Actively exploited zero-day and four 'critical' vulnerabilities fixed in Microsoft's July Patch Tuesday


Microsoft’s monthly security updates for July have been released this week, fixing 84 vulnerabilities in total, including one actively exploited zero-day.

The zero-day (CVE-2022-22047) is a privilege escalation flaw in the Windows Client/Server Runtime Subsystem (CSRSS); successful exploitation could grant an attacker SYSTEM privileges.

It has been given a CVSSv3 score of 7.8/10 - a ‘high’ rating - and Tenable said it is the kind of vulnerability most likely to be used after an attacker has already gained a foothold in an organisation.

“This type of vulnerability is likely to have been used as part of post-compromise activity, once an attacker has gained access to their targeted system and run a specially crafted application,” it said.

No other details on the zero-day have been released beyond Microsoft’s assessment that exploitation is of low complexity but requires a local attack vector.

This means an attacker must already be able to run code on the target machine, whether by sitting at the keyboard or through an existing remote foothold, which supports Tenable’s conclusion that the flaw would be used after an organisation has already been compromised.

As the only actively exploited bug in this month’s batch of patches, CVE-2022-22047 is the one businesses should prioritise.

The US cyber security authority CISA added the zero-day to its Known Exploited Vulnerabilities catalogue, the list of flaws that all federal civilian executive branch agencies must patch under Binding Operational Directive 22-01, first issued last year and updated regularly since.
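The KEV catalogue is published as a JSON feed, which makes it straightforward to cross-reference a Patch Tuesday release against it and order the month’s CVEs for patching. The following Python script is an added example and is not code from the article, Microsoft or CISA: the catalogue entry is constructed inline in the shape of CISA’s feed (the field names are assumed from the published feed and should be checked against the live file), and the CVE list and CVSS scores are the ones reported in this article.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's Known Exploited Vulnerabilities (KEV) JSON feed.
# Field names follow the published feed (an assumption; verify against the live file at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The entry text is illustrative, not copied from the catalogue.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2022.07.12",
  "dateReleased": "2022-07-12T00:00:00Z",
  "count": 1,
  "vulnerabilities": [
    {
      "cveID": "CVE-2022-22047",
      "vendorProject": "Microsoft",
      "product": "Windows",
      "vulnerabilityName": "Microsoft Windows CSRSS Privilege Escalation Vulnerability",
      "dateAdded": "2022-07-12",
      "shortDescription": "Constructed sample entry for the July 2022 CSRSS zero-day.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2022-08-02",
      "notes": ""
    }
  ]
}
"""

# CVE IDs and CVSSv3 base scores as reported in the article.
JULY_PATCH_CVES = {
    "CVE-2022-22047": 7.8,
    "CVE-2022-30222": 8.4,
    "CVE-2022-30216": 8.8,
    "CVE-2022-30221": 8.8,
}


def load_kev(feed_text: str) -> dict[str, dict]:
    """Parse a KEV feed and index its entries by CVE ID."""
    catalog = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def triage(cves: dict[str, float], kev: dict[str, dict], today: date) -> list[dict]:
    """Order a release's CVEs for patching.

    KEV-listed CVEs come first (earliest BOD 22-01 due date first), then the
    remainder by CVSS score, highest first. Each row carries the due date and the
    days left (negative once overdue) so the output can feed a ticket or report.
    """
    rows = []
    for cve_id, cvss in cves.items():
        entry = kev.get(cve_id)
        row = {
            "cve": cve_id,
            "cvss": cvss,
            "in_kev": entry is not None,
            "due_date": None,
            "days_remaining": None,
            "overdue": False,
        }
        if entry is not None:
            due = date.fromisoformat(entry["dueDate"])
            row["due_date"] = due.isoformat()
            row["days_remaining"] = (due - today).days
            row["overdue"] = row["days_remaining"] < 0
        rows.append(row)
    # ISO dates sort correctly as strings; non-KEV rows get a far-future key.
    rows.sort(key=lambda r: (not r["in_kev"], r["due_date"] or "9999-12-31", -r["cvss"]))
    return rows


if __name__ == "__main__":
    kev_index = load_kev(SAMPLE_KEV_JSON)
    for row in triage(JULY_PATCH_CVES, kev_index, date(2022, 7, 12)):
        flag = "KEV" if row["in_kev"] else "   "
        print(f"{flag} {row['cve']} cvss={row['cvss']} due={row['due_date']} "
              f"days_left={row['days_remaining']} overdue={row['overdue']}")
```

Run against the real feed, `load_kev` is given the downloaded file's contents instead of the sample, and `cves` the full list from the month’s security update guide; the sort then puts the CISA-mandated items at the top regardless of their CVSS score, which for CVE-2022-22047 (7.8) is lower than several non-exploited bugs in the same release.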

Four critical-rated vulnerabilities were fixed in this month’s ‘Patch Tuesday’, though none of these are believed to have been actively exploited.

The first of these is CVE-2022-30222, which has a CVSSv3 score of 8.4/10. The remote code execution (RCE) vulnerability affects PCs with the Japanese language pack installed, and an attacker can exploit it through the input method editor (IME) to gain system privileges.

An IME is software that lets users enter characters not present on a standard QWERTY keyboard: rather than pressing a dedicated key for each character, the user types a combination of keys that the IME converts into the intended character.

CVE-2022-30216 received a score of 8.8/10 and is a tampering vulnerability in the Windows Server service, which Microsoft assesses as “exploitation more likely”.

Exploitation requires the attacker to be authenticated, which may limit its real-world impact; Microsoft’s advisory describes an authenticated attacker uploading a malicious certificate to a target server.

Another 8.8-rated bug is CVE-2022-30221, an RCE flaw in the Windows Graphics Component. Microsoft rates exploitation as “less likely” because a victim would have to be convinced to connect to a malicious remote desktop protocol (RDP) server, which limits its real-world impact.

Still, if an employee were persuaded to connect to an attacker-controlled RDP server, the attacker could exploit the flaw to execute code on the victim’s system.

The final ‘critical’ vulnerability this month is the 8.8-rated CVE-2022-22026, a privilege escalation bug that, like the zero-day above, affects Windows CSRSS.

Microsoft again assesses exploitation as “less likely”, but an authenticated attacker could send a specially crafted request to CSRSS to elevate from an AppContainer to SYSTEM privileges, and then execute code or access resources at that level.

In summary, July’s Patch Tuesday has been described by some experts as “boring”, given the low number of seriously threatening vulnerabilities compared with previous months.

For the full list of vulnerabilities and Microsoft’s assessments on each, visit the company’s dedicated security update guide.

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.