
Patch Day: Microsoft closes 0-day gap in Windows






Microsoft fixed a total of 84 vulnerabilities on July's Update Tuesday. These include four vulnerabilities that Microsoft classifies as critical and one 0-day vulnerability.

On Patch Day, July 12, Microsoft released a number of updates that fix 84 vulnerabilities. This is again significantly more than in the previous month. Microsoft classifies four vulnerabilities as critical and rates the rest as high risk. The gaps affect Windows, Office and, last but not least, Azure. One vulnerability (CVE-2022-22047) is already being used for attacks. Microsoft offers only sparse details on the vulnerabilities, which you can look up yourself in the Security Update Guide. Dustin Childs presents the topic of Update Tuesday much more clearly in the Trend Micro ZDI blog, always with an eye on admins who look after company networks.

Browsers

The most recent security update for Edge (Chromium) is version 103.0.1245.41 from July 6th. It is based on Chromium 103.0.5060.114 and fixes several Chromium vulnerabilities, including a 0-day vulnerability. Google released a corresponding security update for Chrome on July 4th.

Office

In July, Microsoft closed two vulnerabilities in its Office products, both of which are classified as high risk. One of the vulnerabilities (CVE-2022-33633) is suitable for injecting and executing code (RCE: Remote Code Execution). It affects Skype for Business and Lync. The second vulnerability (CVE-2022-33632) can be used to bypass security mechanisms when opening crafted Office documents (SFB: Security Feature Bypass).

Windows

The majority of vulnerabilities, 49 this month, are spread across the various versions of Windows (8.1 and newer) for which Microsoft still offers security updates to everyone. Windows 7 and Server 2008 R2 are still mentioned in the security reports, but only organizations participating in the paid ESU program will receive updates.

Under fire

According to Microsoft, the CVE-2022-22047 vulnerability in the Windows CSRSS (Client/Server Runtime Sub-System) of all Windows versions, including Server, is already being used for attacks. An attacker who exploits this vulnerability can gain system privileges. Microsoft has not announced any further details about the attacks. Such gaps are typically used in combination with an RCE vulnerability (RCE: Remote Code Execution), such as those found in Acrobat Reader or Office, for example. The injected code can then be executed with system privileges.

Critical Windows vulnerabilities

The vulnerability with the highest CVSS score (8.8) this Patch Day is CVE-2022-30221, an RCE vulnerability that affects all versions of Windows, including Server. It is in the graphics component of the system and can be exploited via RDP (Remote Desktop Protocol) from version 8.0 onward. An attacker would have to trick a user into connecting to an RDP server under the attacker’s control. The attacker could then inject and execute code.

Two RCE vulnerabilities classified as critical (CVE-2022-22029, CVE-2022-22039) affect the Network File System (NFS) in all versions of Windows Server (2008 to 2022). An attacker can use repeated NFS calls to inject and execute code. However, only NFSv3 is vulnerable to CVE-2022-22029. The vulnerability CVE-2022-22038 in RPC (Remote Procedure Call Runtime) affects all Windows versions from 8.1 onward, including Server. Dustin Childs believes that this vulnerability could be suitable for worms if attacks are carried out with elevated permissions.

Various security gaps uncovered in the Pwn2Own hacker competition in May have still not been eliminated.

Patch rain for Azure

Microsoft fixed 33 vulnerabilities in its Azure cloud platform this month. Azure Site Recovery alone accounts for 32 of them, two of which are RCE vulnerabilities. The remaining 30 vulnerabilities are suitable for providing an attacker with higher privileges. CVE-2022-30187 is a data leak in the Azure Storage Library.

Extended Security Updates (ESU)

Companies and organizations participating in Microsoft’s paid ESU program to secure systems running Windows 7 or Server 2008 R2 will receive updates this month that close 37 vulnerabilities. These include three of the vulnerabilities identified as critical above and the 0-day vulnerability CVE-2022-22047.

July also brings a new Windows tool for removing malicious software. The next scheduled Update Tuesday is August 9, 2022.
