This digest explores the most serious vulnerabilities in popular Windows software for which patches have been provided during the past month. In this issue, you will learn about:
- Key Microsoft vulnerabilities from July’s Patch Tuesday:
- CVE-2022-30216, Windows Server Service Tampering Vulnerability
- CVE-2022-22029, Windows Network File System Remote Code Execution Vulnerability
- CVE-2022-22038, Remote Procedure Call Runtime Remote Code Execution Vulnerability
- CVE-2022-22047, Windows CSRSS Elevation of Privilege
- Microsoft Edge vulnerabilities
- Google Chrome vulnerabilities
- Mozilla Firefox vulnerabilities
Microsoft Vulnerabilities
July 2022 Patch Tuesday from Microsoft included fixes for 86 vulnerabilities, four of which are critical. It is a huge release compared to June’s, with 56% more patches and one more critical vulnerability fix.
Here we’ll cover 4 critical vulnerabilities addressed by this Patch Tuesday.
We recommend testing and installing these updates as soon as possible. If it is not possible to update a vulnerable system quickly, it is advisable to remove it from public access behind a VPN until the patch is installed.
Windows Network File System Remote Code Execution Vulnerability
Tracked as CVE-2022-22029, this patch continues a series on NFS vulnerabilities that started in May. The previous patch was for NFSv4.1, and this patch is for NFSv3. That’s very strange, since Microsoft wrote that they fixed version 3 in the May update. It turns out that the May update fixed only NFSv2. This vulnerability has a severity of “critical” because of multi-month history and because it could be exploited over the network to trigger remote code execution (RCE). Its CVSS score is only 8.1 because execution is rather complex and time-consuming; nevertheless, if you are using NFS3, patching is a must.
Windows Server Service Tampering Vulnerability
Windows Server Service Tampering Vulnerability, tracked as CVE-2022-30216, has a CVSS score of 8.8. For successful exploitation of this vulnerability, a malicious certificate needs to be imported on an affected system. An authenticated attacker could remotely upload a certificate to the server service. This is very bad because the certificate could allow malicious code to be run on the server. This attack’s complexity is low, and it puts the integrity, availability, and confidentiality of Windows Server and Windows 10/11 at risk. The exploit is not yet publicly available but exploitation is likely, according to Microsoft.
Remote Procedure Call Runtime Remote Code Execution Vulnerability
Remote Procedure Call Runtime Remote Code Execution Vulnerability, tracked as CVE-2022-22038, is another critical vulnerability. Its CVSS score is just 8.1 due to high attack complexity — there is no exploit yet, just a PoC. The score could be increased if an exploit is delivered to the darknet.
Windows CSRSS Elevation of Privilege
Windows CSRSS Elevation of Privilege, tracked as CVE-2022-22047, is critical because it is actively exploited in the wild. It has a 7.8 CVSS score because it can be executed only locally. Use of this vulnerability gives an attacker SYSTEM privileges, making it a great bug for privilege escalation. Microsoft doesn’t give any more details, but vulnerabilities of this type are great for taking control over a workstation or server when they are paired with phishing attacks that use Office documents with macros. This vulnerability can likely be combined with Follina to gain full control over a Windows endpoint.
Microsoft Edge Vulnerabilities
Microsoft released an updated version of the Edge 103 browser that fixes four vulnerabilities. The following three were rated as high severity and have a CVSS score of 8.3:
- CVE-2022-33680 could lead to a browser sandbox escape. There is also no exploit available, so the likelihood of exploitation is rather low.
- CVE-2022-30192 is privilege elevation vulnerability.
- CVE-2022-33638 is another privilege elevation vulnerability.
Fortunately, all three of these vulnerabilities are highly complex to perform. An attacker would need to host a website specially designed to exploit the vulnerability and then convince a user to view the website, typically by enticing them via email or instant message, or by getting them to open a malicious email attachment.
Google Chrome Vulnerabilities
Google has released a stable version of Chrome 103 that fixes 14 vulnerabilities, including the following:
- CVE-2022-2156 is the most serious of the fixed bugs. It enables a post-release exploit that could lead to arbitrary code execution, data corruption, or denial of service. Combined with other security issues, the bug could lead to a browser sandbox crash or a complete system compromise.
- CVE-2022-2158 is a high-severity type confusion vulnerability in the V8 JavaScript and WebAssembly engine.
- CVE-2022-2295 involves type confusion in the V8 engine.
- CVE-2022-2296 enables post-release usage in the Chrome OS shell component.
In a previous version of Chrome, Google fixed the browser’s fourth 0-day of this year: CVE-2022-2294, which is heavily exploited in the wild. It is a serious heap-based buffer overflow vulnerability in the WebRTC component; which the consequences of successful exploitation range from RCE to bypassing security solutions.
Mozilla Firefox Vulnerabilities
Mozilla has released an updated version of Firefox 102 that fixes 19 vulnerabilities, including four high severity bugs. The top three are:
- CVE-2022-34470 is the most serious. It is related to a post-exemption exploitation issue in nsSHistory when navigating between XML documents. The vulnerability could be exploited to execute arbitrary code execution, corrupt data, or deny service; when combined with other flaws, it could lead to sandbox exits and complete system compromise.
- CVE-2022-34468 can allow CSP sandbox header traversal without allow-scripts using retargetedjavascript: URI. The bug causes the user to initiate the execution of an iframe script without authorization via a JavaScript link.
- CVE-2022-34484 is a memory security bug inherent in Firefox 101 and Firefox ESR 91.10, which, with enough effort, could be used for remote code execution.
The updated Firefox 102 also includes improved privacy protection by restricting the tracking of query parameters when navigating the internet with strict protection mode (ETP) enabled.
Specifically, Firefox restricts the use of cookies to the sites that created them, which prevents cross-site tracking. The new browser feature allows you to block specific tracking options that websites can use to bypass privacy protections.
How To Efficiently Patch All of These Vulnerabilities And More
Want to learn about newly released updates as soon as they are available — and deploy them quickly and efficiently? With Action1, you can automate your patch management process, from identifying missing updates to streamlining compliance reporting, across both Windows OS and third-party software.
Get started today and use Action1 on 100 endpoints free of charge, with no functionality limitations.