July Patch Tuesday brings more than 80 fixes, one zero-day

Microsoft customers with Windows Enterprise E3 and E5 licences can now take advantage of automated patching with Redmond’s Windows Autopatch service – formally launched yesterday – but for everybody else, the latest Patch Tuesday update brings more than 80 fixes, including one actively exploited zero-day to which attention must be paid.

Tracked as CVE-2022-22047, the zero-day is in Windows Client Server Runtime Process (CSRSS), a highly important part of every Windows operating system that manages several critical processes.

Fortunately, successful exploitation requires an attacker to have an existing foothold on the target’s systems, so it carries a comparatively low CVSS score of just 7.8. However, Microsoft said it is under active attack and if successfully exploited, could allow the attacker to execute code with SYSTEM-level privileges.

Assessing the potential impact of CVE-2022-22047, Immersive Labs’ Kev Breen said: “This kind of vulnerability is typically seen after a target has already been compromised. Crucially, it allows the attacker to escalate their permissions from that of a normal user to the same permissions as the SYSTEM.

“With this level of access, the attackers are able to disable local services such as endpoint detection and security tools. With SYSTEM access they can also deploy tools like Mimikatz which can be used to recover even more admin and domain level accounts, spreading the threat quickly,” said Breen.

Mike Walters, co-founder of Action1, a supplier of cloud remote monitoring and management services, added: “Vulnerabilities of this type are great for taking control over a workstation or server when they are paired with phishing attacks that use Office documents with macros. This vulnerability can likely be combined with Follina to gain full control over a Windows endpoint.”

The value of macros in successfully crafting an attack that exploits CVE-2022-22047 will make it of additional concern for many, given Microsoft’s suspension of its new policy to block macros by default late last week, apparently only temporarily.

Elsewhere, Redmond’s July drop contains fixes for four critical vulnerabilities, all of which enable remote code execution. These are, in numerical order, CVE-2022-22029 in Windows Network File System; CVE-2022-22038 in Remote Procedure Call Runtime; CVE-2022-22039, also in Windows Network File System; and finally, CVE-2022-30221 in Windows Graphics Component.

Of these four vulnerabilities, the first three would be relatively tricky for attackers to exploit because they require a large amount of sustained data to be transmitted, while the fourth requires an attacker to run a malicious remote desktop (RDP) server, and convince a user to connect to it. “This is not as far-fetched as it first sounds,” said Breen. “As RDP shortcut files could be emailed to target victims, and these file types may not flag as malicious by email scanners and filters.”

Looking beyond the most impactful vulnerabilities, the July drop is also notable for a high number of fixes that address a whopping 33 elevation of privilege vulnerabilities in the Azure Site Recovery service.

None of these vulnerabilities are being actively exploited, but according to Chris Goettl of Ivanti, they are highly problematic. “The concern is in the number of vulnerabilities resolved,” he said. “They were identified by several independent researchers and anonymous parties, which means the knowledge of how to exploit these vulnerabilities is a bit more broadly distributed.

“The resolution is also not simple. It requires signing into each process server as an administrator, downloading and installing the latest version. Vulnerabilities like this are often easy to lose track of as they are not managed by the typical patch management process.”

Goettl also called out four print-spooler vulnerabilities – again none previously disclosed or exploited, but still risky in terms of the disruption they could potentially cause to organisations. “Since PrintNightmare, there have been many Print Spooler fixes, and in more than one of those Patch Tuesday events the changes have resulted in operational impacts,” he said.

“This makes administrators a little gun-shy and warrants some extra testing to ensure no negative issues occur in their organisation,” said Goettl. “The bigger risk is if this blocks an organisation from pushing the July OS update it could prevent resolving critical vulnerabilities and the zero-day vulnerability CVE-2022-22047, which is also included in the cumulative OS update.”