Microsoft fixed a total of 74 vulnerabilities with its May Patch Tuesday update. These include seven vulnerabilities that Microsoft classifies as critical and three 0-day vulnerabilities.
Patch Tuesday on May 10 brought a number of updates that fix 74 vulnerabilities, significantly fewer than in the previous month. Microsoft classifies seven vulnerabilities as critical and, with the exception of one vulnerability, the rest as high risk. The gaps affect Windows, Office, Hyper-V, Exchange and Azure, among others. One vulnerability (CVE-2022-26925) is already being used in attacks, and two others were publicly known beforehand. Microsoft provides only sparse details on the vulnerabilities in its Security Update Guide, where you can look them up yourself. Dustin Childs presents the topic of Update Tuesday much more clearly in the Trend Micro ZDI blog.
The latest security update for Edge (Chromium) is version 101.0.1210.32, which has been available since April 28th. Like the more recent bug fix update 101.0.1210.39 from May 5th, it is based on Chromium 101.0.4951.54 and fixes several Chromium vulnerabilities. On May 10, Google released a new update to Chrome 101.0.4951.64 that fixes another 13 vulnerabilities. A corresponding Edge update is still pending, but should follow this week.
Microsoft fixed four vulnerabilities in its Office products in May and classifies all of them as high risk. Three of the vulnerabilities can be used to inject and execute code via specially crafted Office documents (RCE: remote code execution). One of these vulnerabilities (CVE-2022-29108) affects SharePoint Server. The other two RCE vulnerabilities (CVE-2022-29109, CVE-2022-29110) are in Excel.
The majority of vulnerabilities, 62 this month, are spread across the various versions of Windows (8.1 and newer) for which Microsoft still offers security updates. Windows 7 and Server 2008 R2 are still mentioned in the security reports, but only organizations participating in the paid ESU program receive updates for them.
Network administrators should pay particular attention to the CVE-2022-26925 spoofing vulnerability in Windows LSA (Local Security Authority Subsystem). An attacker who exploits this vulnerability could trick a domain controller into authenticating to another server using NTLM. The attacker sits between the two and reads along (man-in-the-middle). This vulnerability is already being exploited in attacks.
If your network also contains computers running other operating systems such as Linux or Unix, the Network File System (NFS) service may be enabled on Windows machines. In that case you should check immediately and roll out the patch for the CVE-2022-26937 vulnerability, which is classified as critical. It has a CVSS score of 9.8 and allows a remote attacker to execute code in the context of the NFS service. According to Microsoft, NFS v4.1 is not vulnerable, so upgrading from NFS v2 or v3 to v4.1 may also make sense.
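The check described above, as an added example that is not part of the original article: a PowerShell audit that reports whether the Windows NFS server role is present and running, which NFS protocol versions are enabled, and whether a given cumulative update is installed. It assumes Windows Server with the ServerManager and NFS modules; the KB number is a placeholder that you must look up for your OS build in the Security Update Guide.

```powershell
# Added audit example (not from the article). Per the article only NFS v2/v3
# are affected by CVE-2022-26937; v4.1 is not. Run in an elevated PowerShell.
function Get-NfsExposureReport {
    [CmdletBinding()]
    param(
        # Placeholder: the KB of the May 2022 cumulative update for this build.
        [string]$PatchKB = 'KB<placeholder>'
    )

    # Is the "Server for NFS" role installed at all?
    $feature   = Get-WindowsFeature -Name FS-NFS-Service -ErrorAction SilentlyContinue
    $installed = ($null -ne $feature) -and $feature.Installed

    # Is the NFS server service actually running?
    $svc     = Get-Service -Name NfsService -ErrorAction SilentlyContinue
    $running = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    # Which protocol versions does the server accept?
    $cfg = $null
    if ($installed) {
        $cfg = Get-NfsServerConfiguration -ErrorAction SilentlyContinue
    }
    $legacyEnabled = ($null -ne $cfg) -and ($cfg.EnableNFSV2 -or $cfg.EnableNFSV3)

    # Has the cumulative update carrying the fix been installed?
    $patched = $null -ne (Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        NfsRoleInstalled      = $installed
        NfsServiceRunning     = $running
        NfsV2Enabled          = if ($cfg) { [bool]$cfg.EnableNFSV2 } else { $false }
        NfsV3Enabled          = if ($cfg) { [bool]$cfg.EnableNFSV3 } else { $false }
        NfsV4Enabled          = if ($cfg) { [bool]$cfg.EnableNFSV4 } else { $false }
        PatchInstalled        = $patched
        # Exposed: vulnerable versions reachable and the patch not yet present
        ExposedToCVE202226937 = $installed -and $running -and $legacyEnabled -and (-not $patched)
    }
}

# Usage: audit this host and flag the remediation order (patch first, then
# retire v2/v3 only after clients are confirmed to work with NFS v4.1).
$report = Get-NfsExposureReport
$report
if ($report.ExposedToCVE202226937) {
    Write-Warning 'NFS v2/v3 enabled and patch missing: install the update, then consider Set-NfsServerConfiguration -EnableNFSV2 $false -EnableNFSV3 $false'
}
```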
Two vulnerabilities in the Windows implementation of the Point-to-Point Tunneling Protocol (PPTP) could allow an attacker to execute injected code (RCE) and are therefore classified as critical. Microsoft has also closed ten RCE gaps in LDAP (Lightweight Directory Access Protocol) alone, and one in the Windows Fax service.
Microsoft has fixed the CVE-2022-21978 vulnerability in Exchange Server 2013 through 2019. A user with high privileges on the Exchange Server (e.g. an admin) can elevate themselves to domain administrator by exploiting this gap. For the update to install successfully, Microsoft specifies further steps that, depending on the Exchange version, must be carried out in the specified order before or after installing the update.
Insight Software: Magnitude Simba Amazon Redshift ODBC driver
The third vulnerability that was publicly disclosed in advance affects a number of Microsoft services. It is not in a Microsoft product itself, but in a database driver that connects services such as Azure Data Factory to Amazon Redshift. The patch for CVE-2022-29972, which is classified as critical, was released before this Update Tuesday. Microsoft has published a blog post and a security advisory (its first this year) on this vulnerability.
Extended Security Updates (ESU)
Companies and organizations that participate in Microsoft's paid ESU program to secure systems running Windows 7 or Server 2008 R2 receive updates this month that close 28 vulnerabilities. These include four security gaps classified as critical, among them the PPTP gaps mentioned above and the NFS vulnerability.
May also brings a new version of the Windows Malicious Software Removal Tool. The next scheduled Update Tuesday is June 14, 2022.