Two zero-day vulnerabilities – one of which has been previously disclosed and supposedly fixed twice – are among a total of 119 flaws fixed by Microsoft in its April 2022 Patch Tuesday update, alongside more than 20 Chromium vulnerabilities in the Edge browser.
The vulnerabilities in question are CVE-2022-24521, an elevation of privilege vulnerability in the Windows Common Log File System Driver, which is exploited but not public; and CVE-2022-26904, an elevation of privilege vulnerability in the Windows User Profile Service, which is public but not exploited. Both vulnerabilities carry CVSS scores of between seven and eight, rated as important.
As noted above, CVE-2022-26904 is of particular interest this month because it was supposed to have been fixed in the August 2021 update, when it was tracked as CVE-2021-34484. However, the researcher who discovered it later found a bypass, and when that bypass was fixed in January, he bypassed the fix a second time. It is known to be tricky to exploit because it requires a malicious actor to time their attack perfectly to win what is known as a “race condition”.
Out of the other vulnerabilities, 10 are rated as critical, 115 important and three moderate, making the April update the largest seen so far in 2022. More details on some of the other more impactful vulnerabilities this month can be found here.
Although large in its scope, the April drop may ultimately prove more noteworthy for being one of the last Patch Tuesday updates from Microsoft – at least in its current form. Earlier in April, Redmond revealed plans to roll out a new service called Windows Autopatch as a feature of Windows Enterprise E3 licences, covering Windows 10, 11 and Windows 365. This will become available in July 2022.
“This service will keep Windows and Office software on enrolled endpoints up to date automatically, at no additional cost. IT admins can gain time and resources to drive value. The second Tuesday of every month will be ‘just another Tuesday’,” said Microsoft’s Lior Bela.
Bela said the development of the service was prompted by the growing complexity of enterprise IT environments, which has vastly increased the number of potential vulnerabilities to patch, leading to security gaps when patches are not applied in a timely manner.
“Autopatch, by automating the management of updates, can provide timely response to changes and confidence around introducing new changes, and close the protection and productivity gaps,” said Bela.
“The value should be felt immediately by IT admins who won’t have to plan update roll-out and sequencing, and over the long term as increased bandwidth allows them more time to focus on driving value. Quality updates should enhance device performance and reduce help-desk tickets – feature updates should give users an optimal experience, with increased uptime and new tools to create and collaborate.”
At its core, the service will rely on a progressive roll-out of patches through a series of so-called Rings. In the future, the patch process will begin with a small core of devices used for test and validation purposes before cascading down into the rest of the enterprise estate more widely, with additional features dubbed Halt, Rollback and Selectivity that will come into play should something break.
Microsoft believes this will help it to improve the Autopatch service and provide peace of mind for end-user security teams.
“Keeping software up to date is one of the most effective preventative measures that an organisation can take. Cyber attacks aren’t magic, and by patching systems quickly, organisations can reduce the available attack surface,” said Tim Erlin, strategy vice-president at Tripwire.
“Microsoft has long supported automatic updates, but that basic capability never addressed the myriad of potential issues of patching at scale. Autopatch aims to implement a more robust process for delivering updates, including testing and staged roll-outs.
“For organisations that were already using automatic updates, Autopatch should make their lives easier. And for organisations that didn’t apply updates automatically, Autopatch should make it possible for them to do so.”
More information on the Windows Autopatch service is available in an FAQ compiled by Microsoft.