In its July patchload, Microsoft addressed a total of 84 flaws, one of which was being actively exploited in the wild. Meanwhile, four critical vulnerabilities were also fixed in the July Patch Tuesday, the first one after Microsoft rolled out its Autopatch service.Â
The July patchload was a big one compared to June, with 56% more patches, including one additional for acritical vulnerability. Classified by severity, 80 were rated important, and four as critical. All 84 patches are further classified as follows:Â
- 52 Elevation of Privilege vulnerabilities
- FourSecurity Feature Bypass vulnerabilities
- 12 Remote Code Execution vulnerabilities
- 11 Information Disclosure vulnerabilities
- Five Denial of Service vulnerabilities
All four critical vulnerabilities fixed in July are remote code execution (RCE).Â
CVE-2022-30221: Windows Graphics Component Remote Code Execution Vulnerability
The first critical fix rolled out this month is for CVE-2022-30221, an RCE bug that resides in the Windows Graphics Component. It exists in the way it handles objects in memory. Although CVE-2022-30221 had the highest CVSS rating of 8.8 among the 84 flaws, its exploitation was termed “less likely†by Microsoft.Â
CVE-2022-22029: Windows Network File System Remote Code Execution Vulnerability
CVE-2022-22029 (CVSS: 8.1) resides in the Network File System (NFS) service and requires no user interaction to be exploited. The exploitation requires making an unauthenticated, specially crafted call to NFS, a component featured in the third consecutive Patch Tuesday.Â
This patch continues a series on NFS vulnerabilities that started in May. The previous patch was for NFSv4.1, and this patch is for NFSv3. That’s very strange since Microsoft wrote that they fixed version 3 in the May update,†Mike Walters, cybersecurity executive and co-founder of Action1, told Spiceworks, “It turns out that the May update fixed only NFSv2.â€
“This vulnerability has a severity of ‘critical’ because of multi-month history and because it could be exploited over the network to trigger remote code execution (RCE). Its CVSS score is only 8.1 because execution is rather complex and time-consuming; nevertheless, if you are using NFS3, patching is a must,†Walters explained.
CVE-2022-22038: Remote Procedure Call Runtime Remote Code Execution Vulnerability
CVE-2022-22038 (CVSS: 8.1) has a high attack complexity making its exploitation less likely. Similar to CVE-2022-22029, this vulnerability also requires the attacker to continuously exploit the vulnerability by sending constant or intermittent data.
Walters told Spiceworks that for CVE-2022022038, “there is no exploit yet, just a PoC. The score could be increased if an exploit is delivered to the darknet.â€
Dustin Childs of Trend Micro’s Zero Day Initiative advised testing and patching this one quickly because exploitation attempts could be scripted, thus making them consistent. He added that CVE-2022-22038’s CVSS score could be as high as 9.8 if not for the low attack complexity.
CVE-2022-22039: Windows Network File System Remote Code Execution Vulnerability
The exploitation of CVE-2022-22039 is similar to CVE-2022-22029, except that in this case, the attacker needs to win a race condition for successful exploitation.
A couple of other important bugs which were patched include the zero-day CVE-2022-22047 (CVSS: 7.8), which Microsoft said is under active attack, and CVE-2022-30216 (CVSS: 8.8). CVE-2022-30216 can allow an authenticated threat actor to tamper with critical target servers. Tampering involves uploading a malicious certificate in the target server to elevate privileges and possibly execute code.
On the other hand, CVE-2022-22047 can be paired with other vulnerabilities. Walters added, “Use of this (CVE-2022-22047) vulnerability gives an attacker SYSTEM privileges, making it a great bug for privilege escalation. Microsoft doesn’t give any more details, but vulnerabilities of this type are great for taking control over a workstation or server when they are paired with phishing attacks that use Office documents with macros. This vulnerability can likely be combined with Follina to gain full control over a Windows endpoint.â€
Cybersecurity expert Kevin Beaumont made a thread on Twitter explaining important bugs from the July Patch Tuesday:
My monthly Patch Tuesday 7B hype check megathread follows, here’s my initial view on real world risks posed this month:
— Kevin Beaumont (@GossiTheDog) July 12, 2022Opens a new window
For the complete list of security patches that Microsoft rolled out in July Patch Tuesday, refer to the Redmond-based tech giant’s security update guideOpens a new window .Â
The 84 vulnerabilities fixed in July Patch Tuesday exist in Microsoft Windows and Windows Components, Office and Office Components, Windows BitLocker, Windows Azure components, Windows Hyper-V, Microsoft Defender for Endpoint, Xbox and Microsoft Edge, and other products.
What are your thoughts on July Patch Tuesday? Let us know on FacebookOpens a new window , TwitterOpens a new window , and LinkedInOpens a new window .Â