Microsoft Fixes New Bugs this Month, Including Public Aware & Weaponized Threats

There are 10 Rated Critical and 115 patches rated Important with the remaining marked Moderate. This includes:

• Microsoft Windows and Windows Components
• Microsoft Defender and Defender for Endpoint
• Microsoft Dynamics
• Microsoft Edge (Chromium-based)
• Exchange Server
• Office and Office Components
• SharePoint Server
• Windows Hyper-V, DNS Server
• Skype for Business
• .NET and Visual Studio
• Windows App Store
• Windows Print Spooler Components

Year 3 Extended Support – Windows 7 and Windows Server 2008 (including R2) have received some updates this month as well.

Robert Brown, Head of Customer Success for Syxsense said, “We have an increase of patches fixed in this release which matches what we had released last year, and is almost twice as many as last month.  There is both a weaponized threat and a Public Aware threat so right away you have updates to prioritize this month.  We also have an increase of Critical updates this month, increasing from 3 last month to 10 this month.”

Top April 2022 Patches and Vulnerabilities

Based on the Vendor Severity and CVSS Score, we have made a few recommendations below. As usual, we recommend entering the CVE numbers below into your patch management solution and deploying as soon as possible.

1. CVE-2022-24521: Windows Common Log File System Driver Elevation of Privilege Vulnerability

The vulnerability exists due to a boundary error within the Windows Common Log File System Driver. A local user can run a specially crafted program to trigger memory corruption and execute arbitrary code with elevated privileges.

Syxscore

• Vendor Severity: Important
• CVSS: 7.8
• Weaponized: Yes
• Public Aware: No
• Countermeasure: No 

Syxscore Risk

• Attack Vector: Local
• Attack Complexity: Low
• Privileges: Low
• User Interaction: None
• Scope (Jump Point): Unchanged / No

2. CVE-2022-26904: Windows User Profile Service Elevation of Privilege Vulnerability

The vulnerability exists due to a race condition in Windows User Profile Service. A local user can exploit the race and escalate privileges on the system.

Syxscore

• Vendor Severity: Important
• CVSS: 7.0
• Weaponized: No
• Public Aware: Yes
• Countermeasure: No

Syxscore Risk

• Attack Vector: Local
• Attack Complexity: High
• Privileges: Low
• User Interaction: None
• Scope (Jump Point): Unchanged / No

3. CVE-2022-26809: Remote Procedure Call Runtime Remote Code Execution Vulnerability

The vulnerability could allow a remote attacker to executed code at high privileges on an affected system. Since no user interaction is required, these factors combine to make this wormable, at least between machine where RPC can be reached.

Syxscore

• Vendor Severity: Critical
• CVSS: 9.8
• Weaponized: No
• Public Aware: No
• Countermeasure: Yes

Syxscore Risk

• Attack Vector: Network
• Attack Complexity: Low
• Privileges: None
• User Interaction: None
• Scope (Jump Point): Unchanged / No