April 13, 2022

Microsoft on Tuesday released updates to fix roughly 120 security vulnerabilities in its Windows operating systems and other software. Two of the flaws have been publicly detailed prior to this week, and one is already seeing active exploitation, according to a report from the U.S. National Security Agency (NSA).

Of particular concern this month is CVE-2022-24521, which is a “privilege escalation” vulnerability in the Windows common log file system driver. In its advisory, Microsoft said it received a report from the NSA that the flaw is under active attack.

“It’s not stated how widely the exploit is being used in the wild, but it’s likely still targeted at this point and not broadly available,” assessed Dustin Childs with Trend Micro’s Zero Day Initiative. “Go patch your systems before that situation changes.”

Nine of the updates pushed this week address problems Microsoft considers “critical,” meaning the flaws they fix could be abused by malware or malcontents to seize total, remote access to a Windows system without any help from the user.

Among the scariest critical bugs is CVE-2022-26809, a potentially “wormable” weakness in a core Windows component (RPC) that earned a CVSS score of 9.8 (10 being the worst). Microsoft said it believes exploitation of this flaw is more likely than not.

Other potentially wormable threats this month include CVE-2022-24491 and CVE-2022-24497, Windows Network File System (NFS) vulnerabilities that also clock in at 9.8 CVSS scores and are listed as “exploitation more likely by Microsoft.”

“These could be the kind of vulnerabilities which appeal to ransomware operators as they provide the potential to expose critical data,” said Kevin Breen, director of cyber threat research at Immersive Labs. “It is also important for security teams to note that NFS Role is not a default configuration for Windows devices.”

Speaking of wormable flaws, CVE-2022-24500 is a critical bug in the Windows Server Message Block (SMB).

“This is especially poignant as we approach the anniversary of WannaCry, which famously used the EternalBlue SMB vulnerability to propagate at great pace,” Breen added. “Microsoft advises blocking TCP port 445 at the perimeter firewall, which is strong advice regardless of this specific vulnerability. While this won’t stop exploitation from attackers inside the local network, it will prevent new attacks originating from the Internet.”

In addition, this month’s patch batch from Redmond brings updates for Exchange Server, Office, SharePoint Server, Windows Hyper-V, DNS Server, Skype for Business, .NET and Visual Studio, Windows App Store, and Windows Print Spooler components.

As it generally does on the second Tuesday of each month, Adobe released four patches addressing 70 vulnerabilities in Acrobat and Reader, Photoshop, After Effects, and Adobe Commerce. More information on those updates is available here.

For a complete rundown of all patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these patches, please drop a note about it here in the comments.

17 thoughts on “Microsoft Patch Tuesday, April 2022 Edition

  1. Andy Rosa

    120 fixes – Are we going in the wrong direction? Can somebody share a chart vulnerabilities/class/month since win10, and, to quell the fanboys/hateboys, also include Linux?

    1. Reason.d

      Theoretically. Practically speaking it’s the kinds of vulnerabilities that matter, not the amount. As an attacker I only need one valid exploit or exploit chain to compromise any given system. That can happen in 100 (and often does) or 1,000,000 lines of code. Is it more likely in 1,000,000 lines? Sure. But just screaming about lines of code or comparing numbers of vulnerabilities fixed is unhelpful and irrelevant.

  2. Ohalmo

    Thank you and Please Bryan Krebs explain more about the updates program of Windows 10 – 11 enterprise called “autopatch” and that begin in July 2022

  3. Nobby Nobbs

    I run Fedora linux, and at least a dozen patches are issued on most days.
    Not many are security-related. I apply them daily, and in decades I’ve only had them disrupt things twice, both long ago.

    I also run Windows, and 10 has disrupted things more than twice. But many more patches are closing security holes. I wait for Brian’s summary before I apply patches. I have no charts to share, but those are my anecdotal experiences.

    I look forward to seeing how the curves go in the future.

  4. Tony

    Is there a platform out there that does not need 100+patches a month?( A MONTH!!!)

  5. JohnIL

    Every time Microsoft does a new Windows release, they say it will be more secure than the previous one. I have come to expect that Windows will always be targeted and will always be chasing the security vulnerabilities. What’s concerning more to myself recently is how many serious attacks are happening against Chrome. Browsers attacks far more concerning given everyone uses a browser and most are using Chromium.

    1. mealy

      There is only one possibility. Exchange is now fully secure.

  6. Samuel Thayer

    Bill Gates said many years ago that when internet users spend more time defending themselves than using the internet, the internet will fail . .

    1. an_n

      ‘Thankfully’ most users are more or less oblivious to the dangers.

  7. Catwhisperer

    As a Windows user since it came on floppies, my anecdotal experience is that the update architecture has not improved much with time. True, it has become less common for Windows to cause data loss. However, the hit in down time during the update process, i.e. the time between post-update reboot and when you can log in again and do useful work, is still unacceptable. I’ve also noticed a version dependence of update success/down time/operator satisfaction, with Data Center being the absolute best, then Enterprise, then Pro, and finally Home.

    In comparison, a Linux (Ubuntu 20.04) script to automate the update process usually runs in under five minutes, unless there is a distribution upgrade being done.

    However, regardless of update architecture, we will continue to have these issues until software developers are under the auspices of the Engineering Department as opposed to being under the auspices of Marketing. You can make it fast, cheap, secure, but you can only pick two…

  8. George S

    My W10 desktop machine says that I am missing important security fixes …
    Yet when I search for updates all I get is the same warning, nothing to download.
    Also, this has been going on for a few months now.
    Any thoughts?

    1. RS

      Call MS support. Over the years I’ve had to call them a couple times. They were able to resolve my issues and I was never billed.

  9. Alpaca

    Microsoft edge spending a lot of resources use.

  10. GD

    I updated my desktop and notebook yesterday, both running 21H2. Both restarted fine. No observable issues so far.

Comments are closed.