Security news that informs and inspires

Microsoft Fixes Windows Flaw Under Active Attack

Microsoft has issued patches addressing over 80 bugs as part of its regularly scheduled July security updates, including a Windows vulnerability that is under active attack.

The zero-day flaw (CVE-2022-22047) is an elevation-of-privilege bug in the Windows Client Server Runtime Subsystem (CSRSS). If exploited by an attacker, the important-severity flaw could be used to gain SYSTEM privileges. Microsoft did not release any further details on how the flaw is being exploited or how widespread attacks are. The flaw’s attack complexity and privileges required are listed as “low,” however.

“The vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target,” according to an analysis by Dustin Childs with Trend Micro’s Zero Day Initiative on Tuesday. “Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system.”

Several Windows and Windows Server versions are impacted, including versions of Windows 7, 8.1, 10 and 11, and versions of Windows Server 2008, 2012, 2016, 2019 and 2022.

Of the total 84 flaws addressed on Tuesday, four are rated critical and 80 are rated important in severity. One of the critical vulnerabilities includes a remote code execution bug (CVE-2022-30221) in the Windows Graphics Component. Exploitation for this flaw is listed as “less likely” because attackers would need to convince targeted users to connect to a malicious RDP server to carry out the attack. If they are able to do so, the malicious server could then execute code on targeted systems in the context of the targeted user.

The critical bugs also include two remote code execution flaws in the Windows Network File System (CVE-2022-22029 and CVE-2022-22039), which could both be exploited over the network by making unauthenticated, specially crafted calls to a Network File System service in order to trigger the RCE attack; and another RCE flaw in the Remote Procedure Call Runtime feature (CVE-2022-22038).

However, exploitation is also listed as “less likely” for all of these bugs, particularly as successful exploitation for CVE-2022-22029 and CVE-2022-22038 requires attackers to invest time in repeated exploitation attempts, by sending constant or intermittent data.

Meanwhile, “CVE-2022-22039 is another remote code execution flaw in Windows Network File System that requires an attacker to win a race condition to exploit it, making this vulnerability less likely to be exploited,” according to Jon Munshaw and Tiago Pereira, with Cisco Talos, in a Tuesday analysis. Other bugs of note this month include several important-severity flaws that are listed as “more likely” to be exploited; including an elevation of privilege flaw in the Windows Common Log File System Driver (CVE-2022-30220) that if exploited could give attackers SYSTEM privileges, and a Windows Server tampering flaw (CVE-2022-30216) that could allow an authenticated attacker to remotely upload a certificate to the Server service (a malicious certificate needs to first be imported on an affected system for successful exploitation).

For the latter, “while tampering bugs don’t often get much attention, Microsoft does give this its highest exploit index rating, meaning they expect active exploits within 30 days,” according to Childs. “Definitely test and deploy this patch quickly – especially to your critical servers.”