Microsoft has recently published advisories for multiple security vulnerabilities: 72 in Microsoft's own products and 2 third-party vulnerabilities that affect Microsoft products. These include an OpenSSL Buffer Error Vulnerability (CNNVD-202108-1945, CVE-2021-3711) and a Microsoft Windows Media Foundation Permission and Access Control Vulnerability (CNNVD-202108-841, CVE-2021-36927), among others. An attacker who successfully exploits these vulnerabilities could execute arbitrary code on the target system, obtain user data, or escalate privileges. Multiple Microsoft products and systems are affected. Microsoft has already released patches for these vulnerabilities; users are advised to promptly confirm whether they are affected and apply the fixes as soon as possible.
I. Vulnerability Overview
On March 9, 2022, Microsoft released its March 2022 security update, containing patches for 74 vulnerabilities, all of which CNNVD has catalogued. The update primarily covers Microsoft Windows and Windows components, Microsoft Skype Extension for Chrome, Microsoft Windows CD-ROM Driver, Microsoft HEIF Image Extensions, Microsoft Office Visio, Microsoft Windows Fastfat Driver and others. CNNVD has rated their severity as follows: 1 critical, 52 high, 19 medium and 2 low. Multiple Microsoft products and system versions are affected; the specific scope of impact can be checked at
https://portal.msrc.microsoft.com/zh-cn/security-guidance.
II. Vulnerability Details
This update includes patches for 72 vulnerabilities in Microsoft's own products: 52 rated high, 18 rated medium and 2 rated low.
| No. | Vulnerability Name | CNNVD ID | CVE ID | Severity | Official Link |
| --- | --- | --- | --- | --- | --- |
| 1 | Microsoft Windows Media Foundation Permission and Access Control Vulnerability | CNNVD-202108-841 | CVE-2021-36927 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36927 |
| 2 | Microsoft Dynamics Code Injection Vulnerability | CNNVD-202202-696 | CVE-2022-21957 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21957 |
| 3 | Microsoft XBox Permission and Access Control Vulnerability | CNNVD-202203-695 | CVE-2022-21967 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21967 |
| 4 | Microsoft Remote Desktop Client Code Injection Vulnerability | CNNVD-202203-691 | CVE-2022-21990 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21990 |
| 5 | Microsoft HEVC Video Extensions Code Injection Vulnerability | CNNVD-202203-734 | CVE-2022-22006 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22006 |
| 6 | Microsoft HEVC Video Extensions Code Injection Vulnerability | CNNVD-202203-732 | CVE-2022-22007 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22007 |
| 7 | Microsoft Defender for IoT Code Injection Vulnerability | CNNVD-202203-751 | CVE-2022-23265 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23265 |
| 8 | Microsoft Defender Permission and Access Control Vulnerability | CNNVD-202203-753 | CVE-2022-23266 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23266 |
| 9 | Microsoft Exchange Server Code Injection Vulnerability | CNNVD-202203-708 | CVE-2022-23277 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23277 |
| 10 | Microsoft Paint 3D Code Injection Vulnerability | CNNVD-202203-711 | CVE-2022-23282 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23282 |
| 11 | Microsoft Windows ALPC Permission and Access Control Vulnerability | CNNVD-202203-682 | CVE-2022-23283 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23283 |
| 12 | Microsoft Windows Print Spooler Components Permission and Access Control Vulnerability | CNNVD-202203-685 | CVE-2022-23284 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23284 |
| 13 | Microsoft Remote Desktop Client Code Injection Vulnerability | CNNVD-202203-679 | CVE-2022-23285 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23285 |
| 14 | Microsoft Windows Cloud Files Mini Filter Driver Permission and Access Control Vulnerability | CNNVD-202203-681 | CVE-2022-23286 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23286 |
| 15 | Microsoft Windows ALPC Permission and Access Control Vulnerability | CNNVD-202203-680 | CVE-2022-23287 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23287 |
| 16 | Microsoft DWM Core Library Permission and Access Control Vulnerability | CNNVD-202203-678 | CVE-2022-23288 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23288 |
| 17 | Microsoft Windows COM Permission and Access Control Vulnerability | CNNVD-202203-687 | CVE-2022-23290 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23290 |
| 18 | Microsoft DWM Core Library Permission and Access Control Vulnerability | CNNVD-202203-683 | CVE-2022-23291 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23291 |
| 19 | Microsoft Windows Fastfat Driver Permission and Access Control Vulnerability | CNNVD-202203-675 | CVE-2022-23293 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23293 |
| 20 | Microsoft Windows Event Tracing Code Injection Vulnerability | CNNVD-202203-676 | CVE-2022-23294 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23294 |
