Microsoft Patch Tuesday: 84 Windows Vulns, Including Already-Exploited Zero-Day

Microsoft has issued an urgent Patch Tuesday bulletin to warn of in-the-wild zero-day exploitation of a privilege escalation flaw in the Windows operating system.

The critical vulnerability, flagged as CVE-2022-22047, exists in the Client/Server Runtime Subsystem (csrss.exe) and carries a CVSS severity rating of 7.8.

"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Redmond’s security response team said in an advisory.

The software giant did not provide any additional details of the live attacks outside of a notification that the issue has not been publicly disclosed. The company did not provide IOCs (indicators of compromise) to help defenders hunt for signs of compromise.

Microsoft credited its own MSTIC (Microsoft Threat Intelligence Center) and MSRC (Microsoft Security Response Center) units with the discovery of the zero-day exploitation.

The Windows CSRSS privilege escalation flaw headlines a very busy Patch Tuesday that includes fixes for at least 84 documented vulnerabilities across the Windows ecosystem.

According to the Zero Day Initiative (ZDI), the July Patch Tuesday rollout did not include any fixes for the recent Pwn2Own competition where hackers exploited unpatched flaws in Windows 11 and Microsoft Teams. At that event, Pwn2Own participants demonstrated six Windows 11 privilege escalation flaws and three Microsoft Teams exploit chains.

The 84 documented vulnerabilities (counting by CVE) affect a range of OS components, including Microsoft Office, BitLocker, Microsoft Defender, Windows Azure and Windows Hyper-V.

According to Microsoft’s documentation, 4 of the 84 vulnerabilities carry the highest “critical” severity rating. The remaining bugs are rated “important” in severity.

Redmond's patches come just hours after software maker Adobe patched 22 documented vulnerabilities in a range of desktop products, some serious enough to cause arbitrary code execution attacks.

The patches, available for Adobe Acrobat and Reader for Windows and macOS, affect Adobe Acrobat/Reader, Adobe Photoshop, Adobe RoboHelp and Adobe Character Animator.

According to an advisory from Adobe, the Acrobat/Reader update addresses multiple critical vulnerabilities that could expose computer users to arbitrary code execution and memory leak attacks.

Adobe said it was not aware of in-the-wild exploits prior to the availability of patches. 

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.