Microsoft security alert.

December 13, 2022

Advisory overview

Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 47 vulnerabilities that were fixed in 11 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.

Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.

Vulnerability details

Microsoft has released 11 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:

  • Microsoft SharePoint Server and Foundation Update for December 2022

    Severity
    Critical 4
    Qualys ID
    110421
    Vendor Reference
    KB5002311, KB5002317, KB5002319, KB5002321, KB5002327
    CVE Reference
    CVE-2022-44690, CVE-2022-44693
    CVSS Scores
    Base 6.8 / Temporal 5
    Description
    Microsoft has released December 2022 security updates to fix multiple security vulnerabilities.

    This security update contains the following KBs:

    KB5002327
    KB5002311
    KB5002319
    KB5002321
    KB5002317

    QID Detection Logic:
    This authenticated QID compares the file versions from the Microsoft KB articles above with the versions on the affected SharePoint system.

    Consequence
    Successful exploitation allows an attacker to execute code remotely.

    Solution
    Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    KB5002327
    KB5002311
    KB5002319
    KB5002321
    KB5002317

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft SharePoint Foundation and SharePoint Server

  • Microsoft Office Security Update for December 2022

    Severity
    Critical 4
    Qualys ID
    110422
    Vendor Reference
    KB5002280, KB5002286
    CVE Reference
    CVE-2022-26804, CVE-2022-26805, CVE-2022-26806, CVE-2022-44691, CVE-2022-44692, CVE-2022-44694, CVE-2022-44695, CVE-2022-44696, CVE-2022-47211, CVE-2022-47212, CVE-2022-47213
    CVSS Scores
    Base 4.6 / Temporal 3.4
    Description
    Microsoft has released December 2022 security updates to fix multiple security vulnerabilities.

    This security update contains the following:

    Office Click-2-Run and Office 365 Release Notes
    Release notes for Office for Mac
    KB5002203

    QID Detection Logic:
    This authenticated QID compares the file versions from the Microsoft advisory with the versions on the affected Office system.

    Note: Office click-2-run and Office 365 installations need to be updated manually or need to be set to automatic update. There is no direct download for the patch.

    Consequence
    Successful exploitation allows an attacker to execute code remotely.

    Solution
    Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Office Click-2-Run and Office 365 Release Notes
    Release notes for Office for Mac
    KB5002203

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft office December 2022

  • Microsoft Outlook for Mac Spoofing Vulnerability Security Update for December 2022

    Severity
    Critical 4
    Qualys ID
    110423
    Vendor Reference
    Release notes for Office for Mac
    CVE Reference
    CVE-2022-44713
    CVSS Scores
    Base 7.8 / Temporal 5.8
    Description
    Microsoft has released December 2022 security updates for Outlook to fix a spoofing vulnerability.

    This security update contains the following KBs:
    Affected Products:
    Microsoft Office LTSC for Mac 2021
    Microsoft Outlook 2019 for Mac

    QID Detection Logic:
    This authenticated QID compares the file versions from the Microsoft advisory with the versions on the affected Outlook applications.

    Consequence
    Successful exploitation will allow spoofing in Outlook Clients.
    Solution
    Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft Outlook for Mac

  • Windows Terminal Remote Code Execution (RCE) Vulnerability

    Severity
    Critical 4
    Qualys ID
    377824
    Vendor Reference
    CVE-2022-41079, CVE-2022-41080, CVE-2022-41123, CVE-2022-44702
    CVE Reference
    CVE-2022-44702
    CVSS Scores
    Base 4.6 / Temporal 3.4
    Description
    Windows Terminal is a multi-tabbed terminal emulator that Microsoft has developed. It can run any command-line app in a separate tab. It is preconfigured to run Command Prompt, PowerShell, WSL, SSH, and Azure Cloud Shell Connector.

    Affected Versions:
    Windows Terminal for Windows 10 below 1.15.2874
    Windows Terminal for Windows 11 below 1.15.2875

    QID Detection Logic (Authenticated):
    The QID checks for vulnerable versions of Windows Terminal by checking the file version of wt.exe.

    Consequence
    Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code on the target system.
    Solution
    Microsoft has released a patch; customers are advised to refer to KB5019758 for information pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2022-44702

  • Microsoft .NET Framework Remote Code Execution Vulnerability for December 2022

    Severity
    Critical 4
    Qualys ID
    91961
    Vendor Reference
    KB5020868, KB5020873, KB5020880, KB5021079, KB5021080, KB5021081, KB5021082, KB5021085, KB5021086, KB5021087, KB5021088, KB5021089, KB5021090, KB5021091, KB5021092, KB5021093, KB5021094, KB5021095, KB5021243
    CVE Reference
    CVE-2022-41089
    CVSS Scores
    Base 7.5 / Temporal 5.5
    Description
    A remote code execution vulnerability exists in Microsoft .NET Framework.

    Following KBs are covered in this detection:
    KB5021243
    KB5021086
    KB5021087
    KB5020880
    KB5021088
    KB5021089
    KB5021094
    KB5021082
    KB5020868
    KB5021081
    KB5021093
    KB5021091
    KB5021079
    KB5021092
    KB5021080
    KB5021090
    KB5021095
    KB5020873
    KB5021085
    This security update is rated Important for supported versions of Microsoft .NET Framework.

    .NET Framework 2.0, 3.0, 3.5, 3.5.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8, and 4.8.1

    QID Detection Logic (Authenticated):
    Checks for a vulnerable file version of ntoskrnl.exe, Mscorlib.dll or System.core.dll for the respective .NET Framework KBs.

    Consequence
    Successful exploitation allows an attacker to achieve remote code execution.
    Solution
    Customers are advised to refer to CVE-2022-41089 for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2022-41089

  • Microsoft Windows Security Update for December 2022

    Severity
    Critical 4
    Qualys ID
    91962
    Vendor Reference
    KB5021233, KB5021234, KB5021235, KB5021237, KB5021243, KB5021249, KB5021255, KB5021285, KB5021288, KB5021289, KB5021291, KB5021293, KB5021294, KB5021296, KB5021303
    CVE Reference
    CVE-2022-41074, CVE-2022-41076, CVE-2022-41077, CVE-2022-41094, CVE-2022-41121, CVE-2022-44666, CVE-2022-44667, CVE-2022-44668, CVE-2022-44669, CVE-2022-44670, CVE-2022-44671, CVE-2022-44673, CVE-2022-44674, CVE-2022-44675, CVE-2022-44676, CVE-2022-44677, CVE-2022-44678, CVE-2022-44679, CVE-2022-44680, CVE-2022-44681, CVE-2022-44682, CVE-2022-44683, CVE-2022-44689, CVE-2022-44697, CVE-2022-44698, CVE-2022-44707, CVE-2022-44710
    CVSS Scores
    Base 9 / Temporal 7.4
    Description
    Microsoft Windows Security Update - December 2022

    QID Detection Logic (Authenticated):
    The KB articles associated with the update and their patch versions:
    KB5021294: patch version 6.3.9600.20718
    KB5021296: patch version 6.3.9600.20718
    KB5021285: patch version 6.2.9200.24013
    KB5021303: patch version 6.2.9200.24013
    KB5021291: patch version 6.1.7601.26262
    KB5021288: patch version 6.1.7601.26262
    KB5021289: patch version 6.0.6003.21811
    KB5021293: patch version 6.0.6003.21811
    KB5021235: patch version 10.0.14393.5582
    KB5021243: patch version 10.0.10240.19624
    KB5021233: patch version 10.0.19041.2364
    KB5021255: patch version 10.0.22621.963
    KB5021234: patch version 10.0.22000.1335
    KB5021249: patch version 10.0.20348.1366
    KB5021237: patch version 10.0.17763.3770

    This QID checks for the file version of ntoskrnl.exe.

    Consequence
    Successful exploitation could compromise confidentiality, integrity and availability.

    Solution
    Please refer to the following KB Articles associated with the update:
    KB5021294
    KB5021296
    KB5021285
    KB5021303
    KB5021291
    KB5021288
    KB5021289
    KB5021293
    KB5021235
    KB5021243
    KB5021233
    KB5021255
    KB5021234
    KB5021249
    KB5021237

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    5021233
    5021234
    5021235
    5021237
    5021243
    5021249
    5021255
    5021285
    5021288
    5021289
    5021291
    5021293
    5021294
    5021296
    5021303

  • Microsoft .NET Security Update for December 2022

    Severity
    Critical 4
    Qualys ID
    91963
    Vendor Reference
    CVE-2022-41089
    CVE Reference
    CVE-2022-41089
    CVSS Scores
    Base 7.5 / Temporal 5.5
    Description
    Microsoft has released a security update for .NET which resolves a remote code execution vulnerability.
    This security update is rated Important for affected versions of .NET.

    Affected versions:
    .NET 6.0 before version 6.0.12
    .NET Core 3.1 before version 3.1.32
    and .NET 7.0 before version 7.0.1

    QID Detection Logic: Authenticated
    On Windows, this QID detects vulnerable versions of Microsoft .NET by checking the file version.
    On Linux, this QID detects vulnerable versions of Microsoft .NET by checking the .NET version present in "/usr/share/dotnet/shared/Microsoft.NETCore.App/" and "/root/shared/Microsoft.NETCore.App" folders.
    On Mac, this QID detects vulnerable versions of Microsoft .NET by checking the .NET version present in "/usr/share/dotnet/shared/Microsoft.NETCore.App/" folder.

    Consequence

    Vulnerable versions of Microsoft .NET are prone to a remote code execution vulnerability.
    Solution
    Customers are advised to refer to CVE-2022-41089 for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2022-41089

  • Microsoft Dynamics Security Update for December 2022

    Severity
    Critical 4
    Qualys ID
    91964
    Vendor Reference
    CVE-2022-41127
    CVE Reference
    CVE-2022-41127
    CVSS Scores
    Base 7.2 / Temporal 5.3
    Description
    Microsoft Dynamics contains the following vulnerabilities:
    Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability.
    The security update addresses these vulnerabilities by helping to ensure that Dynamics Server properly sanitizes web requests.

    Affected Software:

    Microsoft Dynamics 365 Business Central 2022 Release Wave 1 - Update
    Microsoft Dynamics 365 Business Central 2022 Release Wave 2 - Update
    Microsoft Dynamics 365 Business Central 2021 Release Wave 1 - Update
    Microsoft Dynamics 365 Business Central 2021 Release Wave 2 - Update
    Microsoft Dynamics 365 Business Central 2020 Release Wave 1 - Update
    Microsoft Dynamics 365 Business Central 2020 Release Wave 2 - Update
    Microsoft Dynamics 365 Business Central 2019 Release Wave 2 (On-Premise)
    Microsoft Dynamics 365 Business Central Spring 2019 Update
    Microsoft Dynamics NAV 2018
    Microsoft Dynamics NAV 2017
    Microsoft Dynamics NAV 2016

    QID Detection Logic:
    This QID detects vulnerable software versions by fetching file versions from the following locations:
    This authenticated QID flags vulnerable systems by detecting vulnerable versions of the file Microsoft.Dynamics.Nav.Server.exe.

    Consequence
    Successful exploitation could compromise confidentiality, integrity and availability.

    Solution
    Customers are advised to refer to CVE-2022-41127 for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2022-41127

  • Microsoft Windows Sysmon Elevation of Privilege Vulnerability

    Severity
    Critical 4
    Qualys ID
    91965
    Vendor Reference
    CVE-2022-44704
    CVE Reference
    CVE-2022-41120, CVE-2022-44704
    CVSS Scores
    Base 7.2 / Temporal 5.6
    Description
    System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log.

    Affected Software
    Sysmon prior to version 14.1.3.0
    QID Detection Logic (Authenticated):
    This authenticated QID flags vulnerable systems by detecting vulnerable versions of the file Sysmon.exe.

    Consequence
    Successful exploitation could lead to elevation of privileges.

    Solution
    Customers are advised to refer to CVE-2022-44704 for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2022-44704

  • Microsoft Visual Studio Security Updates for December 2022

    Severity
    Critical 4
    Qualys ID
    91966
    Vendor Reference
    CVE-2022-41089
    CVE Reference
    CVE-2022-41089
    CVSS Scores
    Base 7.5 / Temporal 5.5
    Description

    Microsoft has released security Updates for Visual Studio which resolve Remote Code Execution Vulnerabilities.

    Affected Software:
    Microsoft Visual Studio 2022 version 17.4
    Microsoft Visual Studio 2022 version 17.2
    Microsoft Visual Studio 2022 version 17.0
    Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)

    QID Detection Logic: Authenticated : Windows
    This QID detects vulnerable versions of Microsoft Visual Studio by checking the registry key "HKLM\SOFTWARE\Microsoft" and the file "devenv.exe" to determine the version of Visual Studio.

    Consequence
    Vulnerable versions of Microsoft Visual Studio are prone to Remote Code Execution.
    Solution
    Customers are advised to refer to CVE-2022-41089 for more information pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2022-41089

  • Raw Image Extension Remote Code Execution Vulnerability Updates in December 2022

    Severity
    Critical 4
    Qualys ID
    91967
    Vendor Reference
    CVE-2022-44687
    CVE Reference
    CVE-2022-44687
    CVSS Scores
    Base 4.6 / Temporal 3.4
    Description

    For all supported versions of Windows 10, the secure version is v2.0.32791.0 and later. For Windows 11 operating systems, the secure version is v2.1.32791.0 and later.
    QID detection Logic:
    The QID gets the version of RawImageExtension by querying the WMI class Win32_InstalledStoreProgram.

    Consequence
    An attacker who successfully exploits this vulnerability can compromise the confidentiality, integrity and availability of the system.

    Solution
    Users are advised to check CVE-2022-44687 for further details.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2022-44687
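The Linux check described for QID 91963 (reading the version folders under the .NET shared runtime directory) can be reproduced by hand. The following is an added example, not Qualys detection code: the function names and result labels are hypothetical, the fixed versions and folder paths are the ones quoted in the advisory, and branches the advisory does not list are reported as "not-listed" rather than judged.

```python
import os
import re
from pathlib import Path

# Fixed releases quoted in the advisory, keyed by (major, minor) branch.
FIXED = {(3, 1): (3, 1, 32), (6, 0): (6, 0, 12), (7, 0): (7, 0, 1)}

# Folders the advisory names for the Linux check.
RUNTIME_DIRS = (
    "/usr/share/dotnet/shared/Microsoft.NETCore.App/",
    "/root/shared/Microsoft.NETCore.App",
)

# Folder names look like "6.0.11" or "7.0.0-rc.2.22472.3" (prerelease suffix).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-.+)?$")


def classify(folder_name):
    """Return 'vulnerable', 'fixed', 'not-listed' or 'unparsed' for one folder."""
    match = VERSION_RE.match(folder_name)
    if match is None:
        return "unparsed"
    version = tuple(int(part) for part in match.group(1, 2, 3))
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "not-listed"  # branch not covered by this advisory
    # Compare as integer tuples: as strings, "6.0.9" would sort above "6.0.12".
    # A prerelease build of the fixed version still predates the release.
    if version < fixed or (version == fixed and match.group(4)):
        return "vulnerable"
    return "fixed"


def audit(runtime_dirs=RUNTIME_DIRS):
    """Map every installed runtime folder to its classification."""
    findings = {}
    for directory in runtime_dirs:
        if not os.path.isdir(directory):
            continue  # runtime not installed (or not visible) at this location
        for child in sorted(Path(directory).iterdir()):
            if child.is_dir():
                findings[str(child)] = classify(child.name)
    return findings


if __name__ == "__main__":
    for path, status in audit().items():
        print(f"{status:11} {path}")
```

Side-by-side runtimes are each reported separately, so a host with both 6.0.9 and 6.0.12 installed still shows the older folder as vulnerable.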

These new vulnerability checks are included in Qualys vulnerability signature 2.5.650-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.

Selective Scan Instructions Using Qualys

To perform a selective vulnerability scan, configure a scan profile to use the following options:

  1. Ensure access to TCP ports 135 and 139 is available.
  2. Enable Windows Authentication (specify Authentication Records).
  3. Enable the following Qualys IDs:
    • 110421
    • 110422
    • 110423
    • 377824
    • 91961
    • 91962
    • 91963
    • 91964
    • 91965
    • 91966
    • 91967
  4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
  5. If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.

Technical Support

For more information, customers may contact Qualys Technical Support.

About Qualys

The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provide organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.