Microsoft has released over 100 security fixes for software that resolve critical issues including two zero-days.
In the Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, Microsoft has fixed problems including numerous remote code execution (RCE) bugs, elevation of privilege (EoP) issues, denial-of-service, information leaks, and spoofing. In total, 10 vulnerabilities are classed as critical.
Products impacted by April’s security update include the Windows OS, Microsoft Office, Dynamics, Edge, Hyper-V, File Server, Skype for Business, and Windows SMB.
The zero-day vulnerabilities resolved in this update are:
- CVE-2022-26904: This known zero-day flaw impacts the Windows User Profile Service and is described as an EoP vulnerability. The bug has been issued a CVSS severity score of 7.0 and its attack complexity is considered ‘high’, as “successful exploitation of this vulnerability requires an attacker to win a race condition,” according to Microsoft.
- CVE-2022-24521: This bug is another EoP issue found in the Windows Common Log File System Driver. Issued a CVSS score of 7.8, Microsoft says that attack complexity is low and the company has detected active exploitation, despite the flaw not being made public until now.
Two other security issues, CVE-2022-26809 and CVE-2022-24491, are also of note. These vulnerabilities, impacting Remote Procedure Call Runtime and the Windows Network File System, have earned CVSS scores of 9.8 and can be exploited to trigger RCE.
According to the Zero Day Initiative (ZDI), the patch volume level is similar to Q1 2021.
Last month, Microsoft resolved 71 vulnerabilities in the March batch of security fixes. Among the bugs dealt with are CVE-2022-22006 and CVE-2022-24501, which are the only two critical bugs that were patched. In February, Microsoft patched 48 vulnerabilities, including one zero-day security flaw.
In other Microsoft news, the tech giant is planning a change that could mean an end to Patch Tuesday as we know it. Dubbed Windows Autopatch, the automatic Windows and Office software update service will be rolled out to enterprise clients to make sure they have access to security fixes more quickly, rather than waiting for one monthly update — with the exception of emergency out-of-schedule releases.
Windows Autopatch is set for release in July 2022.
Alongside Microsoft’s Patch Tuesday round, other vendors, too, have published security updates which can be accessed below.