IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Microsoft's massive 145-vulnerability Patch Tuesday fixes ten critical exploits

This month's round of patches is now available with some exploits proving to be particularly dangerous

Microsoft has patched considerably more than 100 security vulnerabilities this week, as part of its monthly ‘Patch Tuesday’, including ten rated ‘critical’.

The 145 now-fixed vulnerabilities were dominated by privilege escalation flaws and remote code execution (RCE) vulnerabilities, a total of 55 and 47 respectively. Denial of service, information disclosure, and spoofing flaws comprised the majority of the remainder.

Of the ten critical-rated vulnerabilities, three of them scored nearly maximum marks (9.8), representing a serious threat to organisations. 

All three 9.8-rated vulnerabilities are RCE flaws that require a low degree of attack complexity in order to exploit, two of which are wormable, according to Zero Day Initiative (ZDI).

The first of the two wormable flaws is CVE-2022-26809, a flaw that could allow an attacker to execute arbitrary code on a machine with high privileges. The static port used in this exploit (TCP port 135) is usually blocked at the network perimeter, ZDI said, but it’s still a highly dangerous vulnerability that should be patched swiftly.

The second wormable attack can be exploited through a combination of two vulnerabilities amounting to a critical rating, both affecting the Windows Network File System (NFS) and tracked as CVE-2022-24491 and CVE-2022-24497.

“On systems where the NFS role is enabled, a remote attacker could execute their code on an affected system with high privileges and without user interaction,” said ZDI. “Again, that adds up to a wormable bug – at least between NFS servers. 

“Similar to RPC, this is often blocked at the network perimeter. However, Microsoft does provide guidance on how the RPC port multiplexer (port 2049) ‘is firewall-friendly and simplifies deployment of NFS.’ Check your installations and roll out these patches rapidly.”

Another of the more notable vulnerabilities was CVE-2022-26904. Found jointly by CrowdStrike and the US National Security Agency, it’s a privilege escalation issue that can be exploited if an attacker can win a race condition.

Microsoft categorised the flaw as ‘high’ complexity in order to exploit it and there is functional proof-of-concept (PoC) code available that works in most situations where the vulnerability exists, it said.

Its CVSS v3 score is comparatively lower than the aforementioned critical vulnerabilities, scoring 7.0, but ZDI also noted that there is a functional Metasploit module also available for CVE-2022-26904. This means the widely abused penetration testing software now has pre-built functionality to exploit the security vulnerability, making attacks easier for cyber criminals.

Related Resource

The Total Economic Impact™ of IBM Security MaaS360 with Watson

Cost savings and business benefits enabled by MaaS360

Whitepaper cover with title and green square graphic to rightFree Download

As with all security vulnerabilities and especially zero-day exploits, businesses are urged to apply the patches as soon as possible to prevent cyber attacks and potential data loss. Now that these vulnerabilities are published, prospective attackers can analyse the exploit methodology and use it to their advantage.

“With so many vulnerabilities to manage, it can be difficult to prioritise,” said Greg Wiseman, Lead Product Manager at Rapid7 to IT Pro. “Thankfully, most of this month’s CVEs can be addressed by patching the core operating system

"Administrators should first focus on updating any public-facing servers before moving on to internal servers and then client systems. The SMB Client vulnerabilities can also be mitigated by blocking port 445/tcp at the network perimeter – victims need to be enticed to connect to a malicious SMB server, and this would help against Internet-based attackers. Of course, this won’t help much if the malicious system was set up within the perimeter.”

Full details of this week's round of patches can be found in Microsoft's detailed rundown.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Microsoft to double salary budget to retain workers
Careers & training

Microsoft to double salary budget to retain workers

17 May 2022
Microsoft warns of new botnet variant targeting Windows and Linux systems
Security

Microsoft warns of new botnet variant targeting Windows and Linux systems

16 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
Actively exploited Windows vulnerability reaches peak severity when paired with popular attack
Security

Actively exploited Windows vulnerability reaches peak severity when paired with popular attack

11 May 2022

Most Popular

Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
Costa Rica declares state of emergency following Conti ransomware attack
ransomware

Costa Rica declares state of emergency following Conti ransomware attack

10 May 2022
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022