Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) discovered the zero-day flaw in the Windows Client Server Runtime Subsystem (CSRSS), which allows an attacker with low-level privileges to gain the highest SYSTEM-level privileges on all versions of Windows. Microsoft hasn't said how widely it is being exploited or how the attacks are taking place.
"Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system. These attacks often rely on macros, which is why so many were disheartened to hear Microsoft's delay in blocking all Office macros by default," wrote Childs.
Rapid7 notes that Microsoft fixed two other CSRSS flaws (CVE-2022-22049 and CVE-2022-22026), likely found while investigating the one that's already being exploited in the wild.
The four critical flaws are remotely exploitable and include CVE-2022-22029 and CVE-2022-22039, both of which affect Network File System (NFS) servers.
The third critical flaw (CVE-2022-22038) affects the Windows Remote Procedure Call (RPC) runtime, while the fourth, CVE-2022-30221, affects the Windows graphics component and could be useful to ransomware attackers who target victims through the Remote Desktop Protocol (RDP).
"An attacker would have to convince a targeted user to connect to a malicious RDP server. Upon connecting, the malicious server could execute code on the victim's system in the context of the targeted user," Microsoft warns.
But the issue affects Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1 only if RDP 8.0 or RDP 8.1 is installed.
Additionally, an unusually large number of vulnerabilities, 32 in total, affect the Microsoft Azure Site Recovery service, Microsoft's disaster recovery service for cloud workloads with replication, recovery and failover features.
Researchers at security firm Tenable reported CVE-2022-33675, a DLL hijacking flaw in Azure Site Recovery, to Microsoft. This flaw also allows an attacker with low privileges to elevate to SYSTEM level by getting an application to load an attacker-controlled software library (DLL). Microsoft says this style of attack is "very convenient" for attackers because it easily gives them code execution capabilities.
In its advisory, Tenable argues the bug is attractive to ransomware gangs because it sits in an application used for disaster recovery.
Per the Zero Day Initiative, the July Patch Tuesday update has fixes for Microsoft Windows and Windows Components, Windows Azure components, Microsoft Defender for Endpoint, Microsoft Edge, Office and Office Components, Windows BitLocker, Windows Hyper-V, Skype for Business and Microsoft Lync, Open-Source Software, and Xbox.