Patch Day: Microsoft closes 119 security holes
Microsoft fixed a total of 119 vulnerabilities on Tuesday’s update in April. These include ten vulnerabilities that Microsoft classifies as critical and two 0-day vulnerabilities.
Patch Day on April 12 brings a number of updates that fix 119 vulnerabilities. This does not include the gaps plugged in Edge in the previous week. Microsoft classifies ten vulnerabilities as critical and the rest as high risk. The gaps affect Windows, Defender, Hyper-V, DNS Server and Office, among others. One vulnerability (CVE-2022-24521) is already being used in attacks, and exploit code for another (CVE-2022-26904) is publicly available. Microsoft provides only sparse details on the vulnerabilities in its Security Update Guide, where you can look them up yourself; Dustin Childs presents the Update Tuesday topic much more clearly on the Trend Micro ZDI blog.
The latest security update for Edge (Chromium) is version 100.0.1185.36, which has been available since April 7th. Like the more recent bug fix update 100.0.1185.39 from April 11, it is based on Chromium 100.0.4896.75 and fixes a Chromium vulnerability. On April 11, Google released a new update to Chrome 100.0.4896.88 that fixes another 11 vulnerabilities. A corresponding Edge update is still pending, but should be available before Easter.
Microsoft fixed six vulnerabilities in its Office products in April, all of which it classifies as high risk. Three of the vulnerabilities are suitable for injecting and executing code via prepared Office documents (RCE: Remote Code Execution). One of these vulnerabilities (CVE-2022-26903) also affects the mobile apps (Excel, PowerPoint, Word). The other two RCE vulnerabilities (CVE-2022-24473, CVE-2022-26901) are in Excel and also affect Office for Mac.
The majority of vulnerabilities, 101 this month, are spread across the various versions of Windows (8.1 and newer), all of which Microsoft still supplies with security updates. Windows 7 and Server 2008 R2 are still mentioned in the security reports, but only organizations participating in the paid ESU program will receive updates for them.
Network admins should pay particular attention to the CVE-2022-26815 vulnerability in Windows DNS Server. If dynamic updates are enabled, an attacker could inject code and run it with elevated privileges. Microsoft has closed a total of 18 security gaps in the DNS server. All are suitable for injecting and executing code.
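As an added example that is not part of the article, the following PowerShell snippet lists the primary DNS zones on a Windows DNS server that accept dynamic updates, which is the precondition the article names for CVE-2022-26815. It assumes the DnsServer module (installed with the DNS Server role or the RSAT DNS tools) is available; the function name and the `$ComputerName` parameter are this example's own.

```powershell
# Added example, not from the article or from Microsoft.
# Assumes the DnsServer PowerShell module on a Windows DNS server (or RSAT).
Import-Module DnsServer

function Get-DynamicUpdateZones {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Only primary zones accept updates; secondary and stub zones forward or
    # replicate and are not affected by this setting.
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and $_.DynamicUpdate -ne 'None' } |
        Select-Object ZoneName, DynamicUpdate, IsDsIntegrated |
        Sort-Object -Property @{ Expression = { $_.DynamicUpdate -eq 'NonsecureAndSecure' }; Descending = $true }, ZoneName
}

# Zones reporting 'NonsecureAndSecure' accept updates from any client and
# deserve the most attention; 'Secure' is only available for AD-integrated
# zones and requires the client to authenticate first.
Get-DynamicUpdateZones | Format-Table -AutoSize
```

Run this on each DNS server before and after applying the April update; the list tells you which zones were exposed while the patch was outstanding and whether any zone still allows nonsecure updates that it does not need.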
If you use Hyper-V, you should also prioritize the three critical vulnerabilities in it. If successfully exploited, code in the guest could escape from the virtual machine and run on the host. Hyper-V also accounts for six more patched vulnerabilities that Microsoft classifies as high risk.
The RCE vulnerability CVE-2022-26809 in the RPC runtime library, which is classified as critical, appears suitable for worms, at least within a network. Microsoft reports the high CVSS score of 9.8 for it (CVSS: Common Vulnerability Scoring System). Microsoft closed 15 security holes in the Windows print spooler this month, all designated as high risk. Some of them resemble gaps that were already patched earlier. It is to be hoped that these updates will not cause problems again.
The vulnerability CVE-2022-24521 in the Common Log File System driver is already being exploited in attacks. An attacker who exploits this vulnerability can gain higher permissions (EoP: Elevation of Privilege). Since privilege escalation alone does not achieve the attacker's goal, it is chained with an RCE vulnerability in an attack, for example in Acrobat Reader or Office. There is also an EoP vulnerability in the Windows User Profile Service, CVE-2022-26904. If successful, an attacker could execute code with system privileges by combining this vulnerability with an RCE bug. Sample exploit code for this vulnerability is publicly available, and a Metasploit module already exists for it.
Extended Security Updates (ESU)
Companies and organizations that participate in Microsoft’s paid ESU program to secure systems running Windows 7 or Server 2008 R2 will receive updates this month that close 51 vulnerabilities. These include the aforementioned 0-day vulnerabilities CVE-2022-24521 and CVE-2022-26904.
April also brings a new version of the Windows Malicious Software Removal Tool. The next scheduled Update Tuesday is May 10, 2022.