Home / About / Threat Intelligence / Microsoft releases patch orchestration tools along with July update cycle

Overview

Microsoft has released Windows Autopatch, a service designed to manage updates on enterprise networks. The service for E3 and E5 customers groups networks into “testing rings” to progressively roll out updates to the organisation.

This month’s update cycle includes fixes for 84 vulnerabilities. This includes a local privilege escalation vulnerability (CVE-2022-22047) in CSRSS which Microsoft says has been exploited in the wild as well as four critical remote code execution (RCE) vulnerabilities.

One of these is in the Remote Procedure Call (RPC) run-time, and two in the Network File System (NFS), all of which could be exploited over the network. The other one is in the Windows Graphics Component which requires the victim machine to connect to a malicious RDP server.

All four have been given an exploitability assessment of “less likely”, mostly due to the practical difficulty in abusing them. Eight other RCEs are rated as important.

As well as the 12 RCEs there are fixes for 52 Elevation of Privilege (EoP), five Denial of Service (DoS), 11 Information Disclosure and four Security Feature Bypass vulnerabilities.

Impact

An attacker with local access to a machine can gain system-level privileges. An attacker with network access to RPC or NFS services could execute code on the machine. An attacker who can trick a victim into connecting to a malicious RDP server could execute code on their machine.

Affected Products

  • AMD CPU Branch
  • Azure Site Recovery
  • Azure Storage Library
  • Microsoft Defender for Endpoint
  • Microsoft Graphics Component
  • Microsoft Office
  • Open Source Software
  • Role: DNS Server
  • Role: Windows Fax Service
  • Role: Windows Hyper-V
  • Servicing Stack Updates
  • Skype for Business and Microsoft Lync
  • Visual Studio
  • Windows Active Directory
  • Windows Advanced Local Procedure Call
  • Windows BitLocker
  • Windows Boot Manager
  • Windows Client/Server Runtime Subsystem
  • Windows Connected Devices Platform Service
  • Windows Credential Guard
  • Windows Digital TV Tuner
  • Windows Fast FAT Driver
  • Windows Fax and Scan Service
  • Windows Group Policy
  • Windows IIS
  • Windows Kernel
  • Windows Media
  • Windows Network File System
  • Windows Performance Counters
  • Windows Point-to-Point Tunneling Protocol
  • Windows Portable Device Enumerator Service
  • Windows Print Spooler Components
  • Windows Remote Procedure Call Runtime
  • Windows Security Account Manager
  • Windows Server Service
  • Windows Shell
  • Windows Storage
  • XBox

Containment, Mitigations & Remediations

Update installation: Microsoft has released several security updates for vulnerabilities. Our recommendation is to install these updates to protect your environment.

Indicators of Compromise

None published at this time.

Threat Landscape

CISA, the US Cybersecurity & Infrastructure Security Agency, has added the zero-day to their Known Exploited Vulnerabilities (KEV) catalogue and urged federal agencies to patch within the next three weeks. MSTIC have not published details on how the exploit was used in attacks.

Mitre Methodologies

  • T1190 – Exploit Public-Facing Application
  • T1068 – Exploitation for Privilege Escalation
  • T1210 – Exploitation of Remote Services

Further Information

Microsoft Security Update Guide