Microsoft on Tuesday rolled out fixes for as many as 74 security vulnerabilities[1], including one for a
zero-day bug that’s being actively exploited in the wild.
Of the 74 issues, seven are rated Critical, 66 are rated
Important, and one is rated Low in severity. Two of the flaws are
listed as publicly known at the time of release.
These encompass 24 remote code execution (RCE), 21 elevation of
privilege, 17 information disclosure, and six denial-of-service
vulnerabilities, among others. The updates are in addition to
36 flaws[2]
patched in the Chromium-based Microsoft Edge browser on April 28,
2022.
Chief among the resolved bugs is CVE-2022-26925[3]
(CVSS score: 8.1), a spoofing vulnerability affecting the Windows
Local Security Authority (LSA[4]), which Microsoft
describes as a “protected subsystem that authenticates and logs
users onto the local system.”
“An unauthenticated attacker could call a method on the LSARPC
interface and coerce the domain controller to authenticate to the
attacker using NTLM[5],” the company said.
“This security update detects anonymous connection attempts in
LSARPC and disallows it.”
It’s also worth noting that the CVSS severity rating of the flaw
would be elevated to 9.8 should it be combined with NTLM relay
attacks like PetitPotam[6], making it a critical
issue.
“Being actively exploited in the wild, this exploit allows an
attacker to authenticate as approved users as part of an NTLM relay
attack – letting threat actors gain access to the hashes of
authentication protocols,” Kev Breen, director of cyber threat
research at Immersive Labs, said.
The two other publicly-known vulnerabilities are as follows:

- CVE-2022-29972[7] (CVSS score: 8.2) – Insight Software: CVE-2022-29972 Magnitude Simba Amazon Redshift ODBC Driver (aka SynLapse[8])
- CVE-2022-22713[9] (CVSS score: 5.6) – Windows Hyper-V Denial-of-Service Vulnerability
Microsoft, which remediated CVE-2022-29972 on April 15, tagged
it as “Exploitation More Likely” on the Exploitability Index,
making it imperative affected users apply the updates as soon as
possible.
Also patched by Redmond are several RCE bugs in Windows Network
File System (CVE-2022-26937[10]), Windows LDAP
(CVE-2022-22012[11], CVE-2022-29130[12]), Windows Graphics
(CVE-2022-26927[13]), Windows Kernel
(CVE-2022-29133[14]), Remote Procedure Call
Runtime (CVE-2022-22019[15]), and Visual Studio
Code (CVE-2022-30129[16]).
Cyber-Kunlun, a Beijing-based cybersecurity company, has been
credited with reporting 30 of the 74 flaws[17], counting
CVE-2022-26937, CVE-2022-22012, and CVE-2022-29130.
What’s more, CVE-2022-22019 followed an incomplete patch for
three RCE issues[18] in the Remote Procedure
Call (RPC) runtime library last month — CVE-2022-26809,
CVE-2022-24492, and CVE-2022-24528 — that were addressed by
Microsoft in April 2022.
Exploiting the flaw would allow a remote, unauthenticated
attacker to execute code on the vulnerable machine with the
privileges of the RPC service, Akamai said[19].
The Patch Tuesday update is also notable for resolving two
privilege escalation (CVE-2022-29104[20] and CVE-2022-29132[21]) and two information
disclosure (CVE-2022-29114[22] and CVE-2022-29140[23]) vulnerabilities in the
Print Spooler component, which has long posed an attractive target
for attackers.
Software Patches from Other Vendors
Besides Microsoft, security updates have also been released by
other vendors since the start of the month to rectify several
vulnerabilities, including —
References

[1] 74 security vulnerabilities (msrc.microsoft.com)
[2] 36 flaws (docs.microsoft.com)
[3] CVE-2022-26925 (msrc.microsoft.com)
[4] LSA (docs.microsoft.com)
[5] NTLM (en.wikipedia.org)
[6] PetitPotam (thehackernews.com)
[7] CVE-2022-29972 (msrc.microsoft.com)
[8] SynLapse (thehackernews.com)
[9] CVE-2022-22713 (msrc.microsoft.com)
[10] CVE-2022-26937 (msrc.microsoft.com)
[11] CVE-2022-22012 (msrc.microsoft.com)
[12] CVE-2022-29130 (msrc.microsoft.com)
[13] CVE-2022-26927 (msrc.microsoft.com)
[14] CVE-2022-29133 (msrc.microsoft.com)
[15] CVE-2022-22019 (msrc.microsoft.com)
[16] CVE-2022-30129 (msrc.microsoft.com)
[17] 30 of the 74 flaws (twitter.com)
[18] three RCE issues (thehackernews.com)
[19] said (www.akamai.com)
[20] CVE-2022-29104 (msrc.microsoft.com)
[21] CVE-2022-29132 (msrc.microsoft.com)
[22] CVE-2022-29114 (msrc.microsoft.com)
[23] CVE-2022-29140 (msrc.microsoft.com)
Read more https://thehackernews.com/2022/05/microsoft-releases-fix-for-new-zero-day.html
