Microsoft patches 51 vulnerabilities on Patch Tuesday with no critical bugs

Microsoft has fixed 51 vulnerabilities in Windows, Office, Edge and other software during the monthly Patch Tuesday. This included a zero day, but it is striking that no vulnerability was given a ‘critical’ rating.

During the monthly Patch Tuesday, KB5010386 for Windows 11 and KB5010342 for Windows 10 were released. Microsoft writes that patches have been released for a total of 51 bugs. These are in Windows, Azure, Edge, Office and Visual Studio Code, but also in Components, Azure, Kestrel Web Server, the Codes library, Dynamics and Hyper-V Server. 51 vulnerabilities is a remarkably low number for a Patch Tuesday, which has recently seen record numbers of bug fixes.

Even more striking is that none of the CVEs that have been fixed receive a “critical” rating. Nearly all vulnerabilities have been rated ‘important’, but there are also many vulnerabilities that have not been rated at all. It almost never happens that there are no critical bugs. Most Patch Tuesdays fix a few serious or critical vulnerabilities.

One of the vulnerabilities that was fixed was a zero day. That’s a leak, details of which have been disclosed prior to the patch cycle. It concerns CVE-2022-21989, a privilege escalation in the kernel. According to Microsoft, that leak was not exploited to the best of our knowledge.

Other notable bugs include CVE-2022-21984, which allowed remote code execution in Windows DNS Server, and CVE-2022-21995, which allowed an attacker to escape a Hyper-V environment.