Microsoft has released patches for 128 vulnerabilities across its product range on its April 2022 Patch Tuesday, including 10 flaws rated critical and two zero-day bugs, one of which is being actively exploited in the wild. Three of the critical flaws are wormable: they can be exploited remotely, with no user action, to achieve code execution. Both zero-day bugs have been rated important, even though one is already under active exploitation.
The actively exploited zero-day, tracked as CVE-2022-24521 with a CVSS severity score of 7.8 out of 10, is an elevation of privilege bug in the Windows Common Log File System (CLFS) driver. The second zero-day, CVE-2022-26904, is a Windows User Profile Service elevation of privilege vulnerability with a CVSS severity score of 7.0 out of 10. Although this bug is listed as "exploitation more likely", exploiting it is complex and would require a threat actor to win a race condition.
The critical flaws that allow remote code execution should be prioritized. They are:
- CVE-2022-26919 – Lightweight Directory Access Protocol (LDAP)
- CVE-2022-23259 – Microsoft Dynamics
- CVE-2022-22008, CVE-2022-24537, and CVE-2022-23257 – Windows Hyper-V
- CVE-2022-24491 and CVE-2022-24497 – Windows Network File System
- CVE-2022-26809 – Windows Remote Procedure Call Runtime
- CVE-2022-24541 and CVE-2022-24500 – Windows SMB
CVE-2022-26809 is one of the most serious of these vulnerabilities and can be exploited remotely with no user interaction. The bug has been given a CVSS severity score of 9.8 out of 10; it sits in the Windows Remote Procedure Call (RPC) Runtime, is reachable over Server Message Block (SMB) connections, and allows an attacker to execute code with high privileges. It would allow self-propagating exploits on machines where RPC can be reached.
The two Windows Network File System bugs, CVE-2022-24491 and CVE-2022-24497, have also been assigned a CVSS severity score of 9.8 out of 10 and could likewise support wormable exploits on systems where the NFS role is enabled.
Adobe Released 78 Fixes on April 2022 Patch Tuesday
Adobe has been busy this Patch Tuesday, having released 78 patches to fix vulnerabilities in Adobe Commerce, Adobe Photoshop, Adobe After Effects, and Adobe Acrobat and Reader.
The most serious vulnerability, which has been given a priority of 1, is a critical arbitrary code execution vulnerability in Adobe Commerce with a CVSS score of 9.1 out of 10. Sixty-two patches have been released to fix vulnerabilities in Adobe Acrobat and Adobe Reader: 35 are arbitrary code execution flaws with a CVSS score of 7.8 out of 10, 24 are rated important with CVSS scores between 5.5 and 6.7, and three are rated moderate with CVSS scores of 3.3. These Acrobat and Reader bugs have been given a patching priority of 2.
Thirteen critical arbitrary code execution vulnerabilities have been fixed in Adobe Photoshop 2021 and 2022, all with a CVSS severity score of 7.8 out of 10, and two critical arbitrary code execution flaws have been fixed in Adobe After Effects, also with a CVSS severity score of 7.8. These flaws have been given a priority of 3: although they are critical, they affect products that are not usually targeted by attackers.