March 2022 Patch Tuesday: Microsoft fixes RCEs in RDP client, Exchange Server


The flaw would allow an authenticated attacker to use a network call to execute their code with elevated privileges. This is also categorised as low complexity, with exploitation more likely; thus, despite the authentication requirement, I wouldn't be surprised to see this flaw exploited in the wild soon.

CVE-2022-22006 and CVE-2022-24501, two RCEs in the HEVC and VP9 Video Extensions (respectively), may be critical because of their effect, but updates for these apps are pushed out automatically by the Microsoft Store, so customers don’t have to patch them manually, provided the Microsoft Store’s automatic updates haven’t been disabled.
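To check that condition on a given machine, the following PowerShell audit (an added example, not from the article or from Microsoft) reports the installed versions of both extensions and whether Store auto-updates are turned off by Group Policy. The package name patterns and the policy value `AutoDownload = 2` are assumptions about how these apps and that policy appear on Windows, and the minimum versions are placeholders to be replaced with the values from the advisories.

```powershell
# Added example. Run elevated: Get-AppxPackage -AllUsers needs admin rights.
# Min versions are PLACEHOLDERS: replace with the fixed versions from the advisories.
$targets = @(
    @{ Pattern = 'Microsoft.HEVCVideoExtension*'; Cve = 'CVE-2022-22006'; Min = [version]'0.0.0.0' }
    @{ Pattern = 'Microsoft.VP9VideoExtensions*'; Cve = 'CVE-2022-24501'; Min = [version]'0.0.0.0' }
)

# Assumption: the "Turn off Automatic Download and Install of updates" policy
# writes AutoDownload = 2 here. Per-user Store settings are not covered.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
$policy = Get-ItemProperty -Path $policyKey -Name AutoDownload -ErrorAction SilentlyContinue
$autoUpdateOff = ($null -ne $policy) -and ($policy.AutoDownload -eq 2)

$report = foreach ($t in $targets) {
    $found = @(Get-AppxPackage -AllUsers -Name $t.Pattern -ErrorAction SilentlyContinue)
    if ($found.Count -eq 0) {
        # Extension absent: nothing to patch for this CVE on this host.
        [pscustomobject]@{ Cve = $t.Cve; Package = $t.Pattern; Version = $null; Status = 'not installed' }
        continue
    }
    foreach ($pkg in $found) {
        $current = [version]$pkg.Version
        $status =
            if ($current -ge $t.Min) { 'at or above minimum' }
            elseif ($autoUpdateOff)  { 'OUTDATED, auto-update disabled by policy: update manually' }
            else                     { 'outdated, Store update pending' }
        [pscustomobject]@{
            Cve     = $t.Cve
            Package = $pkg.Name
            Version = $current
            Status  = $status
        }
    }
}

$report | Format-Table -AutoSize
"Store auto-update disabled by policy: $autoUpdateOff"
```

Until the placeholder versions are replaced, every installed package reports as at or above the minimum, so only the policy line and the version column are meaningful.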

