The Hacker NewsTHN:2A188AB3A1960F89715831B15A68311EMicrosoft Issues Patches for 2 Windows Zero-Days and 126 Other Vulnerabilities
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
Microsoftβs Patch Tuesday updates for the month of April have addressed a total of 128 security vulnerabilities spanning across its software product portfolio, including Windows, Defender, Office, Exchange Server, Visual Studio, and Print Spooler, among others.
10 of the 128 bugs fixed are rated Critical, 115 are rated Important, and three are rated Moderate in severity, with one of the flaws listed as publicly known and another under active attack at the time of the release.
The updates are in addition to 26 other flaws resolved by Microsoft in its Chromium-based Edge browser since the start of the month.
The actively exploited flaw (CVE-2022-24521, CVSS score: 7.8) relates to an elevation of privilege vulnerability in the Windows Common Log File System (CLFS). Credited with reporting the flaw are the U.S. National Security Agency (NSA) and CrowdStrike researchers Adam Podlosky and Amir Bazine.
The second publicly-known zero-day flaw (CVE-2022-26904, CVSS score: 7.0) also concerns a case of privilege escalation in the Windows User Profile Service, successful exploitation of which βrequires an attacker to win a race condition.β
Other critical flaws to note include a number of remote code execution flaws in RPC Runtime Library (CVE-2022-26809, CVSS score: 9.8), Windows Network File System (CVE-2022-24491 and CVE-2022-24497, CVSS scores: 9.8), Windows Server Service (CVE-2022-24541), Windows SMB (CVE-2022-24500), and Microsoft Dynamics 365 (CVE-2022-23259).
Microsoft also patched as many as 18 flaws in Windows DNS Server, one information disclosure flaw and 17 remote code execution flaws, all of which were reported by security researcher Yuki Chen. Also remediated are 15 privilege escalation flaws in the Windows Print Spooler component.
The patches arrive a week after the tech giant announced plans to make available a feature called AutoPatch in July 2022 that allows enterprises to expedite applying security fixes in a timely fashion while emphasizing on scalability and stability.
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors to rectify several vulnerabilities, counting β
- Adobe
- Android
- Apache Struts 2
- Cisco Systems
- Citrix
- Dell
- Google Chrome
- HP Teradici PCoIP Client
- Juniper Networks
- Linux distributions Oracle Linux, Red Hat, and SUSE
- Mozilla Firefox, Firefox ESR, and Thunderbird
- SAP
- Schneider Electric
- Siemens, and
- VMware
Found this article interesting? Follow THN on Facebook, Twitter ο and LinkedIn to read more exclusive content we post.
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C