Microsoft on Tuesday rolled out fixes for as many as 74 security vulnerabilities, including one for a zero-day bug that's being actively exploited in the wild.
Of the 74 issues, seven are rated Critical, 66 are rated Important, and one is rated low in severity. Two of the flaws are listed as publicly known at the time of release.
These encompass 24 remote code execution (RCE), 21 elevation of privilege, 17 information disclosure, and six denial-of-service vulnerabilities, among others. The updates are in addition to 36 flaws patched in the Chromium-based Microsoft Edge browser on April 28, 2022.
Chief among the resolved bugs is CVE-2022-26925 (CVSS score: 8.1), a spoofing vulnerability affecting the Windows Local Security Authority (LSA), which Microsoft describes as a "protected subsystem that authenticates and logs users onto the local system."
"An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM," the company said. "This security update detects anonymous connection attempts in LSARPC and disallows it."
It's also worth noting that the severity rating of the flaw would be elevated to 9.8 if it were to be chained with NTLM relay attacks on Active Directory Certificate Services (AD CS) such as PetitPotam.
"Being actively exploited in the wild, this exploit allows an attacker to authenticate as approved users as part of an NTLM relay attack - letting threat actors gain access to the hashes of authentication protocols," Kev Breen, director of cyber threat research at Immersive Labs, said.
The two other publicly-known vulnerabilities are as follows -
- CVE-2022-29972 (CVSS score: 8.2) - Insight Software: CVE-2022-29972 Magnitude Simba Amazon Redshift ODBC Driver (aka SynLapse)
- CVE-2022-22713 (CVSS score: 5.6) - Windows Hyper-V Denial-of-Service Vulnerability
Microsoft, which remediated CVE-2022-29972 on April 15, tagged it as "Exploitation More Likely" on the Exploitability Index, making it imperative that affected users apply the updates as soon as possible.
Also patched by Redmond are several RCE bugs in Windows Network File System (CVE-2022-26937), Windows LDAP (CVE-2022-22012, CVE-2022-29130), Windows Graphics (CVE-2022-26927), Windows Kernel (CVE-2022-29133), Remote Procedure Call Runtime (CVE-2022-22019), and Visual Studio Code (CVE-2022-30129).
Cyber-Kunlun, a Beijing-based cybersecurity company, has been credited with reporting 30 of the 74 flaws, counting CVE-2022-26937, CVE-2022-22012, and CVE-2022-29130.
What's more, CVE-2022-22019 follows an incomplete patch for three RCE vulnerabilities in the Remote Procedure Call (RPC) runtime library — CVE-2022-26809, CVE-2022-24492, and CVE-2022-24528 — that were addressed by Microsoft in April 2022.
Exploiting the flaw would allow a remote, unauthenticated attacker to execute code on the vulnerable machine with the privileges of the RPC service, Akamai said.
The Patch Tuesday update is also notable for resolving two privilege escalation (CVE-2022-29104 and CVE-2022-29132) and two information disclosure (CVE-2022-29114 and CVE-2022-29140) vulnerabilities in the Print Spooler component, which has long posed an attractive target for attackers.
Software Patches from Other Vendors
Besides Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —
- Adobe
- AMD
- Android
- Cisco
- Citrix
- Dell
- F5
- Google Chrome
- HP
- Intel
- Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
- MediaTek
- Mozilla Firefox, Firefox ESR, and Thunderbird
- Qualcomm
- SAP
- Schneider Electric, and
- Siemens