During its latest Patch Tuesday, Microsoft released a total of 74 new security patches for its software products. This figure includes a “significant” flaw (a Windows LSA Spoofing vulnerability), which is also actively exploited in the context of very current cyberattack campaigns.
The Redmond company – which deploys its patches every second Tuesday of each month during what is known as Patch Tuesday – has corrected this flaw as well as seven others classified as “critical”: five code execution bugs to distance and two elevation of privilege flaws.
The remaining list of 67 flaws is dominated by other bugs of these same two types, as well as a number of denials of service, information leaks, security feature bypasses, and spoofing issues. which have also been corrected. The products affected by the May security update are the Windows operating system and several of its components, the .NET platforms and Visual Studio, Office and its components, Exchange Server, BitLocker, Remote Desktop Client, NTFS and Microsoft edge.
Rifts galore
Some of the most severe vulnerabilities addressed in this update are:
- CVE-2022-26925: This month’s only vulnerability listed as being actively exploited. This “significant” flaw allows “to call a method on the LSARPC interface and to force the domain controller to authenticate with the attacker using NTLM.” Microsoft gave this flaw a CVSS severity score of 8.1, but noted that if combined with NTLM relay attacks, the severity would be increased to 9.8. This patch addresses the flaw by detecting and disallowing anonymous login attempts in LSARPC.
- CVE-2022-26923: This “critical” flaw exploits certificate issuance by inserting modified data into a certificate request. This allows the attacker to obtain a certificate capable of authenticating a domain controller with a high level of privilege. This essentially allows the individual with unauthorized authentication to become a domain administrator in any domain using Active Directory Certificate Services. This flaw has a CVSS score of 8.8.
The CVE-2022-26937 and CVE-2022-29972 flaws are also worth noting. The first is an RCE vulnerability in the Windows Network File System (NFS) that targets systems in mixed operating system environments; the second is a flaw in the Magnitude Simba Amazon Redshift ODBC driver large enough to merit its own blog post from Microsoft.
Last month, Microsoft fixed more than 100 vulnerabilities in its April security patches. These included two zero-day vulnerabilities, a known Windows User Profile Service bug leading to elevation of privilege, and another EoP flaw in the Windows Common Log File System driver. Windows, which was actively exploited at the time a security patch was released.
Source: ZDNet.com