Microsoft releases impressive July 2022 Security Patch
Microsoft released a new round of updates (KB5015807) to address 84 new security flaws spanning many product categories, including a zero-day vulnerability that’s under active attack in the wild.
Out of 84 security flaws 4 are rated Critical, and 80 are rated Important in severity. Another two other bugs are in the Chromium-based Edge browser, one of which plugs another zero-day flaw that Google disclosed as being actively exploited in real-world attacks, yikes!
One update is CVE-2022-22047 (CVSS score: 7.8), a case of privilege escalation in the Windows Client Server Runtime Subsystem (CSRSS) that could be abused by an attacker to gain SYSTEM permissions.
Two more elevation of privilege flaws have been fixed in the same component — CVE-2022-22026 (CVSS score: 8.8) and CVE-2022-22049 (CVSS score: 7.8)!
“A locally authenticated attacker could send specially crafted data to the local CSRSS service to elevate their privileges from AppContainer to SYSTEM,” Microsoft said in an advisory for CVE-2022-22026.
“Because the AppContainer environment is considered a defensible security boundary, any process that is able to bypass the boundary is considered a change in Scope. The attacker could then execute code or access resources at a higher integrity level than that of the AppContainer execution environment.”
Completing the Patch Tuesday updates are two notable fixes for tampering with vulnerabilities in the Windows Server Service (CVE-2022-30216) and Microsoft Defender for Endpoint (CVE-2022-33637) and three denial-of-service (DoS) flaws in Internet Information Services (CVE-2022-22025 and CVE-2022-22040) and Security Account Manager (CVE-2022-30208).
Software Patches from Other Vendors
Plus security updates have also been released by the below list of vendors in July to rectify several vulnerabilities.
Adobe, AMD, Cisco, Citrix, Dell, Fortinet, Google Chrome, HP, Intel, Lenovo and VMware. Make sure your device gets the updates today!