Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Microsoft Patch Tuesday: 84 Windows Vulns, Including Already-Exploited Zero-Day

Microsoft has issued an urgent Patch Tuesday bulletin to warn of in-the-wild zero-day exploitation of a privilege escalation flaw in the Windows operating system.

Microsoft has issued an urgent Patch Tuesday bulletin to warn of in-the-wild zero-day exploitation of a privilege escalation flaw in the Windows operating system.

The critical vulnerability, flagged as CVE-2022-22047, exists in the Client/Server Runtime Subsystem (csrss.exe) and carries a CVSS severity rating of 7.8.

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Redmond’s security response team said in an advisory.

The software giant did not provide any additional details of the live attacks outside of a notification that the issue has not been publicly disclosed.  The company did not provide IOCs (indicators of compromise) to help defenders hunt for signs of compromise.

Microsoft credited its own MSTIC (Microsoft Threat Intelligence Center) and MSRC (Microsoft Security Response Center) units with the discovery of the zero-day exploitation.

[ READ: Adobe Patch Tuesday: Critical Flaws in Acrobat, Reader, Photoshop ]

The Windows CSRSS privilege escalation flaw headlines a very busy Patch Tuesday that includes fixes for at least 84 documented vulnerabilities across the Windows ecosystem.

Advertisement. Scroll to continue reading.

According to the Zero Day Initiative (ZDI), the July Patch Tuesday rollout did not include any fixes for the recent Pwn2Own competition where hackers exploited unpatched flaws in Windows 11 and Microsoft Teams.  At that event, Pwn2Own participants demonstrated six Windows 11 privilege escalation flaws and three Microsoft Teams exploit chains.

The 84 documented vulnerabilities (counting by CVE) affect a range of OS components, including Microsoft Office, BitLocker, Microsoft Defender, Windows Azure and Windows Windows Hyper-V.

According to Microsoft’s documentation, 4 of the 84 vulnerabilities carry the highest “critical” severity rating.  The remaining bugs are rated “important” in severity.

[ READ: ICS Patch Tuesday: Siemens, Schneider Electric Address 59 Vulnerabilities ]

Redmond’s patches come just hours after software maker Adobe patched 22 documented vulnerabilities in a range of desktop products, some serious enough to cause arbitrary code execution attacks.

The patches, available for Adobe Acrobat and Reader for Windows and macOS, affect Adobe Acrobat/Reader, Adobe Photoshop, Adobe RoboHelp and Adobe Character Animator.

According to an advisory from Adobe, the Acrobat/Reader update address  multiple critical vulnerabilities that could expose computer users to arbitrary code execution and memory leak attacks.

Adobe said it was not aware of in-the-wild exploits prior to the availability of patches. 

Related: ICS Patch Tuesday: Siemens, Schneider Electric Address 59 Vulnerabilities

Related: Patch Tuesday: Microsoft Calls Attention to ‘Wormable’ Windows

Related: Adobe Patch Tuesday: Critical Flaws in Acrobat, Reader, Photoshop

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...