Microsoft Releases Fix for Zero-Day Flaw in July 2022 Security Patch Rollout

Microsoft released its monthly round of Patch Tuesday updates to
address 84 new security flaws[1] spanning multiple product
categories, including a zero-day vulnerability that’s under active
attack in the wild.

Of the 84 shortcomings, four are rated Critical, and 80 are
rated Important in severity. Also separately resolved by the tech
giant are two other bugs[2]
in the Chromium-based Edge browser, one of which plugs another
zero-day flaw[3]
that Google disclosed as being actively exploited in real-world
attacks.

Top of the list of this month’s updates is CVE-2022-22047[4]
(CVSS score: 7.8), a case of privilege escalation in the Windows
Client Server Runtime Subsystem (CSRSS[5]) that could be abused by
an attacker to gain SYSTEM permissions.

“With this level of access, the attackers are able to disable
local services such as Endpoint Detection and Security tools,” Kev
Breen, director of cyber threat research at Immersive Labs, told
The Hacker News. “With SYSTEM access they can also deploy tools
like Mimikatz which can be used to recover even more admin and
domain level accounts, spreading the threat quickly.”

Very little is known about the nature and scale of the attacks
other than an “Exploitation Detected” assessment from Microsoft.
The company’s Threat Intelligence Center (MSTIC) and Security
Response Center (MSRC) have been credited with reporting the
flaw.

Besides CVE-2022-22047, two more elevation of privilege flaws
have been fixed in the same component — CVE-2022-22026[6]
(CVSS score: 8.8) and CVE-2022-22049[7]
(CVSS score: 7.8) — that were reported by Google Project Zero
researcher Sergei Glazunov.

“A locally authenticated attacker could send specially crafted
data to the local CSRSS service to elevate their privileges from
AppContainer[8]
to SYSTEM,” Microsoft said in an advisory for CVE-2022-22026.

“Because the AppContainer environment is considered a defensible
security boundary, any process that is able to bypass the boundary
is considered a change in Scope. The attacker could then execute
code or access resources at a higher integrity level than that of
the AppContainer execution environment.”

Also remediated by Microsoft are a number of remote code
execution bugs in Windows Network File System (CVE-2022-22029[9]
and CVE-2022-22039[10]), Windows Graphics (CVE-2022-30221[11]),
Remote Procedure Call Runtime (CVE-2022-22038[12]), and Windows
Shell (CVE-2022-30222[13]).

The update further stands out for patching as many as 32 issues
in the Azure Site Recovery disaster recovery service[14]. Two of
these flaws are related to remote code execution and the remaining
30 concern privilege escalation.

“Successful exploitation […] requires an attacker to
compromise admin credentials to one of the VMs associated with the
configuration server,” the company said, adding the flaws do not
“allow disclosure of any confidential information, but could allow
an attacker to modify data that could result in the service being
unavailable.”

On top of that, Microsoft’s July update also contains fixes for
four privilege escalation vulnerabilities in the Windows Print
Spooler module (CVE-2022-22022[15], CVE-2022-22041[16], CVE-2022-30206[17], and CVE-2022-30226[18]) after a brief respite in June 2022[19], underscoring what
appears to be a never-ending stream of flaws plaguing the
technology.

Rounding off the Patch Tuesday updates are two notable fixes for
tampering vulnerabilities in the Windows Server Service (CVE-2022-30216[20]) and Microsoft Defender
for Endpoint (CVE-2022-33637[21]) and three
denial-of-service (DoS) flaws in Internet Information Services
(CVE-2022-22025[22] and CVE-2022-22040[23]) and Security Account
Manager (CVE-2022-30208[24]).

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been
released by other vendors since the start of the month to rectify
several vulnerabilities, including —

References

  1. 84 new security flaws (msrc.microsoft.com)
  2. two other bugs (docs.microsoft.com)
  3. zero-day flaw (thehackernews.com)
  4. CVE-2022-22047 (msrc.microsoft.com)
  5. CSRSS (en.wikipedia.org)
  6. CVE-2022-22026 (msrc.microsoft.com)
  7. CVE-2022-22049 (msrc.microsoft.com)
  8. AppContainer (docs.microsoft.com)
  9. CVE-2022-22029 (msrc.microsoft.com)
  10. CVE-2022-22039 (msrc.microsoft.com)
  11. CVE-2022-30221 (msrc.microsoft.com)
  12. CVE-2022-22038 (msrc.microsoft.com)
  13. CVE-2022-30222 (msrc.microsoft.com)
  14. Azure Site Recovery disaster recovery service (docs.microsoft.com)
  15. CVE-2022-22022 (msrc.microsoft.com)
  16. CVE-2022-22041 (msrc.microsoft.com)
  17. CVE-2022-30206 (msrc.microsoft.com)
  18. CVE-2022-30226 (msrc.microsoft.com)
  19. brief respite in June 2022 (thehackernews.com)
  20. CVE-2022-30216 (msrc.microsoft.com)
  21. CVE-2022-33637 (msrc.microsoft.com)
  22. CVE-2022-22025 (msrc.microsoft.com)
  23. CVE-2022-22040 (msrc.microsoft.com)
  24. CVE-2022-30208 (msrc.microsoft.com)