| 21 | Microsoft Raw Image Extension Code Injection Vulnerability | CNNVD-202203-742 | CVE-2022-23295 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23295 |
| 22 | Microsoft Windows Installer Permission and Access Control Vulnerability | CNNVD-202203-677 | CVE-2022-23296 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23296 |
| 23 | Microsoft Windows NT OS Kernel Permission and Access Control Vulnerability | CNNVD-202203-674 | CVE-2022-23298 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23298 |
| 24 | Microsoft Windows PDEV Permission and Access Control Vulnerability | CNNVD-202203-671 | CVE-2022-23299 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23299 |
| 25 | Microsoft Raw Image Extension Code Injection Vulnerability | CNNVD-202203-741 | CVE-2022-23300 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23300 |
| 26 | Microsoft HEVC Video Extensions Code Injection Vulnerability | CNNVD-202203-731 | CVE-2022-23301 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23301 |
| 27 | Microsoft VP9 Video Extensions Code Injection Vulnerability | CNNVD-202203-760 | CVE-2022-24451 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24451 |
| 28 | Microsoft HEVC Video Extensions Code Injection Vulnerability | CNNVD-202203-737 | CVE-2022-24452 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24452 |
| 29 | Microsoft HEVC Video Extensions Code Injection Vulnerability | CNNVD-202203-733 | CVE-2022-24453 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24453 |
| 30 | Microsoft Windows Security Account Manager Permission and Access Control Vulnerability | CNNVD-202203-670 | CVE-2022-24454 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24454 |
| 31 | Microsoft Windows CD-ROM Driver Permission and Access Control Vulnerability | CNNVD-202203-672 | CVE-2022-24455 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24455 |
| 32 | Microsoft HEVC Video Extensions Code Injection Vulnerability | CNNVD-202203-738 | CVE-2022-24456 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24456 |
| 33 | Microsoft HEIF Image Extensions Code Injection Vulnerability | CNNVD-202203-764 | CVE-2022-24457 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24457 |
| 34 | Microsoft Windows Fax and Scan Service Permission and Access Control Vulnerability | CNNVD-202203-667 | CVE-2022-24459 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24459 |
| 35 | Microsoft Tablet Windows User Interface Permission and Access Control Vulnerability | CNNVD-202203-668 | CVE-2022-24460 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24460 |
| 36 | Microsoft Office Visio Code Injection Vulnerability | CNNVD-202203-727 | CVE-2022-24461 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24461 |
| 37 | Microsoft .NET Core and Microsoft Visual Studio Input Validation Error Vulnerability | CNNVD-202203-701 | CVE-2022-24464 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24464 |
| 38 | Microsoft Azure Site Recovery Code Injection Vulnerability | CNNVD-202203-725 | CVE-2022-24467 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24467 |
| 39 | Microsoft Azure Site Recovery Code Injection Vulnerability | CNNVD-202203-722 | CVE-2022-24468 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24468 |
| 40 | Microsoft Azure Site Recovery Permission and Access Control Vulnerability | CNNVD-202203-724 | CVE-2022-24469 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24469 |
| 41 | Microsoft Azure Site Recovery Code Injection Vulnerability | CNNVD-202203-720 | CVE-2022-24470 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24470 |
| 42 | Microsoft Azure Site Recovery Code Injection Vulnerability | CNNVD-202203-719 | CVE-2022-24471 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24471 |
| 43 | Microsoft VP9 Video Extensions Code Injection Vulnerability | CNNVD-202203-767 | CVE-2022-24501 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24501 |
| 44 | Microsoft Windows ALPC Permission and Access Control Vulnerability | CNNVD-202203-669 | CVE-2022-24505 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24505 |
| 45 | Microsoft Windows Ancillary Function Driver for WinSock Permission and Access Control Vulnerability | CNNVD-202203-665 | CVE-2022-24507 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24507 |
| 46 | Microsoft SMBv3 Code Injection Vulnerability | CNNVD-202203-661 | CVE-2022-24508 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24508 |
| 47 | Microsoft Office Visio Code Injection Vulnerability | CNNVD-202203-714 | CVE-2022-24509 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24509 |
| 48 | Microsoft Office Visio Code Injection Vulnerability | CNNVD-202203-713 | CVE-2022-24510 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24510 |
| 49 | Microsoft Azure Site Recovery Code Injection Vulnerability | CNNVD-202203-716 | CVE-2022-24517 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24517 |
| 50 | Microsoft Azure Site Recovery Code Injection Vulnerability | CNNVD-202203-718 | CVE-2022-24520 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24520 |
