Microsoft released its monthly round of Patch Tuesday updates to fix 84 new security vulnerabilities spanning multiple product categories, including a zero-day vulnerability that is actively being targeted.
Of the 84 deficiencies, four are classified as “Critical” and 80 as “Important”. Also fixed separately by the tech giant were two other bugs in the Chromium-based Edge browser, one of which fixes another zero-day flaw that Google has exploited as being active in real-world attacks.
Topping this month’s list of updates is CVE-2022-22047 (CVSS score: 7.8), a case of privilege escalation in the Windows Client Server Runtime Subsystem (CSRSS) that could be exploited by an attacker to to obtain permissions.
“With this level of access, attackers are able to disable local services such as endpoint detection and security tools,” Kev Breen, director of cyber threat research at Immersive Labs, told The Hacker News. “With SYSTEM access, they can also use tools like Mimikatz, which can recover even more accounts at the admin and domain levels, quickly spreading the threat.”
Very little is known about the type and extent of the attacks apart from an “Exploitation Detected” assessment by Microsoft. The company’s Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) have been credited with reporting the bug.
In addition to CVE-2022-22047, two other Elevation of Privilege bugs have been fixed in the same component – CVE-2022-22026 (CVSS score: 8.8) and CVE-2022-22049 (CVSS score: 7.8) – reported by Google Project Zero researcher Sergei Glazunov.
“A locally authenticated attacker could send specially crafted data to the local CSRSS service to elevate their privileges from AppContainer to SYSTEM,” Microsoft said in an advisory for CVE-2022-22026.
“Because the AppContainer environment is considered a defensible security boundary, any process that can bypass the boundary is considered a scope change. The attacker could then run code or access resources with a higher integrity level than the AppContainer execution environment. “
Also fixed by Microsoft are a number of bugs when executing remote code in Windows Network File System (CVE-2022-22029 and CVE-2022-22039), Windows Graphics (CVE-2022-30221), Remote Procedure Call Runtime ( CVE-2022-22038) and Windows Shell (CVE-2022-30222).
The update also features patching of up to 32 issues in the Azure Site Recovery Business Continuity Service. Two of these errors are related to remote code execution and the remaining 30 are related to privilege escalation.
“Successful exploitation […] requires an attacker to compromise administrator credentials for one of the VMs connected to the configuration server,” the company said, adding that the flaws “do not allow disclosure of sensitive information, but could allow an attacker to modify data that could result in the service not.” be available.”
Additionally, Microsoft’s July update includes June 2022 after a brief breather, underscoring a seemingly never-ending stream of flaws plaguing the technology.
Rounding out the patchday updates are two notable fixes for manipulation vulnerabilities in Windows Server Service (CVE-2022-30216) and Microsoft Defender for Endpoint (CVE-2022-33637), as well as three denial-of-service (DoS) vulnerabilities in Internet Information Services (CVE-2022-22025 and CVE-2022-22040) and Security Account Manager (CVE-2022-30208).
Third-Party Software Patches
In addition to Microsoft, security updates from other vendors have also been released since the beginning of the month to address several vulnerabilities, including —