Microsoft has released its own Update for correction from Tuesday 2022 on Tuesdayaddressing a total of 75 security vulnerabilities, including three zero days.

In addition to these bugs, Microsoft fixed 36 security holes in its Chromium-based Edge browser on April 28.

Of all the flaws rectified this month, eight are classified as “critical” as they could allow a malicious actor to remotely execute code or gain privileges on a vulnerable machine. Sixty-six vulnerabilities were assessed as “Important”, while one was of “low” severity.

Products affected by this month’s security update include the Windows operating system and many of its components; Office and its components; .NET and Visual Studio platforms; Exchange Server; BitLocker; Remote Desktop Client; and NTFS.

The May security update includes fixes for 26 remote code execution (RCE) vulnerabilities, 21 privilege enhancement errors (EoP), 17 disclosure errors, six denial errors, four workarounds. security and a vulnerability to fraud.

Actively exploited

It is among the most serious of the patched bugs CVE-2022-26925, zero day with CVSS score of 8.1. This fraud error affects the Windows Local Security Authority (LSA), a secure subsystem that authenticates and registers users on the local system, according to Microsoft. It is actively exploited, which makes patches a priority.

Domain controllers need to be adjusted as a matter of priority, Greg Wiseman, level 7

The disadvantage is “Important” in seriousness and may allow a malicious actor to “call an LSARPC interface method and force the domain controller to authenticate with the attacker using NTLM”.

Although this vulnerability has been assigned a CVSS score of 8.1, Microsoft notes that the severity rating will increase to 9.8 if the shortcoming is combined with NTLM relay attacks.

“This is very bad news when used in conjunction with an NTLM relay attack, which potentially leads to remote code execution (RCE),” said Greg Wiseman, Rapid7’s lead product manager, adding that the bug “affects all supported versions of Rapid7.” Windows, but Domain Controllers must be prioritized before other servers can be updated.

Azure bugs

The other two publicly known vulnerabilities fixed by Microsoft are CVE-2022-29972 (CVSS score: 8.2) and CVE-2022-22713 (CVSS score: 5.6).

CVE-2022-29972 affects Azure Data Factory and Azure Synapse Pipelines. According to Microsoft, it was found in a third-party ODBC data connector used to connect to Amazon Redshift, in Integration Runtime (IR) in Azure Synapse Pipelines and Azure Data Factory.

An attacker can use this error to execute remote commands during integration execution.

CVE-2022-22713 is a denial of service issue that affects Hyper-V servers running relatively recent versions of Windows (20H2 and later).

Critical RCE vulnerability in Windows NFS

A critical RCE vulnerability removed this month is CVE-2022-26937, which is assigned a CVSS score of 9.8 and affects services using the Windows Network File System (NFS).

“This vulnerability can be exploited on the network by making an unauthorized, custom-made call to the Network File System (NFS) service to trigger remote code execution (RCE),” said Debra Feza Reid, a researcher on vulnerabilities and threats in Qualys, adding that it cannot be used in NFSV4.1. This threat can be temporarily mitigated by disabling NFSV2 and NFSV3 if immediate Windows is not possible.

Other RCE bugs fixed by Microsoft this month include flaws in Windows Graphics (CVE-2022-26927), Windows LDAP (CVE-2022-22012, CVE-2022-29130), Windows Kernel (CVE-2022-29133), Visual Studio Code (CVE-2022-30129) and remote call time (CVE-2022-22019).

https://www.computing.co.uk/news/4049520/microsoft-fixes-zero-days-critical-flaws-patch-tuesday-update

Previous articleTechnical redundancies, delays in hiring stand out in the hot labor market
Next articleBentley Bentayga EWB is longer and more luxurious