Microsoft Patch Tuesday May 2022: Edge RCE, PetitPotam LSA Spoofing, bad patches. Hello everyone! This episode will be about Microsoft Patch Tuesday for May 2022. Sorry for the delay, this month has been quite intense. As usual, I’m using my Vulristics project and going through not only the vulnerabilities that were presented on May 10th, but all the MS vulnerabilities presented by Microsoft since the previous Patch Tuesday, April 12th.
Microsoft Patch Tuesday March 2022. Hello everyone! I am glad to greet you from the most sanctioned country in the world. Despite all the difficulties, we carry on. I even have some time to release new episodes. This time it will be about Microsoft Patch Tuesday for March 2022.
I do the analysis as usual with my open source tool Vulristics. You can still download it on github. I hope that github won’t block Russian repositories and accounts, but for now it looks possible. Most likely, I will just start hosting the sources of my projects on avleonov.com in this case. Or on another domain, if it gets even tougher. Stay tuned.
Microsoft Patch Tuesday January 2022. Hello everyone! This episode will be about Microsoft Patch Tuesday for January 2022. Traditionally, I will use my open source Vulristics tool for analysis. This time I didn’t make any changes to how connectors work. The report generation worked correctly on the first try.
The only thing I have improved is the detection of types of vulnerabilities and vulnerable products. “Unknown Vulnerability Type” was for two vulnerabilities, so I added the “Elevation Of Privilege” и “Cross-Site Scripting” spelling options. I added detections for 13 products and 19 Windows components. I also corrected the method for sorting vulnerabilities with the same Vulristics score. Previously, such vulnerabilities were sorted by CVE id, now they are sorted by vulnerability type and product. This allows you to see the clusters of similar vulnerabilities.
Microsoft Patch Tuesday December 2021. Hello everyone! It’s even strange to talk about other vulnerabilities, while everyone is so focused on vulnerabilities in log4j. But life doesn’t stop. Other vulnerabilities appear every day. And of course, there are many critical ones among them that require immediate patching. This episode will be about Microsoft Patch Tuesday for December 2021.
I will traditionally use my open source Vulristics tool for analysis.
Vulristics: Microsoft Patch Tuesdays Q1 2021. Hello everyone! It has been 3 months since my last review of Microsoft vulnerabilities for Q4 2020. In this episode I want to review the Microsoft vulnerabilities for the first quarter of 2021. There will be 4 parts: January, February, March and the vulnerabilities that were released between the Patch Tuesdays.
I will be using the reports that I created with my Vulristics tool. This time I’ll try to make the episodes shorter. I will describe only the most critical vulnerabilities. Links to the full reports are at the bottom of the blog post.
Microsoft Patch Tuesday July 2020: my new open source project Vulristics, DNS SIGRed, RDP Client and SharePoint. I am doing this episode about July vulnerabilities already in August. There are 2 reasons for this. First of all, July Microsoft Patch Tuesday was published in the middle of the month, as late as possible. Secondly, in the second half of July I spent my free time mostly on coding. And I would like to talk more about this.
Vulristics
I decided to release my Microsoft Patch Tuesday reporting tool as part of a larger open source project (github). I named it Vulristics (from “Vulnerability” and “Heuristics”). I want this to be an extensible framework for analyzing publicly available information about vulnerabilities.
Let’s say we have a vulnerability ID (CVE ID) and we need to decide whether it is really critical or not. We will probably go to some vulnerability databases (NVD, CVE page on the Microsoft website, Vulners.com, etc.) and somehow analyze the descriptions and parameters. Right? Such analysis can be quite complex and not so obvious. My idea is to formalize it and make it shareable. It may not be the most efficient way to process data, but it should reflect real human experience, the things that real vulnerability analysts do. This is the main goal.
Microsoft Patch Tuesday February 2020. IMHO, these are the two most interesting vulnerabilities in a recent Microsoft Patch Tuesday February 2020:
Mysterious Windows RCE CVE-2020-0662. “To exploit the vulnerability, an attacker who has a domain user account could create a specially crafted request, causing Windows to execute arbitrary code with elevated permissions.” Without needing to directly log in to the affected device!
Microsoft Exchange server seizure CVE-2020-0688. By sending a malicious email message the attacker can run commands on a vulnerable Exchange server as the system user (and monitor email communications). “the attacker could completely take control of an Exchange server through a single e-mail”.
There were also RCEs in Remote Desktop (Client and Service), a third attempt to fix RCEs in Internet Explorer, Elevation of Privilege, etc. But all this stuff we see in almost every Patch Tuesday and without fully functional exploits it’s not really interesting. ?
Read the full reviews in Tenable and Zero Day Initiative blogs.
This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.
