July (Auto) Patch Tuesday: One Zero-Day Flaw Fixed
Microsoft's monthly security patches for July are here and, despite the 86 flaws fixed, it might go smoother for some thanks to Windows Autopatch.
Microsoft's automated patching service became available on Monday, just in time for this month's security update, and will provide hands-off updating of Windows devices and Microsoft 365 Apps for organizations with Windows Enterprise E3 and E5 licenses.
For organizations without Windows Autopatch, this month's priority should be the single zero-day flaw, CVE-2022-22047, an elevation-of-privilege vulnerability in all supported versions of Windows OS and Windows Server. Since Microsoft has already seen attacks exploiting this hole in the Windows Client Server Run-Time Subsystem, it is recommended that the fix be deployed as soon as necessary testing is complete.
Outside of assigning it an "important" rating, Microsoft has not provided any additional details on the flaw or how it is currently being exploited in the wild.
4 July 'Critical' Fixes
Once the active zero-day is handled, IT should prioritize the four bulletins rated "critical" by Microsoft. The good news is that none of the holes are being exploited, so patch only after your organizational due diligence is done.
All four of this month's most severe items involve remote code execution vulnerabilities. The first, CVE-2022-22038, affects the Remote Procedure Call Runtime and could become a headache for IT if ignored, according to security expert Dustin Childs.
"This bug could allow a remote, unauthenticated attacker to exploit code on an affected system," wrote Childs in his Zero Day Initiative security blog. "While not specified in the bulletin, the presumption is that the code execution would occur at elevated privileges. Combine these attributes and you end up with a potentially wormable bug."
Next up is CVE-2022-22029, which marks the third month in a row with a fix for Windows Network File System. According to Microsoft, this flaw could be a way for attackers to enter your network "by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE)."
That's not all. The Windows Network File System gets yet another critical fix this month with CVE-2022-2039, which can be exploited in the same fashion as the previous item.
Finally, the Windows Graphics Component is getting a fix (CVE-2022-30221) to address a problem that could lead to an attacker gaining unauthorized access to a system if a user was tricked into connecting to a malicious RDP server. All supported versions of Windows OS and Windows Server running RDP 8.0 or RDP 8.1 are at risk.
Microsoft Hardens Azure
Notable this month is that among the remaining 81 bulletins, 28 focus on Microsoft Azure, specifically Azure Site Recovery (ASR). Microsoft addressed the unusually large number of Azure fixes in a separate security blog and said that the unusual roundup only affects "ASR on-premises customers using a VMware/Physical to Azure scenario and are fixed in the latest ASR 9.49 release."
This batch, which includes remote code execution and elevation-of-privilege flaws, does not affect customer workloads -- only replication capabilities -- and the flaws can be exploited only if an attacker compromises legitimate user credentials.
Microsoft said that all 28 issues can be resolved by upgrading to the latest version of ASR.