Microsoft Releases Fix for New Zero-Day with May 2022 Patch Tuesday Updates

Microsoft on Tuesday rolled out fixes for as many as?74 security vulnerabilities , including one for a zero-day bug that's being actively exploited in the wild.

Of the 74 issues, seven are rated Critical, 66 are rated Important, and one is rated low in severity. Two of the flaws are listed as publicly known at the time of release.

These encompass 24 remote code execution (RCE), 21 elevation of privilege, 17 information disclosure, and six denial-of-service vulnerabilities, among others. The updates are in addition to?36 flaws ?patched in the Chromium-based Microsoft Edge browser on April 28, 2022.

Chief among the resolved bugs is?CVE-2022-26925 ?(CVSS score: 8.1), a spoofing vulnerability affecting the Windows Local Security Authority (LSA ), which Microsoft describes as a "protected subsystem that authenticates and logs users onto the local system."

"An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using?NTLM ," the company said. "This security update detects anonymous connection attempts in LSARPC and disallows it."

It's also worth noting that the severity rating of the flaw would be elevated to 9.8 if it were to be chained with?NTLM relay attacks ?on Active Directory Certificate Services (AD CS) such as?PetitPotam.

"Being actively exploited in the wild, this exploit allows an attacker to authenticate as approved users as part of an NTLM relay attack - letting threat actors gain access to the hashes of authentication protocols," Kev Breen, director of cyber threat research at Immersive Labs, said.

The two other publicly-known vulnerabilities are as follows -

• CVE-2022-29972 ?(CVSS score: 8.2) - Insight Software: CVE-2022-29972 Magnitude Simba Amazon Redshift ODBC Driver (aka?SynLapse)
• CVE-2022-22713 ?(CVSS score: 5.6) - Windows Hyper-V Denial-of-Service Vulnerability

Microsoft, which remediated CVE-2022-29972 on April 15, tagged it as "Exploitation More Likely" on the Exploitability Index, making it imperative affected users apply the updates as soon as possible.

Also patched by Redmond are several RCE bugs in Windows Network File System (CVE-2022-26937 ), Windows LDAP (CVE-2022-22012 ,?CVE-2022-29130 ), Windows Graphics (CVE-2022-26927 ), Windows Kernel (CVE-2022-29133 ), Remote Procedure Call Runtime (CVE-2022-22019 ), and Visual Studio Code (CVE-2022-30129 ).

Cyber-Kunlun, a Beijing-based cybersecurity company, has been credited with reporting?30 of the 74 flaws , counting CVE-2022-26937, CVE-2022-22012, and CVE-2022-29130.

What's more, CVE-2022-22019 follows an incomplete patch for?three RCE vulnerabilities?in the Remote Procedure Call (RPC) runtime library — CVE-2022-26809, CVE-2022-24492, and CVE-2022-24528 — that were addressed by Microsoft in April 2022.

Exploiting the flaw would allow a remote, unauthenticated attacker to execute code on the vulnerable machine with the privileges of the RPC service, Akamai?said .

The Patch Tuesday update is also notable for resolving two privilege escalation (CVE-2022-29104 ?and?CVE-2022-29132 ) and two information disclosure (CVE-2022-29114 ?and?CVE-2022-29140 ) vulnerabilities in the Print Spooler component, which has long posed an attractive target for attackers.