Microsoft Delivers Massive April Patch Tuesday
It's Patch Tuesday yet again. And Microsoft is making it a memorable one with 128 vulnerability fixes -- the most seen since October 2020.
The good news is that despite the large number for April, only two items address zero-day flaws. IT should prioritize these first, as one of the two is currently being exploited in the wild.
CVE-2022-24521 is the actively exploited flaw and affects the Windows Common Log File System Driver. Present in all supported versions of Windows and Windows Server, it can lead to an elevation of privilege attack if left unaddressed. The flaw was discovered and disclosed to Microsoft by the National Security Agency and security researchers at CrowdStrike.
The second zero-day fix, CVE-2022-26904, is not currently being exploited, but it's just a matter of time. The flaw, affecting the Windows User Profile Service, is publicly known and can lead to an elevation of privilege attack if left unpatched. Fortunately, Microsoft rates this flaw as "low" when it comes to real-world risk, due to its limited scope. To be successful, attackers would already need a level of privilege on a targeted machine and would need to couple this hole with additional malicious code to take advantage of it.
Despite not being actively exploited or publicly disclosed, IT should prioritize CVE-2022-26809 as soon as possible. It addresses a flaw in the RPC Runtime Library that could lead to remote code execution. According to security expert Dustin Childs of Trend Micro's Zero Day Initiative, in his patch analysis, the lack of user interaction needed to pull off a successful attack makes this one especially alarming:
Since no user interaction is required, these factors combine to make this wormable, at least between machines where RPC can be reached. However, the static port used here (TCP port 135) is typically blocked at the network perimeter. Still, this bug could be used for lateral movement by an attacker.
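Childs's point is that exposure depends on where TCP 135 can be reached. The following added example, which is not from the article or from Microsoft, audits the local Windows Defender Firewall for inbound rules that allow TCP 135 from any remote address, so administrators can confirm the host-level exposure while the patch is rolled out. It assumes the NetSecurity module (Windows 8 / Server 2012 and later) and an elevated session; `Get-ExposedRpcRules` is a name chosen for this example.

```powershell
# Added example (not from the article): list enabled inbound Allow rules that
# open TCP 135 (RPC endpoint mapper) and show which remote addresses may use them.
# Assumes the NetSecurity module and an elevated PowerShell session.

function Get-ExposedRpcRules {
    param([int]$Port = 135)

    # Only enabled, inbound, Allow rules can expose the port.
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction Stop

    foreach ($rule in $rules) {
        $portFilter = $rule | Get-NetFirewallPortFilter
        if ($portFilter.Protocol -ne 'TCP') { continue }

        # LocalPort may be a number, a range such as "135-139", "Any", or the
        # keyword "RPCEPMap" (the endpoint mapper, i.e. TCP 135).
        $matchesPort = $false
        foreach ($p in @($portFilter.LocalPort)) {
            if ($p -eq 'Any' -or $p -eq 'RPCEPMap' -or $p -eq "$Port") { $matchesPort = $true; break }
            if ($p -match '^(\d+)-(\d+)$' -and [int]$Matches[1] -le $Port -and [int]$Matches[2] -ge $Port) {
                $matchesPort = $true; break
            }
        }
        if (-not $matchesPort) { continue }

        $addrFilter = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $rule.DisplayName
            Profile       = $rule.Profile
            LocalPort     = (@($portFilter.LocalPort) -join ',')
            RemoteAddress = (@($addrFilter.RemoteAddress) -join ',')
            # A rule reachable from "Any" remote address is the one to review;
            # rules scoped to LocalSubnet or specific hosts limit the blast radius.
            Exposed       = (@($addrFilter.RemoteAddress) -contains 'Any')
        }
    }
}

Get-ExposedRpcRules | Sort-Object Exposed -Descending | Format-Table -AutoSize
```

This checks the host firewall only; it complements, and does not replace, the perimeter block on TCP 135 that Childs describes.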
When deciding what to tackle next, CVE-2022-24491 and CVE-2022-26815 should be deployed as soon as possible. Both address remote code execution flaws, the former in the Windows Network File System and the latter in the Windows DNS Server.
April's release also includes nine additional bulletins rated "critical":
- CVE-2022-23259: Microsoft Dynamics 365 (on-premises) Remote Code Execution vulnerability.
- CVE-2022-26809: RPC Runtime Library remote code execution vulnerability.
- CVE-2022-22008: Windows Hyper-V remote code execution vulnerability.
- CVE-2022-23257: Windows Hyper-V remote code execution vulnerability.
- CVE-2022-24537: Windows Hyper-V remote code execution vulnerability.
- CVE-2022-26919: Windows LDAP remote code execution vulnerability.
- CVE-2022-24497: Windows Network File System remote code execution vulnerability.
- CVE-2022-24541: Windows Server Service remote code execution vulnerability.
- CVE-2022-24500: Windows SMB remote code execution vulnerability.
Greg Wiseman, product manager at security firm Rapid7, has some additional advice for this month's patch. "With so many vulnerabilities to manage, it can be difficult to prioritize," said Wiseman in an e-mailed comment. "Thankfully, most of this month's CVEs can be addressed by patching the core OS. Administrators should first focus on updating any public-facing servers before moving on to internal servers and then client systems."
The full list of all 128 bulletins can be found here.
Windows Autopatch Coming Soon
April's patch comes just one week after Microsoft announced that its new IT-focused Windows Autopatch -- which lets Microsoft take control of an organization's patching through automation -- will be generally available in July.
While this looks to lessen the burden on IT when patching the Windows OS (and some third-party drivers), the feature will not be coming to Microsoft's server products. The company also has not commented on how this feature will affect its future monthly patch releases.