Security
Headlines
HeadlinesLatestCVEs

Headline

CISA Urges Patch of Exploited Windows 11 Bug by Aug. 2

Feds urge U.S. agencies to patch a Microsoft July Patch Tuesday 2022 bug that is being exploited in the wild by August 2.

Threatpost
#vulnerability#mac#windows#microsoft#rce#auth#zero_day

Feds urge U.S. agencies to patch a Microsoft July Patch Tuesday 2022 bug that is being exploited in the wild by August 2.

A Windows 11 vulnerability, part of Microsoft’s Patch Tuesday roundup of fixes, is being exploited in the wild, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to advise patching of the elevation of privileges flaw by August 2.

The recommendation is directed at federal agencies and concerns CVE-2022-22047, a vulnerability that carries a CVSS score of high (7.8) and exposes Windows Client Server Runtime Subsystem (CSRSS) used in Windows 11 (and earlier versions dating back to 7) and also Windows Server 2022 (and earlier versions 2008, 2012, 2016 and 2019) to attack.

[FREE On-demand Event: Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office. WATCH HERE.]

The CSRSS bug is an elevation of privileges vulnerability that allows adversaries with a pre-established foothold on a targeted system to execute code as an unprivileged user. When the bug was first reported by Microsoft’s own security team earlier this month it was classified as a zero-day, or a known bug with no patch. That patch was made available on Tuesday July 5.

Researchers at FortiGuard Labs, a division of Fortinet, said the threat the bug poses to business is “medium”. In a bulletin, researchers explain the downgraded rating because an adversary needs advanced “local” or physical access to the targeted system to exploit the bug and a patch is available.

That said, an attacker who has previously gained remote access to a computer system (via malware infection) could exploit the vulnerability remotely.

“Although there is no further information on exploitation released by Microsoft, it can be surmised that an unknown remote code execution allowed for an attacker to perform lateral movement and escalate privileges on machines vulnerable to CVE-2022-22047, ultimately allowing for SYSTEM privileges,” FortiGuard Labs wrote.

Office and Adobe Documents Entry Points

While the vulnerability is being actively exploited, there are no known public proof of concept exploits in the wild that can be used to help mitigate or sometimes fuel attacks, according to a report by The Record.

“The vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target,” wrote Trend Micro’s Zero Day Initiative (ZDI) in its Patch Tuesday roundup last week.

“Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system. These attacks often rely on macros, which is why so many were disheartened to hear Microsoft’s delay in blocking all Office macros by default,” wrote ZDI author Dustin Childs.

Microsoft recently said it would block the use of Visual Basic for Applications (VBA) macros by default in some of its Office apps, however set no timeline enforce the policy.

CISA added the Microsoft bug to its running list of known exploited vulnerabilities on July 7 (search “CVE-2022-22047” to find the entry) and recommends simply, “apply updates per vendor instructions”.

[FREE On-demand Event: Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office. WATCH HERE.]

Image: Courtesy of Microsoft

Related news

Microsoft Addresses Zero-Days, but Exchange Server Exploit Chain Remains Unpatched

The computing giant didn't fix ProxyNotLogon in October's Patch Tuesday, but it disclosed a rare 10-out-of-10 bug and patched two other zero-days, including one being exploited.

Apple Just Patched 37 iPhone Security Bugs

Plus: A Google Chrome patch licks the DevilsTongue spyware, Android’s kernel gets a tune-up, and Microsoft fixes 84 flaws.

Microsoft Uncovers Austrian Company Exploiting Windows and Adobe Zero-Day Exploits

A cyber mercenary that "ostensibly sells general security and information analysis services to commercial customers" used several Windows and Adobe zero-day exploits in limited and highly-targeted attacks against European and Central American entities. The company, which Microsoft describes as a private-sector offensive actor (PSOA), is an Austria-based outfit called DSIRF that's linked to the

Microsoft Patch Tuesday July 2022: propaganda report, CSRSS EoP, RPC RCE, Edge, Azure Site Recovery

Hello everyone! Microsoft has been acting weird lately. I mean the recent publication of a propaganda report about evil Russians and how Microsoft is involved in the conflict between countries. It wouldn’t be unusual for a US government agency, NSA or CIA to publish such a report. But when a global IT vendor, which, in […]

Threat Source newsletter (July 21, 2022) — No topic is safe from being targeted by fake news and disinformation

By Jon Munshaw.  Welcome to this week’s edition of the Threat Source newsletter.  I could spend time in this newsletter every week talking about fake news. There are always so many ridiculous memes, headlines, misleading stories, viral Facebook posts and manipulated media that I see come across my Instagram feed or via my wife when she shows me TikToks she favorited.  One recent event, though, was so crushing to me that I had to call it out specifically. Former Japanese Prime Minister Shinzo Abe was assassinated earlier this month while making a campaign speech in public. This was a horrible tragedy marking the death of a powerful politician in one of the world’s most influential countries. It was the top story in the world for several days and was even more shocking given Japan’s strict gun laws and the relative infrequency of any global leaders being the target of violence.  It took no time for the internet at large to take this tragedy and immediately try to spin it to the...

Update now—July Patch Tuesday patches include fix for exploited zero-day

July's Patch Tuesday gives us a lot of important security updates. Most prominently, a known to be exploited vulnerability in Windows CSRSS. The post Update now—July Patch Tuesday patches include fix for exploited zero-day appeared first on Malwarebytes Labs.

Microsoft Releases Fix for Zero-Day Flaw in July 2022 Security Patch Rollout

Microsoft released its monthly round of Patch Tuesday updates to address 84 new security flaws spanning multiple product categories, counting a zero-day vulnerability that's under active attack in the wild. Of the 84 shortcomings, four are rated Critical, and 80 are rated Important in severity. Also separately resolved by the tech giant are two other bugs in the Chromium-based Edge browser, one

Microsoft Patch Tuesday, July 2022 Edition

Microsoft today released updates to fix at least 86 security vulnerabilities in its Windows operating systems and other software, including a weakness in all supported versions of Windows that Microsoft warns is actively being exploited. The software giant also has made a controversial decision to put the brakes on a plan to block macros in Office documents downloaded from the Internet.

CVE-2022-22047

Windows CSRSS Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-22026, CVE-2022-22049.

Microsoft Issues Fixes for 84 Vulnerabilities: Here's What to Patch Now

July's security update included fixes for one actively exploited flaw, more than 30 bugs in Azure Site Recovery, and four privilege escalation bugs in Windows Print Spooler.

Microsoft Patch Tuesday for July 2022 — Snort rules and prominent vulnerabilities

By Jon Munshaw and Tiago Pereira.  Microsoft released its monthly security update Tuesday, disclosing more than 80 vulnerabilities in the company’s various software, hardware and firmware offerings, including one that’s actively being exploited in the wild.  July's security update... [[ This is only the beginning! Please visit the blog for the complete entry ]]

Threatpost: Latest News

Student Loan Breach Exposes 2.5M Records