July Patch Tuesday Fixes 1 Zero-Day, 84 FlawsMicrosoft Also Officially Launches Windows Autopatch
Microsoft's newest bundle of patches includes a fix for a zero-day vulnerability actively exploited in the wild that allows hackers to elevate their system privileges.
The operating system giant's latest series of monthly fixes includes patches for 84 vulnerabilities, of which four are "critical" and the rest "important." This newest Patch Tuesday fixes vulnerabilities including privilege escalation flaws, remote code execution exploits, denial of service, security feature bypass and information disclosure, as well as Edge Chromium vulnerabilities.
"Top of the list for this month's 'patch-me-first' list has to be CVE-2022-22047," says Kev Breen, director of cyberthreat research at Immersive Labs.
The vulnerability exploits a bug in Windows client-server runtime subsystem elevation of privilege vulnerability that could let attackers gain access to the system privileges.
The client server runtime subsystem is an important part of the Windows operating system and is responsible for the graphical subsystem, including managing windows, drawing things on the screen and other related operating system functions.
Breen says this kind of vulnerability is typically exploitable after a target has already been compromised. But once elevated into system privileges, attackers could disable local services such as endpoint detection and security tools.
With system-level access, they can also deploy tools such as Mimikatz, "which can be used to recover even more admin and domain-level accounts, spreading the threat quickly," Breen tells Information Security Media Group. The vulnerability has a CVSS score of 7.8.
This patch release is the first to arrive after the Microsoft's much ballyhooed rollout of automated updating but Autopatch is mainly a way for enterprises using the company's cloud infrastructure for system administration to reach parity with their counterparts who have on-premises update servers.
In all, the patch drop addresses vulnerabilities in Microsoft Windows and Windows Components, Windows Azure components, Microsoft Defender for Endpoint, Microsoft Edge - Chromium-based, Office and Office Components, Windows BitLocker, Windows Hyper-V, Skype for Business and Microsoft Lync, Open-Source Software and Xbox.
Office Macros Live Another Day
Bugs of the type patched this month often are exploited via a malicious macro embedded in an Office document, writes Dustin Childs of TrendMicro's Zero Day Initiative.
"Which is why so many were disheartened to hear Microsoft’s delay in blocking all Office macros by default," Childs adds, alluding to Microsoft's about-face earlier this month on a decision to block macros by default on downloaded documents.
Macros are a favored method for hackers to gain control of machines. Just months ago, Ukrainian cybersecurity officials detected an attack using macros that attempted the "mass contamination of information resources of public authorities." In 2020, Microsoft warned of a phishing campaign using macros embedded in Excel spreadsheets.
Microsoft says it's still on track to be more aggressive with macros, pending "additional changes to enhance usability."
One of the key vulnerabilities in this Patch Tuesday is tracked as CVE-2022-22029, a Window Network File System remote code execution vulnerability with a CVSS score of 8.1.
Childs says this is the third month in a row that a critical-rated NFS bug is on the list. "While this one has a lower CVSS than the previous ones, it could still allow a remote, unauthenticated attacker to execute their code on an affected system with no user interaction," Childs writes.
"Microsoft says multiple exploit attempts may be required to do this, but unless you are specifically auditing for this, you may not notice. If you’re running NFS, make sure you don't ignore this patch."
Microsoft also addressed CVE-2022-22038, a remote procedure call runtime remote code execution vulnerability with a CVSS score of 8.1. The vulnerability has been rated critical; it allows a remote attacker to exploit code on an affected system.
"While not specified in the bulletin, the presumption is that the code execution would occur at elevated privileges. Combine these attributes and you end up with a potentially wormable bug. Microsoft states the attack complexity is high since an attacker would need to make 'repeated exploitation attempts' to take advantage of this bug, but again unless you are actively blocking RPC activity, you may not see these attempts," Childs says.
Vulnerabilities Addressed in Azure Site Recovery
Microsoft also resolved 33 vulnerabilities in Azure Site Recovery that could allow remote code execution, elevation of privilege or information disclosure.
"None are publicly disclosed or exploited and all are rated as important. To successfully exploit, an attacker must compromise admin credentials on one of the VMs associated with the configuration server or be an authenticated user logged on to the vulnerable system, depending on which of the 33 CVEs is being exploited," says Chris Goettl, vice president of product management at IT and security automation services provider Ivanti.
That doesn't mean there's no reason for concern, Goettl says. The high number of vulnerabilities being patched means they were identified by several independent researchers and anonymous parties. As a result, the knowledge of how to exploit these vulnerabilities is broadly distributed.