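Microsoft recently published advisories for multiple security vulnerabilities: 72 in Microsoft's own products and 2 in other vendors' products that affect Microsoft products. They include the OpenSSL buffer error vulnerability (CNNVD-202108-1945, CVE-2021-3711) and the Microsoft Windows Media Foundation permissions and access control issues vulnerability (CNNVD-202108-841, CVE-2021-36927), among others. An attacker who successfully exploits these vulnerabilities can execute arbitrary code on the target system, obtain user data, escalate privileges, and so on. Multiple Microsoft products and systems are affected. Microsoft has released patches for these vulnerabilities; users are advised to confirm promptly whether they are affected and to apply the fixes as soon as possible.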

I. Vulnerability Overview

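On March 9, 2022, Microsoft released its March 2022 security updates, with patches for 74 vulnerabilities in total, all of which have been recorded by CNNVD. This update mainly covers Microsoft Windows and Windows components, Microsoft Skype Extension for Chrome, Microsoft Windows CD-ROM Driver, Microsoft HEIF Image Extensions, Microsoft Office Visio, Microsoft Windows Fastfat Driver, and others. CNNVD has rated their severity: 1 critical, 52 high, 19 medium, and 2 low. Multiple versions of Microsoft products and systems are affected; the specific scope of impact can be looked up at https://portal.msrc.microsoft.com/zh-cn/security-guidance.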

II. Vulnerability Details

This update includes patches for 72 vulnerabilities in total: 52 high, 18 medium, and 2 low.

| No. | Vulnerability name | CNNVD ID | CVE ID | Severity | Official link |
|---|---|---|---|---|---|
| 1 | Microsoft Windows Media Foundation Permissions and Access Control Issues Vulnerability | CNNVD-202108-841 | CVE-2021-36927 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36927 |
| 2 | Microsoft Dynamics Code Injection Vulnerability | CNNVD-202202-696 | CVE-2022-21957 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21957 |
| 3 | Microsoft XBox Permissions and Access Control Issues Vulnerability | CNNVD-202203-695 | CVE-2022-21967 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21967 |
| 4 | Microsoft Remote Desktop Client Code Injection Vulnerability | CNNVD-202203-691 | CVE-2022-21990 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21990 |
| 5 | Microsoft HEVC Video Extensions Code Injection Vulnerability | CNNVD-202203-734 | CVE-2022-22006 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22006 |
| 6 | Microsoft HEVC Video Extensions Code Injection Vulnerability | CNNVD-202203-732 | CVE-2022-22007 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22007 |
| 7 | Microsoft Defender for IoT Code Injection Vulnerability | CNNVD-202203-751 | CVE-2022-23265 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23265 |
| 8 | Microsoft Defender Permissions and Access Control Issues Vulnerability | CNNVD-202203-753 | CVE-2022-23266 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23266 |
| 9 | Microsoft Exchange Server Code Injection Vulnerability | CNNVD-202203-708 | CVE-2022-23277 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23277 |
| 10 | Microsoft Paint 3D Code Injection Vulnerability | CNNVD-202203-711 | CVE-2022-23282 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23282 |
| 11 | Microsoft Windows ALPC Permissions and Access Control Issues Vulnerability | CNNVD-202203-682 | CVE-2022-23283 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23283 |
| 12 | Microsoft Windows Print Spooler Components Permissions and Access Control Issues Vulnerability | CNNVD-202203-685 | CVE-2022-23284 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23284 |
| 13 | Microsoft Remote Desktop Client Code Injection Vulnerability | CNNVD-202203-679 | CVE-2022-23285 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23285 |
| 14 | Microsoft Windows Cloud Files Mini Filter Driver Permissions and Access Control Issues Vulnerability | CNNVD-202203-681 | CVE-2022-23286 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23286 |
| 15 | Microsoft Windows ALPC Permissions and Access Control Issues Vulnerability | CNNVD-202203-680 | CVE-2022-23287 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23287 |
| 16 | Microsoft DWM Core Library Permissions and Access Control Issues Vulnerability | CNNVD-202203-678 | CVE-2022-23288 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23288 |
| 17 | Microsoft Windows COM Permissions and Access Control Issues Vulnerability | CNNVD-202203-687 | CVE-2022-23290 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23290 |
| 18 | Microsoft DWM Core Library Permissions and Access Control Issues Vulnerability | CNNVD-202203-683 | CVE-2022-23291 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23291 |
| 19 | Microsoft Windows Fastfat Driver Permissions and Access Control Issues Vulnerability | CNNVD-202203-675 | CVE-2022-23293 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23293 |
| 20 | Microsoft Windows Event Tracing Code Injection Vulnerability | CNNVD-202203-676 | CVE-2022-23294 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23294 |
| 21 | Microsoft Raw Image Extension Code Injection Vulnerability | CNNVD-202203-742 | CVE-2022-23295 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23295 |
| 22 | Microsoft Windows Installer Permissions and Access Control Issues Vulnerability | CNNVD-202203-677 | CVE-2022-23296 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23296 |
| 23 | Microsoft Windows NT OS Kernel Permissions and Access Control Issues Vulnerability | CNNVD-202203-674 | CVE-2022-23298 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23298 |
| 24 | Microsoft Windows PDEV Permissions and Access Control Issues Vulnerability | CNNVD-202203-671 | CVE-2022-23299 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23299 |
| 25 | Microsoft Raw Image Extension Code Injection Vulnerability | CNNVD-202203-741 | CVE-2022-23300 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23300 |
| 26 | Microsoft HEVC Video Extensions Code Injection Vulnerability | CNNVD-202203-731 | CVE-2022-23301 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23301 |
| 27 | Microsoft VP9 Video Extensions Code Injection Vulnerability | CNNVD-202203-760 | CVE-2022-24451 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24451 |
| 28 | Microsoft HEVC Video Extensions Code Injection Vulnerability | CNNVD-202203-737 | CVE-2022-24452 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24452 |
| 29 | Microsoft HEVC Video Extensions Code Injection Vulnerability | CNNVD-202203-733 | CVE-2022-24453 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24453 |
| 30 | Microsoft Windows Security Account Manager Permissions and Access Control Issues Vulnerability | CNNVD-202203-670 | CVE-2022-24454 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24454 |
| 31 | Microsoft Windows CD-ROM Driver Permissions and Access Control Issues Vulnerability | CNNVD-202203-672 | CVE-2022-24455 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24455 |
| 32 | Microsoft HEVC Video Extensions Code Injection Vulnerability | CNNVD-202203-738 | CVE-2022-24456 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24456 |
| 33 | Microsoft HEIF Image Extensions Code Injection Vulnerability | CNNVD-202203-764 | CVE-2022-24457 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24457 |
| 34 | Microsoft Windows Fax and Scan Service Permissions and Access Control Issues Vulnerability | CNNVD-202203-667 | CVE-2022-24459 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24459 |
| 35 | Microsoft Tablet Windows User Interface Permissions and Access Control Issues Vulnerability | CNNVD-202203-668 | CVE-2022-24460 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24460 |
| 36 | Microsoft Office Visio Code Injection Vulnerability | CNNVD-202203-727 | CVE-2022-24461 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24461 |
| 37 | Microsoft .NET Core and Microsoft Visual Studio Input Validation Error Vulnerability | CNNVD-202203-701 | CVE-2022-24464 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24464 |
| 38 | Microsoft Azure Site Recovery Code Injection Vulnerability | CNNVD-202203-725 | CVE-2022-24467 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24467 |
| 39 | Microsoft Azure Site Recovery Code Injection Vulnerability | CNNVD-202203-722 | CVE-2022-24468 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24468 |
| 40 | Microsoft Azure Site Recovery Permissions and Access Control Issues Vulnerability | CNNVD-202203-724 | CVE-2022-24469 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24469 |
| 41 | Microsoft Azure Site Recovery Code Injection Vulnerability | CNNVD-202203-720 | CVE-2022-24470 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24470 |
| 42 | Microsoft Azure Site Recovery Code Injection Vulnerability | CNNVD-202203-719 | CVE-2022-24471 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24471 |
| 43 | Microsoft VP9 Video Extensions Code Injection Vulnerability | CNNVD-202203-767 | CVE-2022-24501 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24501 |
| 44 | Microsoft Windows ALPC Permissions and Access Control Issues Vulnerability | CNNVD-202203-669 | CVE-2022-24505 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24505 |
| 45 | Microsoft Windows Ancillary Function Driver for WinSock Permissions and Access Control Issues Vulnerability | CNNVD-202203-665 | CVE-2022-24507 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24507 |
| 46 | Microsoft SMBv3 Code Injection Vulnerability | CNNVD-202203-661 | CVE-2022-24508 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24508 |
| 47 | Microsoft Office Visio Code Injection Vulnerability | CNNVD-202203-714 | CVE-2022-24509 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24509 |
| 48 | Microsoft Office Visio Code Injection Vulnerability | CNNVD-202203-713 | CVE-2022-24510 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24510 |
| 49 | Microsoft Azure Site Recovery Code Injection Vulnerability | CNNVD-202203-716 | CVE-2022-24517 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24517 |
| 50 | Microsoft Azure Site Recovery Code Injection Vulnerability | CNNVD-202203-718 | CVE-2022-24520 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24520 |
| 51 | Microsoft Skype Extension for Chrome Information Disclosure Vulnerability | CNNVD-202203-728 | CVE-2022-24522 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24522 |
| 52 | Microsoft Windows Update Permissions and Access Control Issues Vulnerability | CNNVD-202203-659 | CVE-2022-24525 | High | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24525 |
| 53 | Microsoft Windows Media Input Validation Error Vulnerability | CNNVD-202203-697 | CVE-2022-21973 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21973 |
| 54 | Microsoft Hyper-V Input Validation Error Vulnerability | CNNVD-202203-693 | CVE-2022-21975 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21975 |
| 55 | Microsoft Windows Media Foundation Buffer Error Vulnerability | CNNVD-202203-689 | CVE-2022-22010 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22010 |
| 56 | Microsoft Windows Point-to-Point Tunneling Protocol Input Validation Error Vulnerability | CNNVD-202203-684 | CVE-2022-23253 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23253 |
| 57 | Microsoft Defender Security Vulnerability | CNNVD-202203-717 | CVE-2022-23278 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23278 |
| 58 | Microsoft Windows Common Log File System Driver Information Disclosure Vulnerability | CNNVD-202203-686 | CVE-2022-23281 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23281 |
| 59 | Microsoft NT LAN Manager Information Disclosure Vulnerability | CNNVD-202203-673 | CVE-2022-23297 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23297 |
| 60 | Microsoft Word Security Features Issue Vulnerability | CNNVD-202203-726 | CVE-2022-24462 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24462 |
| 61 | Microsoft Exchange Server Information Disclosure Vulnerability | CNNVD-202203-700 | CVE-2022-24463 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24463 |
| 62 | Microsoft Windows HTML Platform Security Features Issue Vulnerability | CNNVD-202203-664 | CVE-2022-24502 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24502 |
| 63 | Microsoft Remote Desktop Protocol Client Buffer Error Vulnerability | CNNVD-202203-666 | CVE-2022-24503 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24503 |
| 64 | Microsoft Azure Site Recovery Permissions and Access Control Issues Vulnerability | CNNVD-202203-715 | CVE-2022-24506 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24506 |
| 65 | Microsoft Word Input Validation Error Vulnerability | CNNVD-202203-710 | CVE-2022-24511 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24511 |
| 66 | Microsoft .NET Core and Microsoft Visual Studio Code Injection Vulnerability | CNNVD-202203-699 | CVE-2022-24512 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24512 |
| 67 | Microsoft Azure Site Recovery Permissions and Access Control Issues Vulnerability | CNNVD-202203-721 | CVE-2022-24515 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24515 |
| 68 | Microsoft Azure Site Recovery Permissions and Access Control Issues Vulnerability | CNNVD-202203-729 | CVE-2022-24518 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24518 |
| 69 | Microsoft Azure Site Recovery Permissions and Access Control Issues Vulnerability | CNNVD-202203-723 | CVE-2022-24519 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24519 |
| 70 | Microsoft Visual Studio Code Security Vulnerability | CNNVD-202203-730 | CVE-2022-24526 | Medium | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24526 |
| 71 | Microsoft Windows Media Foundation Buffer Error Vulnerability | CNNVD-202203-692 | CVE-2022-21977 | Low | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21977 |
| 72 | Microsoft Intune Security Features Issue Vulnerability | CNNVD-202203-773 | CVE-2022-24465 | Low | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24465 |

This update also includes patches for 2 vulnerabilities in other vendors' products that affect Microsoft products: 1 critical and 1 medium.

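| No. | Vulnerability name | CNNVD ID | CVE ID | Severity | Vendor | Official link |
|---|---|---|---|---|---|---|
| 1 | OpenSSL Buffer Error Vulnerability | CNNVD-202108-1945 | CVE-2021-3711 | Critical | OpenSSL team | https://git.openssl.org/?p=openssl.git;a=summary |
| 2 | Google brotli Library Buffer Error Vulnerability | CNNVD-202009-910 | CVE-2020-8927 | Medium | Google | https://github.com/google/brotli/releases/tag/v1.0 |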

III. Remediation Recommendations

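Microsoft has released patches that fix the vulnerabilities listed above. Users are advised to confirm promptly whether they are affected and to apply the fixes as soon as possible. Microsoft's official patch download address: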

https://msrc.microsoft.com/update-guide/en-us

CNNVD will continue to track these vulnerabilities and publish related information promptly. If needed, CNNVD can be contacted at: cnnvdvul@itsec.gov.cn

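Statement: This article comes from CNNVD安全动态 (CNNVD Security Updates); copyright belongs to the author. The content represents only the author's independent views and does not represent the position of 安全内参; it is reposted to share more information. In case of infringement, please contact anquanneican@163.com.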