Microsoft on Tuesday released updates to fix about 120 security vulnerabilities in its Windows operating systems and other software. Two of the bugs had been publicly disclosed before this week, and one is already seeing active exploitation, according to a report from the U.S. National Security Agency (NSA).
Of particular concern this month is CVE-2022-24521, a “privilege escalation” vulnerability in the Windows shared log file system driver. In its advisory, Microsoft said it received a report from the NSA stating that the bug is under active attack.
“It is not stated how widely the exploit is being used in the wild, but it is probably still targeted at this time and not widely available,” assessed Dustin Childs of Trend Micro's Zero Day Initiative. “Go patch your systems before that situation changes.”
Nine of the updates released this week address issues that Microsoft considers “critical,” meaning that the bugs they fix could be exploited by malware or malcontents to seize total remote access to a Windows system without any help from the user.
Among the scariest of the critical bugs is CVE-2022-26809, a potentially “wormable” vulnerability in a core Windows component (RPC), which received a CVSS score of 9.8 (10 being the worst). Microsoft said it believes that exploitation of this flaw is more likely than not.
Other potentially wormable threats this month include CVE-2022-24491 and CVE-2022-24497, Windows Network File System (NFS) vulnerabilities that also clock in with CVSS scores of 9.8 and are listed as “exploitation more likely” by Microsoft.
“These could be the kind of vulnerabilities that appeal to ransomware operators, as they allow for the disclosure of critical data,” said Kevin Breen, director of cyber threat research at Immersive Labs. “It is also important for security teams to note that the NFS role is not a default configuration for Windows devices.”
Speaking of wormable flaws, CVE-2022-24500 is a critical bug in the Windows Server Message Block (SMB).
“This is especially poignant as we approach the anniversary of WannaCry, which famously used the EternalBlue SMB vulnerability to spread at a rapid pace,” Breen added. “Microsoft recommends blocking TCP port 445 at the perimeter firewall, which is strong advice regardless of this specific vulnerability. While this will not stop exploitation by attackers within the local area network, it will prevent new attacks originating from the Internet.”
In addition, this month’s patch batch from Redmond brings updates for Exchange Server, Office, SharePoint Server, Windows Hyper-V, DNS Server, Skype for Business, .NET and Visual Studio, Windows App Store, and Windows Print Spooler components.
As it usually does on the second Tuesday of each month, Adobe released four patches addressing 70 vulnerabilities in Acrobat and Reader, Photoshop, After Effects, and Adobe Commerce. More information about these updates is available here.
For a complete list of all patches released by Microsoft today, indexed by difficulty and other metrics, see the always-useful Patch Tuesday summary from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.
As always, you should consider backing up your system or at least your important documents and data before applying system updates. And if you encounter problems with these patches, please write a note about it here in the comments.