Tune in as our team of security experts dive into critical information you need to know. We're unpacking critical vulnerabilities, recapping Microsoft patch Tuesday, highlighting zero-days and other patch information, and much more.
April 2022 is proving to be a hot month with Microsoft releasing over 100 security fixes for software that resolves critical issues including two zero-days.
- 47 Elevation of Privilege Vulnerabilities
- 0 Security Feature Bypass Vulnerabilities
- 47 Remote Code Execution Vulnerabilities
- 13 Information Disclosure Vulnerabilities
- 9 Denial of Service Vulnerabilities
- 3 Spoofing Vulnerabilities
- 26 Edge - Chromium Vulnerabilities
For information about the non-security Windows updates, check out the Bleeping Computer articles: Windows 10 KB5012599 and KB5012591 updates and Windows 11 KB5012592 update.
The zero-day vulnerabilities resolved in this update are:
- CVE-2022-26904: Windows User Profile Service Elevation of Privilege Vulnerability
- This known zero-day flaw impacts the Windows User Profile Service and is described as an EoP vulnerability. The bug has been issued a CVSS severity score of 7.0 and its attack complexity is considered 'high', as "successful exploitation of this vulnerability requires an attacker to win a race condition," according to Microsoft.
- CVE-2022-24521: Windows Common Log File System Driver Elevation of Privilege Vulnerability
- This bug is another EoP issue found in the Windows Common Log File System Driver. Issued a CVSS score of 7.8, Microsoft says that attack complexity is low and the company has detected active exploitation, despite the flaw not being made public until now.
Other noteworthy vulnerabilities include:
- Windows Remote Procedure Call (RPC) Runtime RCE (CVE-2022-26809)
- Implement a strategy of device and edge firewall network segmentation for inbound, outbound, and lateral protection
- This is not exclusive to SMB as variety of transports can be used such as TCP/135
- Windows Network File System RCE (CVE-2022-24491)
- Vulnerability is exploitable for systems that have the NFS role enabled
- Lightweight Directory Access Protocol RCE (CVE-2022-26919)
- Severity is Critical but with High complexity as it requires an attacker to take additional action prior to exploitation to prep the targeted environment
- VMware Remote Code Execution (CVE-2022-22954)
- Server-side template injection resulting in RCE, see hotfixes for advisory mitigations
- Apache Struts2 (associated to CVE-2021-31805)
- Upgrade to 2.5.30 or greater to fix a critical OGNL (Object-Graph Navigation Language) Injection vulnerability
- Implement a strategy of device and edge firewall network segmentation for inbound, outbound, and lateral protection