Microsoft Issues Fixes for 84 Vulnerabilities: Here's What to Patch Now
July’s security update included fixes for one actively exploited flaw, more than 30 bugs in Azure Site Recovery, and four privilege escalation bugs in Windows Print Spooler.
Microsoft today released patches for 84 vulnerabilities across its product categories, including one bug now actively exploited and four that the company rated as critical severity.
The July security update also includes fixes for four elevation of privilege vulnerabilities in the company’s perennially buggy Windows Print Spooler technology, and more than 30 bugs in its Azure Site Recovery disaster recovery service. At least 12 of the 84 flaws disclosed today enable remote code execution, 11 are information disclosure bugs, and four enable bypass of security features. Most of the remaining flaws enable elevation of privilege.
Priority One: CVE-2022-22047
Security experts who reviewed Microsoft’s latest update said the vulnerability that requires immediate attention is an elevation of privilege vulnerability (CVE-2022-22047) in the Windows Client Server Run-Time Subsystem (CSRSS) that is currently being exploited. Microsoft itself assessed the vulnerability as only “Important” and assigned it a CVSS base score of 7.8 out of 10. According to the company, the vulnerability, like every other bug in July’s update, had not been publicly disclosed before the patch. Even so, Microsoft said the bug is being actively exploited, but did not provide any further details.
“The vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target,” an analysis on Trend Micro Zero Day Initiative’s blog noted. “Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system.” Attacks of this type often leverage macros, which is why Microsoft’s recent decision to delay blocking all macros by default, as it announced in February, is disheartening, the blog noted.
Chris Goettl, vice president of product management for security products at Ivanti, says organizations should not be lulled by Microsoft’s characterization of the flaw as important. The fact that attackers are actively exploiting the bug makes it a priority, he says. “Organizations prioritizing using legacy rating methods could miss prioritizing the urgency of the OS update this month,” he says.
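As an added illustration of Goettl’s point (example code written for this page, not from Ivanti, Microsoft or Dark Reading): a small Python prioritizer that ranks this month’s headline CVEs by exploitation status first and CVSS second, side by side with the “legacy” severity-then-CVSS ordering. Only the 7.8 score for CVE-2022-22047 is stated in the article; the other base scores, the exploitability flags, the SLA thresholds and the unnamed “Critical” record are assumptions made for the example and should be taken from the MSRC release notes before use.

```python
"""Risk-based versus legacy patch prioritization (added example, not the
article's or any vendor's code).

Each record carries the attributes Microsoft publishes per CVE: severity
rating, CVSS base score, whether exploitation has been detected, whether the
bug is publicly disclosed, and the "exploitability" assessment.  The records
below are constructed for the example; only CVE-2022-22047's 7.8 is taken
from the article, the remaining scores and flags are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str
    title: str
    severity: str          # Microsoft rating: "Critical", "Important", ...
    cvss: float            # CVSS v3 base score
    exploited: bool        # "Exploitation Detected" in the release notes
    public: bool           # "Publicly Disclosed"
    exploitability: str    # "More Likely" / "Less Likely"
    impact: str            # "RCE", "EoP", "Tampering", ...


SEVERITY_ORDER = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


def legacy_rank(vulns):
    """Severity rating first, CVSS as tie-breaker: the 'legacy' method."""
    return sorted(vulns, key=lambda v: (SEVERITY_ORDER.get(v.severity, 9), -v.cvss))


def risk_score(v):
    """Urgency score: in-the-wild exploitation dominates everything else."""
    score = v.cvss
    if v.exploited:
        score += 10.0       # attackers already have a working exploit
    if v.public:
        score += 4.0        # public details shorten the time to weaponization
    if v.exploitability == "More Likely":
        score += 2.0
    if v.impact in ("RCE", "EoP"):
        score += 1.0        # full host compromise outranks tampering / info leak
    return score


def risk_rank(vulns):
    """Most urgent first."""
    return sorted(vulns, key=risk_score, reverse=True)


def sla_days(v):
    """Hypothetical remediation SLA: exploited bugs get a day, not a month."""
    if v.exploited:
        return 1
    if risk_score(v) >= 10.0:
        return 7
    return 30


# Constructed sample set.  CVSS values other than 7.8 and the exploitability
# flags are assumptions for the example, not quoted from the article.
SAMPLE = [
    Vuln("CVE-2022-22047", "Windows CSRSS EoP", "Important", 7.8, True, False, "More Likely", "EoP"),
    Vuln("CVE-2022-30216", "Windows Server Service tampering", "Important", 8.8, False, False, "More Likely", "Tampering"),
    Vuln("CVE-2022-22038", "RPC Runtime RCE", "Important", 8.1, False, False, "Less Likely", "RCE"),
    Vuln("CVE-2022-30221", "Windows Graphics Component RCE", "Important", 8.8, False, False, "Less Likely", "RCE"),
    Vuln("CVE-2022-30222", "Windows Shell RCE", "Important", 8.4, False, False, "Less Likely", "RCE"),
    # Stand-in for one of the month's four Critical bugs (the article does not
    # name them); the label and score are invented purely for the comparison.
    Vuln("(unnamed Critical)", "constructed Critical RCE", "Critical", 8.8, False, False, "Less Likely", "RCE"),
]

if __name__ == "__main__":
    print("legacy order:", [v.cve for v in legacy_rank(SAMPLE)])
    print("risk order:  ", [v.cve for v in risk_rank(SAMPLE)])
    for v in risk_rank(SAMPLE):
        print(f"{v.cve:<20} score={risk_score(v):5.1f}  patch within {sla_days(v):>2} days")
```

Under the legacy ordering the exploited CSRSS bug lands last (lowest CVSS among the Important entries); under the risk ordering it lands first, which is the gap Goettl is warning about.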
Other Bugs That Need Urgent Attention
Other bugs in Microsoft’s July update that security experts described as priorities: CVE-2022-30216, CVE-2022-22038, CVE-2022-30221, and CVE-2022-30222.
CVE-2022-30216 is a low-complexity tampering vulnerability in the Windows Server service that would allow an authenticated attacker to remotely upload a certificate to the service. Microsoft rated the vulnerability as more likely to be exploited because it requires no user interaction and only low privileges. “While this is listed as 'Tampering', an attacker who could install their own certificate on a target system could use this bug for various purposes, including code execution,” Trend Micro’s ZDI said. “Definitely test and deploy this patch quickly — especially to your critical servers.”
CVE-2022-22038 is a Remote Procedure Call Runtime remote code execution vulnerability that could allow an unauthenticated attacker to execute malicious code on a vulnerable system. Microsoft rated the bug as complex to exploit because it requires an attacker “to invest time in repeated exploitation attempts through sending constant or intermittent data.” Trend Micro’s ZDI assessed the bug as having properties that could potentially make it wormable. “If the exploit complexity were low, which some would argue since the attempts could likely be scripted, the CVSS would be 9.8. Test and deploy this one quickly,” the security vendor noted.
CVE-2022-30221 is a remote code execution vulnerability in the Windows Graphics Component. An attacker can exploit the vulnerability by convincing a user to connect to a malicious RDP server. An adversary who succeeds in doing that would be able to execute code in the context of the affected system’s user, Microsoft said.
“On the surface, this one looks nasty,” Kevin Breen, director of cyber threat research at Immersive Labs, said in emailed comments to Dark Reading. Microsoft has marked the vulnerability as less likely to be exploited because an attacker would need to first run a malicious RDP server and then convince a victim to connect to it. “This is not as far-fetched as it first sounds, as RDP shortcut files could be emailed to target victims, and these file types may not flag as malicious by email scanners and filters,” Breen said.
CVE-2022-30222 is another remote code execution vulnerability — this time in the Windows Shell graphical user interface. The flaw allows an unauthenticated attacker to execute code on a vulnerable system by interacting with the login screen in a specific manner, Microsoft noted. Attacks targeting the flaw likely involve little complexity and no user interaction.
“Whilst this is titled as a Remote Code Execution vulnerability, the description suggests that this is actually a Local Code Execution vulnerability,” Breen said. It appears the flaw would allow an attacker to run arbitrary commands from the login screen, as authentication is not required, he noted. “Microsoft has suggested this is less likely to be exploited. But if you use RDP, definitely prioritize this patch,” Breen said.
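The RDP-shortcut lure Breen describes is worth a concrete check. The following Python is an added example, not code from the article, Immersive Labs or Microsoft: it parses a .rdp file statically (the format is plain text, one name:type:value setting per line) and flags files that point at untrusted hosts or grant the remote server local resources. The option names are the documented mstsc settings; the risk weighting, the allowlist and the two sample files are constructed for the example.

```python
"""Static triage of .rdp connection files (added example, not from the
article, Immersive Labs or Microsoft).

A .rdp file is plain text, one "name:type:value" setting per line (type s,
i or b).  That makes the target host and the resource-redirection settings
readable before mstsc ever launches, which is the check a mail gateway or
endpoint tool wants for the RDP-shortcut lure described above.  The option
names are the documented mstsc settings; the risk weighting, the allowlist
and the sample files are constructed for this example.
"""
import ipaddress
import re

SETTING = re.compile(r"^(?P<name>[^:]+):(?P<type>[sib]):(?P<value>.*)$")

# Settings that hand the remote server access to the local machine, or let
# it dodge identity checks.  Fine for your own jump host, a gift to a
# malicious server.  name -> predicate over the raw value that flags it.
RISKY = {
    "drivestoredirect": lambda v: v.strip() != "",       # local drives mapped into the session
    "devicestoredirect": lambda v: v.strip() != "",      # USB / PnP devices
    "redirectclipboard": lambda v: v.strip() == "1",
    "redirectprinters": lambda v: v.strip() == "1",
    "remoteapplicationmode": lambda v: v.strip() == "1", # RemoteApp: no visible desktop window
    "authentication level": lambda v: v.strip() == "0",  # connect even if server identity fails
    "enablecredsspsupport": lambda v: v.strip() == "0",  # NLA off: the server draws the logon UI
}


def parse_rdp(text):
    """Return {setting name (lower-case): raw value}; reject malformed lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SETTING.match(line)
        if not m:
            raise ValueError(f"not a .rdp setting: {raw!r}")
        settings[m["name"].strip().lower()] = m["value"]
    return settings


def target_host(settings, key="full address"):
    """Host part of 'host', 'host:port' or '[ipv6]:port'; '' if absent."""
    addr = settings.get(key, "").strip()
    if addr.startswith("["):
        return addr[1:].split("]", 1)[0].lower()
    if addr.count(":") == 1:
        addr = addr.rsplit(":", 1)[0]
    return addr.lower()


def is_trusted(host, trusted_suffixes, trusted_nets):
    """Literal IPs are checked against networks, names against DNS suffixes."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(host == s or host.endswith("." + s) for s in trusted_suffixes)
    return any(ip in net for net in trusted_nets)


def assess(text, trusted_suffixes, trusted_nets):
    """Return (target host, list of findings); an empty list means 'looks like ours'."""
    settings = parse_rdp(text)
    findings = []
    host = target_host(settings)
    if not host:
        findings.append("no 'full address': mstsc will prompt for one, unusual for a mailed file")
    elif not is_trusted(host, trusted_suffixes, trusted_nets):
        findings.append(f"target '{host}' is not a trusted RDP host")
    gateway = target_host(settings, "gatewayhostname")
    if gateway and not is_trusted(gateway, trusted_suffixes, trusted_nets):
        findings.append(f"RD Gateway '{gateway}' is not a trusted gateway")
    for name, flags in RISKY.items():
        if name in settings and flags(settings[name]):
            findings.append(f"{name}:{settings[name]} grants the server local access or skips a check")
    return host, findings


# Constructed samples: a lure pointing at an external host that wants every
# local resource, and a benign file for an internal jump host.
TRUSTED_SUFFIXES = {"corp.example"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LURE_RDP = """\
screen mode id:i:2
full address:s:remote-support.example.net:3389
drivestoredirect:s:*
redirectclipboard:i:1
authentication level:i:0
remoteapplicationmode:i:1
"""

INTERNAL_RDP = """\
full address:s:jump01.corp.example:3389
authentication level:i:2
redirectclipboard:i:0
drivestoredirect:s:
"""

if __name__ == "__main__":
    for label, text in (("lure", LURE_RDP), ("internal", INTERNAL_RDP)):
        host, findings = assess(text, TRUSTED_SUFFIXES, TRUSTED_NETS)
        print(f"{label}: {host} -> {findings or 'no findings'}")
```

The lure file yields five findings (untrusted host, drive and clipboard redirection, a disabled server identity check, and RemoteApp mode); the internal file yields none. The same parse is what an attachment filter would run, since a .rdp file is text and needs no mstsc to inspect.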
Windows Print Spooler Flaws Make a Comeback
Microsoft’s July update also contains fixes for four flaws in Windows Print Spooler (CVE-2022-22022, CVE-2022-22041, CVE-2022-30206, and CVE-2022-30226). Flaws in Print Spooler have been a major problem for Windows users in recent years. One of the most notable recent flaws in the technology was PrintNightmare, a remote code execution bug that affected all Windows versions and prompted an advisory from the US government and others on the need for organizations to address it urgently.
“We have seen a steady stream of vulnerability disclosures in the Print Spooler Service since the original PrintNightmare flaws were disclosed in June (CVE-2021-1675) and early July of 2021 (CVE-2021-34527),” said Satnam Narang, senior staff research engineer at Tenable, in comments emailed to Dark Reading. The flaws that Microsoft has addressed in the technology are elevation of privilege flaws, which provide attackers the ability to gain system-level privileges on vulnerable systems, he said.
The risk with these four fixes is the potential to impact print functionality, Ivanti’s Goettl says.
“Since PrintNightmare, there have been many Print Spooler fixes, and in more than one of those patch Tuesday events, the changes have resulted in operational impacts,” he says. “This makes administrators a little gun-shy and warrants some extra testing to ensure no negative issues occur in their organization.”
Surfeit of Azure Site Recovery Bugs
Goettl says Microsoft resolved 33 vulnerabilities in Azure Site Recovery that could allow attackers to take a variety of actions, including remote code execution, privilege escalation, and information disclosure. None of the vulnerabilities have been publicly disclosed or are currently being exploited, but the concern is in the number of vulnerabilities that were fixed, Goettl notes. “They were identified by several independent researchers and anonymous parties, which means the knowledge of how to exploit these vulnerabilities is a bit more broadly distributed,” he says.
Nor is remediation simple: it requires signing into each process server as an administrator, then downloading and installing the latest version. “Vulnerabilities like this are often easy to lose track of, as they are not managed by the typical patch management process,” he notes.
Related news
gRPC contains a vulnerability in which HPACK table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases. Three vectors were found that allow the following DoS attacks: unbounded memory buffering in the HPACK parser, and unbounded CPU consumption in the HPACK parser. The unbounded CPU consumption is down to a copy that occurred per input block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client. The unbounded memory buffering bugs: the header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16 KB; HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer, and gRPC’s HPACK parser needed to read all of them before concluding a parse; gRPC’s metadata overflow check was performed per frame, so ...
Canon Medical Informatics Vitrea Vision 7.7.76.1 does not adequately enforce access controls. An authenticated user is able to gain unauthorized access to imaging records by tampering with the vitrea-view/studies/search patientId parameter.
Several artifacts from recent attacks strongly suggest a connection between the two operations, researchers say.
The computing giant didn't fix ProxyNotLogon in October's Patch Tuesday, but it disclosed a rare 10-out-of-10 bug and patched two other zero-days, including one being exploited.
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
PrinterLogic Windows Client through 25.0.0.676 allows attackers to execute directory traversal. Authenticated users with prior knowledge of the driver filename could exploit this to escalate privileges or distribute malicious content.
The security flaw tracked as CVE-2022-30216 could allow attackers to perform server spoofing or trigger authentication coercion on the victim.
Plus: A Google Chrome patch licks the DevilsTongue spyware, Android’s kernel gets a tune-up, and Microsoft fixes 84 flaws.
A cyber mercenary that "ostensibly sells general security and information analysis services to commercial customers" used several Windows and Adobe zero-day exploits in limited and highly-targeted attacks against European and Central American entities. The company, which Microsoft describes as a private-sector offensive actor (PSOA), is an Austria-based outfit called DSIRF that's linked to the
Feds urge U.S. agencies to patch a Microsoft July Patch Tuesday 2022 bug that is being exploited in the wild by August 2.
July's Patch Tuesday gives us a lot of important security updates, most prominently a known-to-be-exploited vulnerability in Windows CSRSS. (Malwarebytes Labs: “Update now—July Patch Tuesday patches include fix for exploited zero-day”)
Microsoft released its monthly round of Patch Tuesday updates to address 84 new security flaws spanning multiple product categories, counting a zero-day vulnerability that's under active attack in the wild. Of the 84 shortcomings, four are rated Critical, and 80 are rated Important in severity. Also separately resolved by the tech giant are two other bugs in the Chromium-based Edge browser, one
Microsoft today released updates to fix at least 86 security vulnerabilities in its Windows operating systems and other software, including a weakness in all supported versions of Windows that Microsoft warns is actively being exploited. The software giant also has made a controversial decision to put the brakes on a plan to block macros in Office documents downloaded from the Internet.
Microsoft’s advisory titles for the CVEs discussed above, matched to the identifiers named in the article:
CVE-2022-22022: Windows Print Spooler Elevation of Privilege Vulnerability (distinct from CVE-2022-22041, CVE-2022-30206 and CVE-2022-30226).
CVE-2022-30222: Windows Shell Remote Code Execution Vulnerability.
CVE-2022-30221: Windows Graphics Component Remote Code Execution Vulnerability.
CVE-2022-30216: Windows Server Service Tampering Vulnerability.
CVE-2022-30206: Windows Print Spooler Elevation of Privilege Vulnerability (distinct from CVE-2022-22022, CVE-2022-22041 and CVE-2022-30226).
CVE-2022-30226: Windows Print Spooler Elevation of Privilege Vulnerability (distinct from CVE-2022-22022, CVE-2022-22041 and CVE-2022-30206).
CVE-2022-22038: Remote Procedure Call Runtime Remote Code Execution Vulnerability.
CVE-2022-22041: Windows Print Spooler Elevation of Privilege Vulnerability (distinct from CVE-2022-22022, CVE-2022-30206 and CVE-2022-30226).
CVE-2022-22047: Windows CSRSS Elevation of Privilege Vulnerability (distinct from CVE-2022-22026 and CVE-2022-22049).
By Jon Munshaw and Tiago Pereira. Microsoft released its monthly security update Tuesday, disclosing more than 80 vulnerabilities in the company’s various software, hardware and firmware offerings, including one that’s actively being exploited in the wild. July's security update...
Cybersecurity researchers have detailed the various measures ransomware actors have taken to obscure their true identity online as well as the hosting location of their web server infrastructure. "Most ransomware operators use hosting providers outside their country of origin (such as Sweden, Germany, and Singapore) to host their ransomware operations sites," Cisco Talos researcher Paul Eubanks
The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request, resulting in remote code execution as NT AUTHORITY\SYSTEM. This module uses the MS-RPRN vector which requires the Print Spooler service to be running.
Kaspersky researchers discovered that cybercriminals made approximately 65,000 attacks between July 2021 and April 2022.
On Tuesday July 6, 2021, Microsoft issued CVE-2021-34527 regarding a Windows Print Spooler vulnerability. Updates were released on July 6 and 7 which addressed the vulnerability for all supported Windows versions. We encourage customers to update as soon as possible. CVE-2021-34527 - Windows Print Spooler Remote Code Execution Vulnerability. Following the out of band release (OOB) we investigated claims regarding the effectiveness of the security update and questions around the suggested mitigations.
Today Microsoft released an Out-of-Band (OOB) security update for CVE-2021-34527, which is being discussed externally as PrintNightmare. This is a cumulative update release, so it contains all previous security fixes and should be applied immediately to fully protect your systems. The fix that we released today fully addresses the public vulnerability, and it also includes a new feature that allows customers to implement stronger protections.