Microsoft's monthly patch includes four serious bugs

Microsoft’s Patch Tuesday was largely uneventful, but there are four vulnerabilities to watch out for out of 86 that were patched.

CVE-2022-22047 rates as “high” severity with a Common Vulnerabilities Scoring System score of 7.8.

America’s Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerability catalogue.

CISA’s catalogue entry states that “Microsoft Windows CSRSS (Client Server Run-Time Subsystem) contains an unspecified vulnerability which allows for privilege escalation to SYSTEM privileges.”

As noted by The SANS Institute’s Renato Marinho: “The CSRSS is the user-mode process that controls the underlying layer for the Windows environment”, adding that a successful exploit gives the attacker SYSTEM privileges.

Microsoft said the attack complexity is low, the privileges required are low and no user interaction is required.

The bug was discovered by Microsoft researchers.

CVE-2022-22026 also affects the CSRSS service, and has a CVSS score of 8.8.

Microsoft said a local, authenticated attacker “could send specially crafted data to the local CSRSS service to elevate their privileges from AppContainer to SYSTEM.

“The attacker could then execute code or access resources at a higher integrity level than that of the AppContainer execution environment.”

Sergei Glazunov from Google Project Zero is credited with finding that bug.

Next on the list is CVE-2022-30221, also with a CVSS score of 8.8.

This is a remote code execution vulnerability in a Windows Graphics Component that affects Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1, and only if RDP 8.0 or RDP 8.1 are deployed.

Microsoft’s advisory explained that user interaction is required: “An attacker would have to convince a targeted user to connect to a malicious RDP server.

"Upon connecting, the malicious server could execute code on the victim's system in the context of the targeted user.”

The bug was found by Colas Le Guernic and Jeremy Rubert of Thalium, and a researcher who remained anonymous.

Finally, also with a CVSS score of 8.8, there’s CVE-2022-30216, affecting the Windows Server Service.

While details are scant, Microsoft said: “For successful exploitation, a malicious certificate needs to be imported on an affected system. An authenticated attacker could remotely upload a certificate to the server service.”

This vulnerability was discovered by Ben Barnea at Akamai Technologies.

Microsoft also announced on Monday that Windows Autopatch, “a service that uses the Windows Update for Business solutions on your behalf”, is now available for customers with Windows Enterprise E3 and E5 licenses.