September 21, 2023

Microsoft addresses 117 CVEs in its April 2022 Patch Tuesday release, including two zero-day vulnerabilities, one of which was exploited in the wild and reported to Microsoft by the NSA. 9 patches were rated as critical, and 108 patches were rated as important.

This month’s update includes patches for:

  • .NET Framework
  • Active Directory Domain Services
  • Azure SDK
  • Azure Site Recovery
  • LDAP – Lightweight Directory Access Protocol
  • Microsoft Bluetooth Driver
  • Microsoft Dynamics
  • Microsoft Edge (Chromium-based)
  • Microsoft Graphics Component
  • Microsoft Local Security Authority Server (lsasrv)
  • Microsoft Office Excel
  • Microsoft Office SharePoint
  • Microsoft Windows ALPC
  • Microsoft Windows Codecs Library
  • Microsoft Windows Media Foundation
  • Power BI
  • Role: DNS Server
  • Role: Windows Hyper-V
  • Skype for Business
  • Visual Studio
  • Visual Studio Code
  • Windows Ancillary Function Driver for WinSock
  • Windows App Store
  • Windows AppX Package Manager
  • Windows Cluster Client Failover
  • Windows Cluster Shared Volume (CSV)
  • Windows Common Log File System Driver
  • Windows Defender
  • Windows DWM Core Library
  • Windows Endpoint Configuration Manager
  • Windows Fax Compose Form
  • Windows Feedback Hub
  • Windows File Explorer
  • Windows File Server
  • Windows Installer
  • Windows iSCSI Target Service
  • Windows Kerberos
  • Windows Kernel
  • Windows Local Security Authority Subsystem Service
  • Windows Media
  • Windows Network File System
  • Windows PowerShell
  • Windows Print Spooler Components
  • Windows RDP
  • Windows Remote Procedure Call Runtime
  • Windows schannel
  • Windows SMB
  • Windows Telephony Server
  • Windows Upgrade Assistant
  • Windows User Profile Service
  • Windows Win32K
  • Windows Work Folder Service
  • YARP reverse proxy

Windows Common Log File System Driver EoP Vulnerabilities

CVE-2022-24521 is an elevation of privilege (EoP) vulnerability in the Windows Common Log File System (CLFS) driver for Microsoft Windows. EoP flaws like this one are leveraged post-authentication, after an attacker has successfully accessed a vulnerable system, to gain higher permissions. According to Microsoft, this flaw has been exploited in the wild as a zero-day, though we do not have any additional details about its exploitation. CVE-2022-24481 is another EoP in the CLFS driver that received the same CVSSv3 score of 7.8 and is rated Exploitation More Likely. However, it is not a zero-day.

Windows User Profile Service EoP Vulnerability

CVE-2022-26904 is an EoP vulnerability in the Windows User Profile service with a risk score of 7.0, which rates its severity as important. The attack complexity for this flaw is considered high because it requires an attacker to win a race condition, and it is rated Exploitation More Likely. This is the second of two zero-days addressed this month, as details about this vulnerability were publicly disclosed prior to a patch being made available.

Windows Network File System RCE Vulnerability

CVE-2022-24491 is a critical RCE vulnerability in the Windows Network File System (NFS) that received a risk score of 9.8 and a rating of More Likely. An unauthenticated, remote attacker could exploit this vulnerability by sending specially crafted NFS protocol network messages to a vulnerable system. Only systems with the NFS role enabled are at risk for exploitation; however, organizations should still apply the patch to all systems to ensure they are protected.

Remote Procedure Call Runtime RCE Vulnerability

CVE-2022-26809 is a critical RCE vulnerability in the Remote Procedure Call (RPC) runtime. It received a risk score of 9.8. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted RPC call to an RPC host. Patching is the best approach to fully address this vulnerability; however, if patching is not feasible, Microsoft recommends blocking TCP port 445 on the perimeter firewall to mitigate attempts to exploit this flaw.

Windows DNS Server RCE Vulnerabilities

CVE-2022-26817 and CVE-2022-26814 are RCE vulnerabilities in Windows DNS Server affecting Active Directory Domain Services. Both received a risk score of 6.6 and are rated Exploitation Less Likely, which may be tied to the higher attack complexity and required permissions. To successfully exploit these flaws, an attacker on the target network with permissions to query the domain name service must win a race condition. Only if they perfectly time exploitation can they achieve RCE. Patches have been released for supported versions of Windows Server and Windows Server Core installations.

15 EoP Vulnerabilities in Windows Print Spooler

Microsoft patched 15 EoP vulnerabilities in Print Spooler components, all of which received a 7.8 risk score. Although Microsoft rates these vulnerabilities as Exploitation Less Likely, attackers have exploited EoP flaws in Print Spooler in the past.

  • CVE-2022-26803
  • CVE-2022-26786
  • CVE-2022-26787
  • CVE-2022-26789
  • CVE-2022-26790
  • CVE-2022-26791
  • CVE-2022-26802
  • CVE-2022-26792
  • CVE-2022-26797
  • CVE-2022-26795
  • CVE-2022-26796
  • CVE-2022-26798
  • CVE-2022-26801
  • CVE-2022-26793
  • CVE-2022-26794
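
To help decide which hosts to patch first, the following added example (not from the original post or from Microsoft) reports which of the components discussed above are present on the local Windows host. It assumes the standard feature and service names `FS-NFS-Service`, `DNS` and `Spooler`; the helper function names are hypothetical.

```powershell
# Added example: read-only report of which components named in this post are
# present on the local Windows host. It does not check patch level.

function Test-RoleInstalled([string]$FeatureName) {
    # Get-WindowsFeature ships with Windows Server only; clients report "not installed".
    if (-not (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue)) { return $false }
    $feature = Get-WindowsFeature -Name $FeatureName -ErrorAction SilentlyContinue
    return [bool]($feature -and $feature.Installed)
}

function Test-ServiceRunning([string]$ServiceName) {
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    return [bool]($svc -and $svc.Status -eq 'Running')
}

function Test-TcpListener([int]$Port) {
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    return [bool]$listeners
}

# Component-to-CVE mapping taken from the sections above.
$report = @(
    [pscustomobject]@{
        Component = 'Server for NFS role (FS-NFS-Service)'
        Present   = (Test-RoleInstalled 'FS-NFS-Service')
        CVEs      = 'CVE-2022-24491'
    }
    [pscustomobject]@{
        Component = 'TCP 445 listener (port to block at the perimeter)'
        Present   = (Test-TcpListener 445)
        CVEs      = 'CVE-2022-26809'
    }
    [pscustomobject]@{
        Component = 'DNS Server role (DNS)'
        Present   = (Test-RoleInstalled 'DNS')
        CVEs      = 'CVE-2022-26817, CVE-2022-26814'
    }
    [pscustomobject]@{
        Component = 'Print Spooler service (Spooler)'
        Present   = (Test-ServiceRunning 'Spooler')
        CVEs      = '15 Print Spooler EoP CVEs listed above'
    }
)

# Components that are present sort to the top.
$report | Sort-Object Present -Descending | Format-Table -AutoSize -Wrap
```

A `Present` value of `True` only means the component is exposed on that host; whether the April 2022 update is installed has to be confirmed separately.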

In the coming weeks, versions of the .NET Framework and Windows 10 will stop receiving updates and support. On April 26, .NET Framework 4.5.2, 4.6, and 4.6.1 will reach the end of support due to their use of the less secure SHA-1. On May 10, Windows 10 version 20H2 will reach the end of service. Users are urged to update to more recent versions to ensure they continue receiving important security updates.

Microsoft is planning a change that could mean an end to Patch Tuesday. Windows Autopatch, which Microsoft describes as an automatic Windows and Office software update service, will be rolled out to enterprise clients so that they have access to security fixes more quickly, rather than waiting for one monthly update, except for emergency out-of-schedule releases. We could see the development in Q3 2022.

Chromium Edge Browser Updates

| CVE Number | Name of Vulnerability |
|---|---|
| CVE-2022-1125 | Chromium: CVE-2022-1125 Use after free in Portals |
| CVE-2022-1127 | Chromium: CVE-2022-1127 Use after free in QR Code Generator |
| CVE-2022-1128 | Chromium: CVE-2022-1128 Inappropriate implementation in Web Share API |
| CVE-2022-1129 | Chromium: CVE-2022-1129 Inappropriate implementation in Full-Screen Mode |
| CVE-2022-1130 | Chromium: CVE-2022-1130 Insufficient validation of untrusted input in WebOTP |
| CVE-2022-1131 | Chromium: CVE-2022-1131 Use after free in Cast UI |
| CVE-2022-1133 | Chromium: CVE-2022-1133 Use after free in WebRTC |
| CVE-2022-1134 | Chromium: CVE-2022-1134 Type Confusion in V8 |
| CVE-2022-1135 | Chromium: CVE-2022-1135 Use after free in Shopping Cart |
| CVE-2022-1136 | Chromium: CVE-2022-1136 Use after free in Tab Strip |
| CVE-2022-1137 | Chromium: CVE-2022-1137 Inappropriate implementation in Extensions |
| CVE-2022-1138 | Chromium: CVE-2022-1138 Inappropriate implementation in Web Cursor |
| CVE-2022-1139 | Chromium: CVE-2022-1139 Inappropriate implementation in Background Fetch API |
| CVE-2022-1143 | Chromium: CVE-2022-1143 Heap buffer overflow in WebUI |
| CVE-2022-1145 | Chromium: CVE-2022-1145 Use after free in Extensions |
| CVE-2022-1146 | Chromium: CVE-2022-1146 Inappropriate implementation in Resource Timing |
| CVE-2022-1232 | Chromium: CVE-2022-1232 Type Confusion in V8 |
| CVE-2022-24475 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
| CVE-2022-24523 | Microsoft Edge (Chromium-based) Spoofing Vulnerability |
| CVE-2022-26891 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
| CVE-2022-26894 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
| CVE-2022-26895 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
| CVE-2022-26900 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
| CVE-2022-26908 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
| CVE-2022-26909 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
| CVE-2022-26912 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |