Microsoft fixes four critical flaws in July Patch Tuesday
The company resolved one actively exploited zero-day vulnerability
Amid concerns that the introduction of the Windows Autopatch function could make Patch Tuesday less thrilling, Microsoft has released its monthly round of Patch Tuesday updates, resolving a total of 84 security flaws, including one zero-day.
Of all the vulnerabilities addressed this month, four are rated as 'Critical' and 80 are 'Important'.
Microsoft has also separately plugged two security holes in its Chromium-based Edge browser. One of these was a zero-day that Google said was being actively exploited in real-world attacks.
Products impacted by this month's security update include the Microsoft Windows and Windows Components; Office and Office Components; Windows Azure components; Windows BitLocker; Microsoft Defender for Endpoint; Windows Hyper-V; Xbox; Skype for Business and Microsoft Lync; and Open-Source Software.
The July security update includes patches for 52 elevation of privilege (EoP) vulnerabilities, 12 remote code execution (RCE) bugs, 11 information disclosure bugs, five denial of service (DoS) bugs, and four security feature bypass vulnerabilities.
The most serious vulnerability patched this month is CVE-2022-22047, a privilege escalation issue in the Windows Client Server Runtime Subsystem (CSRSS), which an attacker who already has a foothold on a machine could exploit to obtain SYSTEM-level privileges.
Microsoft categorised it as an 'important' security issue, requiring low privileges to exploit.
"Coming in with a CVSS score of 7.8, it may not be the highest-scoring vulnerability on the list, but it has been flagged by Microsoft as being actively exploited in the wild by malicious attackers," said Kev Breen, director of cyber threat research at Immersive Labs.
This kind of vulnerability is often discovered only after an adversary has already compromised a target, since it is used post-intrusion rather than for initial access.
The most important aspect of the flaw is that it lets the attacker escalate their permissions to SYSTEM level.
"With this level of access, the attackers are able to disable local services such as Endpoint Detection and Security tools. With SYSTEM access they can also deploy tools like Mimikatz which can be used to recover even more admin and domain level accounts, spreading the threat quickly," Breen added.
CVE-2022-30221 is a 'critical' Windows Graphics Component RCE patched this month, with a CVSS score of 8.8 out of 10.
Because an attacker would need to persuade the target to connect to a malicious RDP server in order to install malware on the victim's system, Microsoft deemed exploitation 'less likely' than for CVE-2022-22047.
CVE-2022-22029 and CVE-2022-22039 are 'critical' bugs in the Windows Network File System (NFS). Microsoft rates the attack complexity for both as being high.
In order to exploit CVE-2022-22029, an attacker would need to invest time in repeated exploitation attempts by sending continuous or intermittent data to the NFS service, said Microsoft.
CVE-2022-22039, on the other hand, would require an attacker to win a race condition, which is why Microsoft rates its attack complexity as high.
The fourth 'critical' flaw, identified as CVE-2022-22038, is an RCE in the Windows Remote Procedure Call (RPC) Runtime, with a CVSS score of 8.1.