Microsoft’s Patch Tuesday release includes fixes for critical vulnerabilities in Exchange Server, and the VP9 and HEVC video extensions, all of which can be exploited remotely.
The Exchange Server bug, CVE-2022-23277, was discovered by Markus Wulftange of German company Code White.
While it requires an authenticated attacker, the bug is remotely exploitable.
“The attacker could attempt to trigger malicious code in the context of the server's account through a network call," Microsoft said in an advisory.
The affected versions are Exchange Server 2013, 2016 and 2019.
The VP9 Video Extensions bug, CVE-2022-24501, can be exploited if an attacker tricks their victim into opening a malicious video file. The attacker can then execute arbitrary code on the target system.
Milan Kyselica of IstroSec discovered the bug.
Microsoft will auto-update VP9, or users can update immediately to version 1.0.42791.0.
The bug in HEVC Video Extensions, CVE-2022-22006, is also remotely exploitable via a crafted file.
If the app was pre-installed by a device manufacturer, package versions 1.0.50361.0 and later are patched; if the app was purchased from the Microsoft Store, package versions 1.0.50362.0 and later are patched.
Mandiant’s Dhanesh Kizhakkinan and Kunlun Labs’ Azure Yang discovered this bug.
These, and the other 69 lower-rated patches covered in yesterday’s release, are listed here.