Microsoft patches two zero-days, 10 critical bugs
Two zero-day vulnerabilities — one previously disclosed and supposedly fixed twice before — are among the 119 bugs Microsoft fixed in its April 2022 Patch Tuesday update, along with more than 20 Chromium vulnerabilities in the Edge browser.
The two zero-days are CVE-2022-24521, an elevation of privilege vulnerability in the Windows Common Log File System Driver that is being exploited in the wild but was not publicly disclosed beforehand; and CVE-2022-26904, an elevation of privilege vulnerability in the Windows User Profile Service that was publicly disclosed but is not known to be exploited. Both carry CVSS scores between seven and eight and are rated important.
CVE-2022-26904 is of particular interest this month because it was first meant to be fixed in the August 2021 update, when it was tracked as CVE-2021-34484. The researcher who discovered it later found a bypass, and when that bypass was patched in January, he bypassed the fix a second time. The bug is considered difficult to exploit because an attacker has to time the attempt precisely to win a race condition.
Of the other vulnerabilities, 10 are rated critical, 115 important and three moderate, making the April update the largest of 2022 so far. More details on some of this month’s other notable vulnerabilities are available in a separate write-up.
While large in scope, the April drop might ultimately prove more notable given that it’s one of Microsoft’s final Patch Tuesday updates — at least in its current form. In early April, Redmond announced plans to introduce a new service called Windows Autopatch as a feature of Windows Enterprise E3 licenses, covering Windows 10, 11 and Windows 365. This will be available in July 2022.
“This service automatically keeps Windows and Office software on registered endpoints up to date at no additional cost. IT admins can free up time and resources to add value. The second Tuesday of the month will be ‘just another Tuesday,’” Microsoft’s Lior Bela said.
According to Bela, the service was prompted by the growing complexity of enterprise IT environments, which has vastly increased the number of potential vulnerabilities that need patching and leaves organizations exposed when patches are not applied in a timely manner.
“By automating the management of updates, Autopatch can respond to changes in a timely manner and provide confidence in introducing new changes and closing the protection and productivity gaps,” said Bela.
“The value should be felt immediately by IT admins who don’t need to plan for rolling out and sequencing updates, and over the long term as the increased bandwidth gives them more time to focus on adding value. Quality updates should improve device performance and reduce helpdesk tickets – feature updates should provide users with an optimal experience with increased uptime and new tools to create and collaborate.”
At its core, the service relies on a progressive rollout of patches through a series of so-called rings. Patching begins with a small core of devices used for testing and validation before cascading out to the rest of the enterprise inventory, with additional controls called halt, rollback and selectivity available to stop or reverse a rollout if something breaks.
Microsoft believes this approach will improve the Autopatch service and give enterprise security teams peace of mind.
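To make the ring mechanism concrete, here is an added illustration (not Microsoft's code, and not from the article): a patch advances ring by ring, and if the observed install failure rate in any ring exceeds a threshold the rollout halts and every ring patched so far is rolled back. Ring names, device counts, the 5% threshold and the telemetry values are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of a ring-based rollout with halt and rollback.
# Thresholds, ring names and failure rates are assumptions for illustration.

@dataclass
class Ring:
    name: str
    devices: int
    patched: bool = False

@dataclass
class RolloutResult:
    status: str                          # "complete" or "halted"
    patched: list = field(default_factory=list)      # rings left patched
    rolled_back: list = field(default_factory=list)  # rings reverted, latest first

def rollout(rings, failure_rates, max_failure_rate=0.05):
    """Push a patch through rings in order, halting and rolling back on failure.

    failure_rates maps ring name -> observed fraction of failed installs
    (constructed telemetry; rings not listed are assumed to succeed)."""
    result = RolloutResult(status="complete")
    for i, ring in enumerate(rings):
        ring.patched = True
        result.patched.append(ring.name)
        if failure_rates.get(ring.name, 0.0) > max_failure_rate:
            # Halt: stop the cascade and revert every ring patched so far.
            result.status = "halted"
            for done in reversed(rings[: i + 1]):
                done.patched = False
                result.rolled_back.append(done.name)
            result.patched.clear()
            break
    return result

def demo():
    """Constructed scenario: the pilot ring reports 8% failed installs."""
    rings = [Ring("test", 10), Ring("pilot", 100), Ring("broad", 5000)]
    return rollout(rings, {"test": 0.0, "pilot": 0.08})

if __name__ == "__main__":
    print(demo())
```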
“Keeping software up to date is one of the most effective preventive measures a company can take. Cyber attacks are not magic, and by patching systems quickly, organizations can reduce the available attack surface,” said Tim Erlin, strategy vice president at Tripwire.
“Microsoft has long supported automatic updates, but this fundamental capability has never addressed the myriad potential problems of large-scale patching. Autopatch aims to implement a more robust process for deploying updates, including testing and phasing.
“For organizations that already use automatic updates, Autopatch should make their lives easier. And for organizations that haven’t applied updates automatically, Autopatch should allow them to do so.”
For more information about the Windows Autopatch service, see an FAQ compiled by Microsoft.