Huge Patch Tuesday Update Fixes Over 100 Windows Security Flaws Including Two Zero Day Threats
We're roughly halfway into April, and you know what that means—it's time to patch Windows with this month's Patch Tuesday update (KB5012599 for Windows 10 and KB5012592 for Windows 11), which is doled out on the second Tuesday of every month. This particular one happens to be jam-packed with fixes for over 100 security flaws, two of which are zero-day vulnerabilities.
One of the zero-day threats is tracked as CVE-2022-26904. It's an escalation of privilege vulnerability with a CVSS severity score of 7.0 and a "high" attack complexity designation. Microsoft notes that "successful exploitation of this vulnerability requires an attacker to win a race condition." Some of the details have not yet been published.
The other zero-day is CVE-2022-24521, also an escalation of privilege vulnerability, which was reported by researchers at the NSA and CrowdStrike. It has a higher CVSS score of 7.8 and a "low" attack complexity rating. The vulnerability resides in the Windows Common Log File System Driver and could allow an attacker to gain administrative privileges on a compromised system. Furthermore, Microsoft says it is aware of this one being actively exploited in the wild.
That's reason enough not to put off applying this month's Patch Tuesday update. There are plenty more reasons, though—over 100 more, in fact. One of the more worrisome of the bunch is CVE-2022-26809, a wormable flaw with a 9.8 CVSS rating.
"To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service," Microsoft explains.
There are other potentially wormable threats that are also addressed by the latest Patch Tuesday update, including a couple of Windows Network File System (NFS) vulnerabilities that carry 9.8 CVSS scores as well.
"These could be the kind of vulnerabilities which appeal to ransomware operators as they provide the potential to expose critical data," Kevin Breen, director of cyber threat research at Immersive Labs, told KrebsOnSecurity. "It is also important for security teams to note that NFS Role is not a default configuration for Windows devices."
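For administrators who want to confirm that the update has landed and whether the non-default NFS server role is even present, the following PowerShell check is an added example, not from the article or Microsoft; the KB numbers are the ones named above, while the Windows 11 build threshold and the NFS feature names are assumptions based on standard Windows names.

```powershell
# Added example: verify this month's cumulative update is installed and report
# whether the Windows NFS server role/feature is enabled on this host.
# KB5012599 (Windows 10) and KB5012592 (Windows 11) come from the article.

$build = [System.Environment]::OSVersion.Version.Build
# Assumption: Windows 11 reports build 22000 or later; Windows 10 reports lower builds.
$expectedKb = if ($build -ge 22000) { 'KB5012592' } else { 'KB5012599' }

# Get-HotFix reads the installed-update inventory (Win32_QuickFixEngineering).
$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $_.HotFixID -eq $expectedKb }

if ($installed) {
    Write-Output "OK: $expectedKb is installed (on $($installed.InstalledOn))."
} else {
    Write-Output "MISSING: $expectedKb not found; run Windows Update and reboot."
}

# NFS exposure check. Server for NFS is a server role; the client OS exposes
# NFS only as optional features. Both names below are assumed standard names.
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    # Windows Server: ServerManager module is available.
    $nfs = Get-WindowsFeature -Name 'FS-NFS-Service' -ErrorAction SilentlyContinue
    if ($nfs -and $nfs.Installed) {
        Write-Output "NOTE: Server for NFS role is installed; prioritise the NFS fixes."
    } else {
        Write-Output "NFS server role not installed (the default)."
    }
} else {
    # Windows 10/11 client: optional features require an elevated session to query.
    try {
        $feat = Get-WindowsOptionalFeature -Online -FeatureName 'ServicesForNFS-ClientOnly' -ErrorAction Stop
        Write-Output "Client NFS feature state: $($feat.State)"
    } catch {
        Write-Output "Could not query NFS optional feature (run elevated): $($_.Exception.Message)"
    }
}
```

Run the script in an elevated PowerShell session so the optional-feature query succeeds; a "MISSING" line means the host is still exposed to every issue the update addresses.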