| 51 | Microsoft Skype Extension for Chrome Information Disclosure Vulnerability | CNNVD-202203-728 | CVE-2022-24522 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24522 |
| 52 | Microsoft Windows Update Permission and Access Control Vulnerability | CNNVD-202203-659 | CVE-2022-24525 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24525 |
| 53 | Microsoft Windows Media Input Validation Error Vulnerability | CNNVD-202203-697 | CVE-2022-21973 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21973 |
| 54 | Microsoft Hyper-V Input Validation Error Vulnerability | CNNVD-202203-693 | CVE-2022-21975 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21975 |
| 55 | Microsoft Windows Media Foundation Buffer Error Vulnerability | CNNVD-202203-689 | CVE-2022-22010 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22010 |
| 56 | Microsoft Windows Point-to-Point Tunneling Protocol Input Validation Error Vulnerability | CNNVD-202203-684 | CVE-2022-23253 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23253 |
| 57 | Microsoft Defender Security Vulnerability | CNNVD-202203-717 | CVE-2022-23278 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23278 |
| 58 | Microsoft Windows Common Log File System Driver Information Disclosure Vulnerability | CNNVD-202203-686 | CVE-2022-23281 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23281 |
| 59 | Microsoft NT LAN Manager Information Disclosure Vulnerability | CNNVD-202203-673 | CVE-2022-23297 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23297 |
| 60 | Microsoft Word Security Feature Issue Vulnerability | CNNVD-202203-726 | CVE-2022-24462 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24462 |
| 61 | Microsoft Exchange Server Information Disclosure Vulnerability | CNNVD-202203-700 | CVE-2022-24463 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24463 |
| 62 | Microsoft Windows HTML Platform Security Feature Issue Vulnerability | CNNVD-202203-664 | CVE-2022-24502 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24502 |
| 63 | Microsoft Remote Desktop Protocol Client Buffer Error Vulnerability | CNNVD-202203-666 | CVE-2022-24503 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24503 |
| 64 | Microsoft Azure Site Recovery Permission and Access Control Vulnerability | CNNVD-202203-715 | CVE-2022-24506 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24506 |
| 65 | Microsoft Word Input Validation Error Vulnerability | CNNVD-202203-710 | CVE-2022-24511 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24511 |
| 66 | Microsoft .NET Core and Microsoft Visual Studio Code Injection Vulnerability | CNNVD-202203-699 | CVE-2022-24512 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24512 |
| 67 | Microsoft Azure Site Recovery Permission and Access Control Vulnerability | CNNVD-202203-721 | CVE-2022-24515 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24515 |
| 68 | Microsoft Azure Site Recovery Permission and Access Control Vulnerability | CNNVD-202203-729 | CVE-2022-24518 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24518 |
| 69 | Microsoft Azure Site Recovery Permission and Access Control Vulnerability | CNNVD-202203-723 | CVE-2022-24519 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24519 |
| 70 | Microsoft Visual Studio Code Security Vulnerability | CNNVD-202203-730 | CVE-2022-24526 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24526 |
| 71 | Microsoft Windows Media Foundation Buffer Error Vulnerability | CNNVD-202203-692 | CVE-2022-21977 | Low | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21977 |
| 72 | Microsoft Intune Security Feature Issue Vulnerability | CNNVD-202203-773 | CVE-2022-24465 | Low | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24465 |
This update also includes patches for 2 third-party vulnerabilities that affect Microsoft products: 1 rated critical and 1 rated medium.
| No. | Vulnerability Name | CNNVD ID | CVE ID | Severity | Vendor | Official Link |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | OpenSSL Buffer Error Vulnerability | CNNVD-202108-1945 | CVE-2021-3711 | Critical | OpenSSL team | https://git.openssl.org/?p=openssl.git;a=summary |
| 2 | Google brotli Library Buffer Error Vulnerability | CNNVD-202009-910 | CVE-2020-8927 | Medium | | https://github.com/google/brotli/releases/tag/v1.0 |
III. Remediation Advice
Microsoft has released patches that fix the vulnerabilities listed above. Users are advised to promptly confirm whether they are affected and apply the fixes as soon as possible. Microsoft's official patch download address:
https://msrc.microsoft.com/update-guide/en-us
CNNVD will continue to track the status of the vulnerabilities above and publish related information in a timely manner. If needed, you can contact CNNVD at: cnnvdvul@itsec.gov.cn
Statement: This article is from CNNVD Security News, and the copyright belongs to the author. The content represents only the author's independent views and not the position of 安全内参; it is reproduced to share more information. In case of any infringement, please contact anquanneican@163.com.