A week after Microsoft announced the Windows Autopatch feature and declared that, come July, the tradition of Patch Tuesday will end, it’s Patch Tuesday again, and the company has issued more than 100 security fixes for software that resolve critical issues, including two zero-day vulnerabilities.
Microsoft released 128 new patches addressing vulnerabilities affecting Microsoft Windows and Windows components, Microsoft Defender and Defender for Endpoint, Microsoft Dynamics, Microsoft Edge (Chromium-based), Exchange Server, Office and Office components, SharePoint Server, Windows Hyper-V, DNS Server, Skype for Business, .NET and Visual Studio, Windows App Store and Windows Print Spooler components.
In total, Microsoft identified 145 vulnerabilities, including 17 Microsoft Edge vulnerabilities, in the April 2022 update. Ten are classified as “critical” because they allow remote code execution.
This Patch Tuesday release also includes fixes for two zero-day vulnerabilities. One, tracked as CVE-2022-24521, is known to be actively exploited, and the other, tracked as CVE-2022-26904, is known to be publicly exposed.
Tuesday’s update fixes vulnerabilities including numerous privilege escalation flaws, remote code execution exploits, spoofing issues, denial-of-service, security feature bypass and information disclosure, as well as Edge Chromium vulnerabilities, according to the patch update statement.
“Of the 128 new CVEs released today, 10 are rated Critical, 115 are rated Important, and three are rated Moderate in severity. A total of six of these bugs came through the ZDI program. This large volume of patches hasn’t been seen since the fall of 2020,” says Dustin Childs, a security analyst for Zero Day Initiative, which is run by cybersecurity firm Trend Micro. Childs adds that “this level is similar to what we saw in the first quarter of last year.”
Notable Critical Vulnerabilities
CVE-2022-26809 is a Remote Procedure Call runtime library remote code execution vulnerability. The bug, which has a CVSS score of 9.8, or critical, allows a remote attacker to execute code at high privileges on an affected system.
“Since no user interaction is required, these factors combine to make this wormable, at least between the machine where RPC can be reached. However, the static port used here – TCP port 135 – is typically blocked at the network perimeter. Still, this bug could be used for lateral movement by an attacker. Definitely test and deploy this one quickly,” Childs says.
Microsoft offers mitigations for this vulnerability, which include blocking TCP port 445 at the enterprise perimeter firewall and following the company’s guidelines to secure SMB traffic.
CVE-2022-24491 and CVE-2022-24497
CVE-2022-24491 and CVE-2022-24497 are both Windows Network File System remote code execution vulnerabilities that received a CVSS score of 9.8.
“An attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution. This vulnerability is only exploitable for systems that have the NFS role enabled,” Debra M. Fezza Reed, solutions architect at Qualys, tells Information Security Media Group.
“Similar to RPC, this is often blocked at the network perimeter,” Childs says. Microsoft provides guidance on how the RPC port multiplexer – port 2049 – is firewall-friendly and simplifies the deployment of NFS, he adds.
CVE-2022-26815 is a Windows DNS Server remote code execution vulnerability.
Childs says it is the most severe of the 18 DNS Server bugs receiving patches this month and “is very similar to one patched back in February, which makes one wonder if this bug is the result of a failed patch.” He says dynamic updates must be enabled for a server to be affected by CVE-2022-26815, but it’s still crucial to patch the flaw.
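The exposure conditions cited above (TCP 135/445 reachability for the RPC bug, the NFS role for the NFS bugs, dynamic updates for the DNS Server bug) lend themselves to a quick per-host triage. The following PowerShell script is an added example for this article, not code from ISMG, Microsoft or the quoted researchers; it assumes Windows Server with the ServerManager, DnsServer and NetSecurity modules available where the corresponding role is installed, and it assumes the April 2022 Patch Tuesday date of 2022-04-12 as the cutoff for "has the update landed yet".

```powershell
# Added example: host-side exposure triage for the April 2022 items discussed above.
# Assumptions: Windows Server, run elevated; Get-WindowsFeature and Get-DnsServerZone
# exist only where the relevant role/module is present, so each check degrades gracefully.

$report = [ordered]@{}

# 1. RPC runtime (CVE-2022-26809): TCP 135 and 445 are normally blocked at the perimeter.
#    The host firewall is not the perimeter, but enabled inbound allow rules for those
#    ports show whether this host additionally exposes them on the local segment.
$rpcSmbPorts = @('135', '445')
$allowRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
    Where-Object {
        $ports = @($_ | Get-NetFirewallPortFilter | Select-Object -ExpandProperty LocalPort)
        @($ports | Where-Object { $rpcSmbPorts -contains $_ }).Count -gt 0
    } |
    Select-Object -ExpandProperty DisplayName
$report['InboundAllowRules_TCP135_445'] = if ($allowRules) { $allowRules -join '; ' } else { '(none)' }

# 2. NFS (CVE-2022-24491 / CVE-2022-24497): only exploitable if the NFS role is enabled.
#    'FS-NFS-Service' is the "Server for NFS" feature name.
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $nfs = Get-WindowsFeature -Name FS-NFS-Service -ErrorAction SilentlyContinue
    $report['NFSRoleInstalled'] = [bool]($nfs -and $nfs.Installed)
} else {
    $report['NFSRoleInstalled'] = 'n/a (ServerManager module not present)'
}

# 3. DNS Server (CVE-2022-26815): dynamic updates must be enabled for a server to be affected.
#    List primary, non-auto-created zones whose DynamicUpdate setting is anything but None.
if (Get-Command Get-DnsServerZone -ErrorAction SilentlyContinue) {
    $dynZones = Get-DnsServerZone -ErrorAction SilentlyContinue |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and $_.DynamicUpdate -ne 'None' } |
        ForEach-Object { "$($_.ZoneName) [$($_.DynamicUpdate)]" }
    $report['DnsZonesWithDynamicUpdate'] = if ($dynZones) { $dynZones -join '; ' } else { '(none)' }
} else {
    $report['DnsZonesWithDynamicUpdate'] = 'n/a (DnsServer module not present)'
}

# 4. Has any update been installed since the April 2022 Patch Tuesday? This is a coarse
#    signal only; verify the exact cumulative update for the build against Microsoft's catalogue.
$patchTuesday = [datetime]'2022-04-12'   # assumed release date of this update
$latest = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
$report['LatestHotfixInstalledOn'] = if ($latest) { $latest.InstalledOn.ToString('yyyy-MM-dd') } else { '(unknown)' }
$report['UpdatedSinceAprilPatchTuesday'] = [bool]($latest -and $latest.InstalledOn -ge $patchTuesday)

[pscustomobject]$report | Format-List
```

Run it once per server from an elevated session and feed the output into the patch-prioritisation list: a host with the NFS role, writable dynamic-update zones, or inbound 135/445 allow rules and no update since 2022-04-12 belongs at the front of the queue. The checks narrow the exposed population; they do not replace applying the fixes.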
CVE-2022-24521 is an elevation of privilege vulnerability in Windows Common Log File System Driver affecting all Windows Operating System versions. Tyler Reguly, manager of security research and development at Tripwire, tells ISMG that the vulnerability was not previously publicly disclosed, and Microsoft is now reporting that it has seen active exploitation of this vulnerability in the wild.
“The vulnerability can lead to elevation of privilege by exploiting a flaw in the Windows Common Log File System driver. CLFS is a general-purpose logging service that can be used by both user and kernel-mode software. Patches have been released for CLFS monthly since September 2021 with only one exception – November 2021. From September 2021 until today, we have seen 18 vulnerabilities patched within CLFS,” Reguly says.
The other zero-day vulnerability resolved is a publicly disclosed vulnerability tracked as CVE-2022-26904, which is an elevation of privilege vulnerability in Windows User Profile Service.
A publicly disclosed vulnerability is one for which enough information was made public before, or at the same time as, the patch was released. That head start lets a threat actor build a weaponized exploit faster than defenders can deploy the fix.
“This vulnerability affects all Windows operating system versions,” Childs says.