Microsoft May 2022 Patch Tuesday fixes 7 critical vulnerabilities, 67 others

This month's security fixes include one "important" flaw confirmed to be in active use as part of ongoing exploits.

Microsoft has released a total of 74 new security fixes for its software products. This includes one "important" flaw (a Windows LSA Spoofing Vulnerability) that was being actively exploited in the wild.

In the Redmond giant's latest round of patches, usually released on the second Tuesday of each month on what is known as Patch Tuesday, Microsoft fixed the aforementioned active exploit, as well as seven other "critical" issues: five remote code execution (RCE) bugs and two elevation of privilege (EoP) flaws. The remaining list of 67 exploits are dominated by additional RCE and EoP bugs. A smattering of denial-of-service, information leaks, security feature bypasses, and spoofing issues were corrected as well. 

ZDNet Recommends

The best encryption software The best encryption software From home offices to hybrid cloud solutions, we have you covered.

Products impacted by May's security update include the Windows OS and several of its components; the .NET and Visual Studio platforms; Office and its components; Exchange Server; BitLocker; Remote Desktop Client; NTFS; and Microsoft Edge. 

Some of the most severe vulnerabilities resolved in this update are: 

  • CVE-2022-26925: The only flaw this month listed as being actively exploited. This "important" flaw allows malicious actors to "call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM." Microsoft assigned the flaw a CVSS severity score of 8.1, but noted that if it was combined with NTLM relay attacks, the severity would be bumped up to 9.8. This patch corrects the flaw by detecting and disallowing anonymous connection attempts in LSARPC. 
  • CVE-2022-26923: This "critical" flaw exploits the issuance of certificates by inserting crafted data into a certificate request. This allows the attacker to obtain a certificate which is capable of authenticating a domain controller with a high-level of privilege. It essentially allows the individual with unauthorized authentication to become a domain admin within any domain running Active Directory Certificate Services. This flaw earned a CVSS score of 8.8

Both CVE-2022-26937 and CVE-2022-29972 are also of special note. The former is an RCE vulnerability in the Windows Network File System (NFS) that targets systems in environments with mixed OS use; the latter is a flaw in the Magnitude Simba Amazon Redshift ODBC Driver important enough to earn its own blog post from Microsoft.

Also: Microsoft's latest Windows 11 test build adds new group policies, drops SMB1 enablement by default

According to the Zero Day Initiative (ZDI), this month's fixes fall in line with previous May Patch Tuesdays, resulting in the release of 19 more fixes than the previous year, but five fewer than 2019's equivalent. 

Last month, Microsoft resolved over 100 vulnerabilities in the April batch of security fixes. These included two zero-day vulnerabilities; a known Windows User Profile Service bug leading to privilege escalation; and another EoP flaw in the Windows Common Log File System Driver, which was being actively exploited at the time a security fix was issued. 

In other Microsoft news, Microsoft's Q3 earnings revealed revenues surging across the board, reaching $49.4 billion. Cloud revenue was reported as $23.4 billion, up 32% year-over-year.


Alongside Microsoft's Patch Tuesday, other vendors have published security updates which can be accessed below:

Show Comments