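
A check for the condition Childs describes, as an added example that is not from the article or from Microsoft: it lists the zones on each DNS server that accept dynamic updates, using the DnsServer module's Get-DnsServerZone cmdlet. The function name Get-DynamicUpdateZone and the TreatAsCritical column are assumptions made for illustration.

```powershell
# Added example: inventory DNS zones that accept dynamic updates, so the
# DNS servers Childs' advice applies to can be patched first.
# Requires the DnsServer module (RSAT DNS Server tools) and rights to
# query each server.
function Get-DynamicUpdateZone {
    [CmdletBinding()]
    param(
        # Assumption: defaults to the local machine; pass your own DNS server names.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    foreach ($server in $ComputerName) {
        try {
            $zones = Get-DnsServerZone -ComputerName $server -ErrorAction Stop
        } catch {
            # An unreachable server is reported, not silently skipped.
            Write-Warning "Could not query ${server}: $($_.Exception.Message)"
            continue
        }

        foreach ($zone in $zones) {
            # Skip the built-in zones Windows creates automatically.
            if ($zone.IsAutoCreated) { continue }

            # DynamicUpdate is None, Secure or NonsecureAndSecure; zone types
            # that cannot take updates may leave it empty.
            $mode = [string]$zone.DynamicUpdate
            if ([string]::IsNullOrEmpty($mode)) { $mode = 'None' }

            [pscustomobject]@{
                Server          = $server
                Zone            = $zone.ZoneName
                ZoneType        = $zone.ZoneType
                DsIntegrated    = $zone.IsDsIntegrated
                DynamicUpdate   = $mode
                # Per the guidance quoted above: any zone with dynamic
                # updates enabled puts this server in the "critical" bucket.
                TreatAsCritical = ($mode -ne 'None')
            }
        }
    }
}

# Zones with dynamic updates enabled sort to the top.
Get-DynamicUpdateZone |
    Sort-Object TreatAsCritical -Descending |
    Format-Table -AutoSize
```

Servers with at least one row where TreatAsCritical is True are the ones to move to the front of the patch queue for CVE-2022-21984.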

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.