Patch Tuesday: more than 100 vulnerabilities fixed, including two zero-days


Microsoft has released more than 100 security patches for its software, addressing critical issues that include two zero-days.

In its latest Patch Tuesday, a patch cycle typically released on the second Tuesday of every month, Microsoft has addressed numerous vulnerabilities that can lead to remote code execution (RCE), elevation of privilege (EoP), denials of service, information leaks and identity theft. A total of 10 vulnerabilities are classified as critical.

The products affected by the April security update are the Windows operating system, Microsoft Office, Dynamics, Edge, Hyper-V, File Server, Skype for Business, and Windows SMB.

Two zero-day flaws fixed

The zero-day vulnerabilities fixed in this update are as follows:

  • CVE-2022-26904: this “zero-day” flaw affects the Windows User Profile Service and can lead to elevation of privilege. Its CVSS severity score is 7.0, but its attack complexity is rated “high” because “a successful attack depends on conditions beyond the attacker’s control,” Microsoft explains.
  • CVE-2022-24521: this vulnerability can also lead to elevation of privilege, but this time in the Windows Common Log File System driver. With a CVSS score of 7.8, Microsoft rates the attack complexity as low and says the flaw is being actively exploited, although it has not been publicly disclosed so far.

Two other security issues, CVE-2022-26809 and CVE-2022-24491, are also worth noting. These vulnerabilities, which impact the Remote Procedure Call Runtime and Windows Network File System, have a CVSS score of 9.8 and can be exploited to trigger remote code execution.

Waiting for Windows Autopatch

According to the Zero Day Initiative (ZDI), the patch volume level is similar to Q1 2021.

Last month, Microsoft patched 71 security flaws in its March Patch Tuesday, which included fixes for critical flaws CVE-2022-22006 and CVE-2022-24501. In February, Microsoft patched 48 vulnerabilities, including one zero-day.

As a reminder, Microsoft recently announced an upcoming change that could spell the end of Patch Tuesday as we know it. Dubbed Windows Autopatch, the automatic Windows and Office software update service will be rolled out to enterprise customers to give them faster access to security patches, rather than waiting for the monthly update (unscheduled emergency releases excepted). Windows Autopatch is scheduled for release in July 2022.

Source: ZDNet.com