Microsoft Patch Tuesday: 86 flaws, four critical, one being used in attacks

Admins need to patch four critical Windows flaws this month. There's also a surprisingly large number of flaws fixed in the Azure disaster recovery service.
Written by Liam Tung, Contributing Writer
Black woman working on a computer in an office technology room.
Image: Jetta Productions Inc/Getty Images

Microsoft has released its July 2022 Patch Tuesday update to address 84 flaws affecting Windows and two affecting its Chromium-based Edge browser. 

It's the first Patch Tuesday after Microsoft this week officially launched its Autopatch service for enterprise customers on Windows or Microsoft 365 E3 and E5 licenses. While Autopatch takes the legwork out of Patch Tuesday for admins with these licenses, Patch Tuesday rolls on for everyone else and enterprises that haven't enrolled devices in Autopatch. 

There are just four of the 84 Windows and Azure flaws that qualified as 'critical' with the remaining 80 rated as 'important'. One, which tracked as CVE-2022-22047, is already under attack. 

SEE: The 10 best Windows laptops: Top notebooks, 2-in-1s, and ultraportables

Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) discovered the zero-day flaw in the Windows Client Server Runtime Subsystem (CSRSS), which allows an attacker with low-level privileges to gain the highest SYSTEM-level privileges on all versions of Windows. Microsoft hasn't said how widely it is being exploited or how the attacks are taking place.

However, the CSRSS bug is one reason why Microsoft's decision to roll back its block on internet VBA macros in Office documents was controversial, according to Dustin Childs of the Zero Day Initiative. 

"Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system. These attacks often rely on macros, which is why so many were disheartened to hear Microsoft's delay in blocking all Office macros by default," wrote Childs.  

Rapid7 notes that Microsoft fixed two other CRSS flaws (CVE-2022-22049 and CVE-2022-22026) likely after investigating the one that's already being exploited in the wild. 

The four critical flaws are remotely exploitable and include CVE-2022-22029 and CVE-2022-22039. These two affect network file system (NFS) servers. 

The third critical flaw (CVE-2022-22038) affects the Windows remote procedure call runtime while the fourth, CVE-2022-30221, affects the Windows graphics component and could be useful for ransomware attackers that target victims through remote desktop protocol (RDP). 

"An attacker would have to convince a targeted user to connect to a malicious RDP server. Upon connecting, the malicious server could execute code on the victim's system in the context of the targeted user," Microsoft warns

But the issue only affects Windows 7 Service Pack 1 or Windows Server 2008 R2 Service Pack 1 if RDP 8.0 or RDP 8.1 is installed.

Additionally, an unusually large 32 vulnerabilities affect the Microsoft Azure Site Recovery service, Microsoft's disaster recovery service for cloud with replication, recovery and failover features.

Researchers at security firm Tenable reported CVE-2022–33675, a DLL hijacking flaw in Azure Site Recovery, to Microsoft. It also allows an attacker with low privileges to elevate up to SYSTEM-level by loading a software library (DLL) within an application. Microsoft says this style of attack is "very convenient" for attackers because it easily gives them code execution capabilities. 

Tenable argues it is a useful bug for ransomware gangs because it is in an application used for disaster recovery, it notes in its advisory.

SEE: These are the cybersecurity threats of tomorrow that you should be thinking about today

The Microsoft Edge browser also gains fixes for two flaws affecting its Chromium foundation, including the WebRTC zero-day flaw (CVE-2022-2294) that affected Chrome and was disclosed by Google last week. It's a big month for Edge in the enterprise due to IE 11 reaching end of life in June. Now the main way to enable legacy IE applications and websites is 'IE mode' in Chromium Edge. 

Per the Zero Day Initiative, the July Patch Tuesday update has fixes for Microsoft Windows and Windows Components, Windows Azure components, Microsoft Defender for Endpoint, Microsoft Edge, Office and Office Components, Windows BitLocker, Windows Hyper-V, Skype for Business and Microsoft Lync, Open-Source Software, and Xbox. 

Editorial standards