Actively exploited zero-day and four 'critical' vulnerabilities fixed in Microsoft's July Patch Tuesday
The month's list of 84 bug fixes has been branded "boring" by some experts but should be welcome news to security personnel


Microsoft’s latest monthly security updates for July have been released this week, with 84 total vulnerabilities fixed including one actively exploited zero-day.
The zero-day (CVE-2022-22047) is a privilege escalation flaw affecting the Windows Client/Server Runtime Subsystem (CSRSS), the exploitation of which could grant attackers system privileges.
It has been given a CVSSv3 score of 7.8/10 - a ‘high’ rating - and Tenable said it is a vulnerability that is most likely to be used after an attacker has initially gained a foothold in an organisation.
“This type of vulnerability is likely to have been used as part of post-compromise activity, once an attacker has gained access to their targeted system and run a specially crafted application,” it said.
No other details on the zero-day have been released other than Microsoft’s assessment that exploitation requires a low level of complexity, albeit through a local attack vector.
This means an attacker would either have to have their hands on the victim’s keyboard or be able to control a machine remotely, supporting Tenable’s conclusion that it would likely be used after initially compromising an organisation.
Given that CVE-2022-22047 is the only actively exploited bug in this month’s list of patches, businesses are strongly advised to prioritise patching this one.
The US’ cyber security authority CISA added the zero-day to its list of mandatory patches that all federal civilian and executive branch agencies must deploy pursuant to the binding operational directive 22-01, first imposed last year but regularly updated since.
Four critical-rated vulnerabilities were fixed in this month’s ‘Patch Tuesday’, though none of these are believed to have been actively exploited.
The first of these is CVE-2022-30222 which has been given a CVSSv3 score of 8.4/10. The remote code execution (RCE) vulnerability affects PCs with a Japanese language pack installed and attackers can use the input method editor (IME) to gain system privileges.
An IME is software that allows users to input characters that aren’t typically supported by qwerty keyboards. Users type combinations of keys to display characters that otherwise aren’t present on their keyboard, rather than hitting dedicated buttons for specific characters.
CVE-2022-30216 received a severity rating of 8.8/10 and is a Windows Server service tampering vulnerability, the exploitation of which is “more likely” according to Microsoft.
To exploit the bug, an attacker would need to be authenticated, which may limit the real-world effectiveness, unless the attacker could upload a malicious certificate to the Windows Server service.
Another 8.8-rated bug was CVE-2022-30221, an RCE flaw affecting the Windows Graphics Component. Exploitation is less likely with this one given that a victim would have to be convinced to connect to a remote desktop protocol (RDP) server, limiting real-world impact.
Regardless, if a business’ employee was convinced to join an attacker-controlled RDP server, the attacker could exploit the flaw to execute code on the victim’s system.
The final ‘critical’ vulnerability for this month is the 8.8-rated CVE-2022-20226, a privilege escalation bug again affecting Windows CSRSS, like the aforementioned zero-day.
Exploitation is assessed as “less likely” again by Microsoft, but an authenticated attacker could send a specially crafted request to the CSRSS to elevate their privileges from AppContainer to the system, before executing code or accessing resources.
In summary, July’s Patch Tuesday has been described by some experts as “boring” given the low number of seriously threatening security vulnerabilities compared to months gone by.
For the full list of vulnerabilities and Microsoft’s assessments on each, visit the company’s dedicated security update guide.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.