A Windows zero-day and a publicly disclosed vulnerability sit at the top of administrators' priority list for April Patch Tuesday.
This month Microsoft released fixes for 117 unique new vulnerabilities with nine critical ratings. There were no fixes for Exchange Server.
High on the priority list this month for administrators is the Windows zero-day, a Common Log File System (CLFS) driver privilege elevation vulnerability (CVE-2022-24521) that has been classified as critical and affects all supported Windows desktop and server systems.
The CVSS severity score is 7.8. A successful exploit requires no user interaction, and while authentication is required, an attacker can use the low privileges of a typical end user to gain a foothold in the network.
“If there is a vulnerability related to the rise of privileges, it will be used for a series of vulnerabilities working together,” said Chris Goettl, vice president of product management at Ivanti, an IT asset and endpoint management company. “The attacker will use this in combination with two or three other things. And it can be used to great effect in doing so.”
Microsoft credited the National Security Agency and cybersecurity firm CrowdStrike with discovering the flaw.
The publicly disclosed vulnerability is a privilege elevation bug in the Windows User Profile Service (CVE-2022-26904) that has been rated critical for all Windows desktop and server systems. Microsoft notes that the attack complexity is high: the threat actor must win a race condition to exploit it successfully. Functional exploit code exists for this vulnerability, which makes it even more important to deploy the security update as quickly as possible.
“Going from a functional code sample to an armed exploit is probably the least difficult part of the process for threatening actors,” Goettl said. “It can take a long time, but they usually have the infrastructure to plug in and take advantage of a new vulnerability.”
Of the nine critical April Patch Tuesday vulnerabilities, eight are in the Windows operating system, which makes resolving them quick for most administrators thanks to the cumulative update model.
“The only good news is the OS update,” Goettl said. “Prioritizing that would take a lot of risk off the table right away.”
Other security updates in April Patch Tuesday of note
Two hot spots for administrators this month are the Windows print spooler and Windows DNS Server, with 15 and 18 CVEs to address respectively.
“Everyone should anticipate that they may encounter some printer issues after a patch, so make sure and thoroughly test any important print experiences and applications you have,” Goettl said.
Outside of operating system fixes, another critical vulnerability is the Microsoft Dynamics 365 remote code execution bug (CVE-2022-23259) for on-premises versions 9.0 and 9.1. To exploit the bug, the attacker would need to run a trusted resolver file that was specifically set up to run certain SQL commands, then escalate the commands and run them as the database owner.
The remote procedure call (RPC) remote code execution vulnerability (CVE-2022-26809) has been rated critical for supported Windows desktop and server systems. The flaw carries a high level of potential risk, with a CVSS severity score of 9.8 out of 10. The attacker needs no authentication, only network access, and a successful exploit runs code with high privileges.
“To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to the RPC host. This could lead to remote code execution on the server side with the same permissions as the RPC service,” Microsoft wrote in its CVE notes.
Microsoft unveils upcoming patch automation service
Microsoft published a blog on April 5 announcing a new automatic update service called Windows Autopatch. The company said the free feature patches Windows 10/11 desktops and Office apps. The service is expected to launch in July and is open to organizations with a Windows Enterprise E3 subscription or above. Azure Active Directory and Microsoft Intune are also required.
“I think the young companies in the SME group will definitely find this a huge step forward, because they have already embraced these basic terms,” Goettl said.
Windows Autopatch does not update Windows Server systems, and Microsoft currently has no plans to include the server operating system. Windows Autopatch will handle Office patches, quality and feature updates for firmware, drivers, and third-party content currently in the Windows Update Catalog.
Windows Autopatch uses a testing framework that consists of four rings: Test, First, Fast and Broad. The service automates the placement of Windows 10/11 devices into these rings.
“The Test ring contains a minimum number of representative devices. The First ring is slightly larger and contains about 1% of all managed devices. The Fast ring contains about 9% of the endpoints, with the remainder assigned to the Broad ring,” the company wrote.
Windows Autopatch deploys updates to the Test ring first; after the evaluation and approval process, it patches the systems in the next ring, and so on. A company official said Windows Autopatch should complete a deployment cycle in 21 days. Administrators will have the option to pause or roll back updates if problems occur.
Windows Autopatch builds on an existing update-management technology called Windows Update for Business, but Microsoft handles the creation of the test rings and other coordination rather than the organization’s IT staff.
Organizations warned to be wary of SpringShell
Microsoft published an update Monday on its security blog to alert customers that the Azure Web Application Firewall service has “bolstered protection” for a SpringShell vulnerability affecting the Spring Framework. SpringShell is also known as Spring4Shell.
Microsoft said that organizations using Azure Web Application Firewall with the Azure Application Gateway/Reverse Proxy load balancer have new rules to defend against three SpringShell vulnerabilities (CVE-2022-22947, CVE-2022-22963, CVE-2022-22965) and SpringShell connection attempts.
Among its recommendations, Microsoft’s blog directed customers to use the Microsoft Defender for Endpoint product to scan for vulnerable systems and pointed to Azure Firewall Premium, which automatically updates its rule sets to mitigate SpringShell exploits.
Systems affected by SpringShell run all of the following:
- Java Development Kit 9.0 or later;
- Spring Framework versions 5.3.0 to 5.3.17 and 5.2.0 to 5.2.19, and earlier versions; and
- Apache Tomcat as a servlet container.
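The three conditions above can be turned into an inventory triage check. The following is an added example, not code from the article or from Microsoft; the `Host` record and the sample inventory are constructed for illustration, and the check treats a Spring Framework version as affected exactly as the list states: 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or anything older than 5.2.0.

```python
from dataclasses import dataclass

# Affected Spring Framework ranges as listed in the article (inclusive).
AFFECTED_SPRING_RANGES = [((5, 3, 0), (5, 3, 17)), ((5, 2, 0), (5, 2, 19))]


def parse_version(version: str) -> tuple:
    """Turn '5.3.17' or '5.3.17.RELEASE' into a 3-tuple of ints, zero-padded."""
    parts = [int(p) for p in version.split(".") if p.isdigit()][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def spring_version_affected(version: str) -> bool:
    """True if the version falls in an affected range or predates 5.2.0."""
    ver = parse_version(version)
    if ver < (5, 2, 0):
        return True
    return any(lo <= ver <= hi for lo, hi in AFFECTED_SPRING_RANGES)


@dataclass
class Host:
    """Hypothetical inventory record: one deployed Java application."""
    name: str
    jdk_major: int
    spring_version: str
    servlet_container: str


def exposed(host: Host) -> bool:
    """All three article conditions must hold for a host to be flagged."""
    return (
        host.jdk_major >= 9
        and spring_version_affected(host.spring_version)
        and host.servlet_container.lower() == "tomcat"
    )


def triage(hosts) -> dict:
    """Map host name -> exposure flag so the result can be acted on or exported."""
    return {h.name: exposed(h) for h in hosts}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Host("app-01", 11, "5.3.17.RELEASE", "tomcat"),  # in affected range
    Host("app-02", 11, "5.3.18", "tomcat"),          # first fixed 5.3.x release
    Host("app-03", 8, "5.3.10", "tomcat"),           # JDK 8 does not meet the JDK 9+ condition
    Host("app-04", 17, "5.2.19", "jetty"),           # not running Tomcat
    Host("app-05", 17, "5.1.4", "tomcat"),           # older than 5.2.0, still affected
]
```

Running `triage(SAMPLE_INVENTORY)` flags app-01 and app-05 only; hosts missing any one condition are not flagged, which matches how the article scopes the affected systems.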
“There are a number of SpringShell updates from different vendors, such as VMware, that have updated a number of products. Apache Tomcat has been updated to resolve the known vulnerability,” Goettl said. “Organizations just need to be aware that these updates keep coming up and they need to make sure they take care of them quickly.”