July 12, 2022

Microsoft today released updates to fix at least 86 security vulnerabilities in its Windows operating systems and other software, including a weakness in all supported versions of Windows that Microsoft warns is actively being exploited. The software giant also has made a controversial decision to put the brakes on a plan to block macros in Office documents downloaded from the Internet.

In February, security experts hailed Microsoft’s decision to block VBA macros in all documents downloaded from the Internet. The company said it would roll out the changes in stages between April and June 2022.

Macros have long been a trusted way for cybercrooks to trick people into running malicious code. Microsoft Office by default warns users that enabling macros in untrusted documents is a security risk, but those warnings can be easily disabled with the click of button. Under Microsoft’s plan, the new warnings provided no such way to enable the macros.

As Ars Technica veteran reporter Dan Goodin put it, “security professionals—some who have spent the past two decades watching clients and employees get infected with ransomware, wipers, and espionage with frustrating regularity—cheered the change.”

But last week, Microsoft abruptly changed course. As first reported by BleepingComputer, Redmond said it would roll back the changes based on feedback from users.

“While Microsoft has not shared the negative feedback that led to the rollback of this change, users have reported that they are unable to find the Unblock button to remove the Mark-of-the-Web from downloaded files, making it impossible to enable macros,” Bleeping’s Sergiu Gatlan wrote.

Microsoft later said the decision to roll back turning off macros by default was temporary, although it has not indicated when this important change might be made for good.

The zero-day Windows vulnerability already seeing active attacks is CVE-2022-22047, which is an elevation of privilege vulnerability in all supported versions of Windows. Trend Micro’s Zero Day Initiative notes that while this bug is listed as being under active attack, there’s no information from Microsoft on where or how widely it is being exploited.

“The vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target,” ZDI’s Dustin Childs wrote. “Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system. These attacks often rely on macros, which is why so many were disheartened to hear Microsoft’s delay in blocking all Office macros by default.”

Kevin Breen, director of cyber threat research at Immersive Labs, said CVE-2022-22047 is the kind of vulnerability that is typically seen abused after a target has already been compromised.

“Crucially, it allows the attacker to escalate their permissions from that of a normal user to the same permissions as the SYSTEM,” he said. “With this level of access, the attackers are able to disable local services such as Endpoint Detection and Security tools. With SYSTEM access they can also deploy tools like Mimikatz which can be used to recover even more admin and domain level accounts, spreading the threat quickly.”

After a brief reprieve from patching serious security problems in the Windows Print Spooler service, we are back to business as usual. July’s patch batch contains fixes for four separate elevation of privilege vulnerabilities in Windows Print Spooler, identified as CVE-2022-22022, CVE-2022-22041, CVE-2022-30206, and CVE-2022-30226. Experts at security firm Tenable note that these four flaws provide attackers with the ability to delete files or gain SYSTEM level privileges on a vulnerable system.

Roughly a third of the patches issued today involve weaknesses in Microsoft’s Azure Site Recovery offering. Other components seeing updates this month include Microsoft Defender for Endpoint; Microsoft Edge (Chromium-based); Office; Windows BitLocker; Windows Hyper-V; Skype for Business and Microsoft Lync; and Xbox.

Four of the flaws fixed this month address vulnerabilities Microsoft rates “critical,” meaning they could be used by malware or malcontents to assume remote control over unpatched Windows systems, usually without any help from users. CVE-2022-22029 and CVE-2022-22039 affect Network File System (NFS) servers, and CVE-2022-22038 affects the Remote Procedure Call (RPC) runtime.

“Although all three of these will be relatively tricky for attackers to exploit due to the amount of sustained data that needs to be transmitted, administrators should patch sooner rather than later,” said Greg Wiseman, product manager at Rapid7. “CVE-2022-30221 supposedly affects the Windows Graphics Component, though Microsoft’s FAQ indicates that exploitation requires users to access a malicious RDP server.”

Separately, Adobe today issued patches to address at least 27 vulnerabilities across multiple products, including Acrobat and Reader, Photoshop, RoboHelp, and Adobe Character Animator.

For a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.

23 thoughts on “Microsoft Patch Tuesday, July 2022 Edition

  1. zoxim

    This month’s update for Windows 8.1 adds a nag screen to tell users that Microsoft is ending tech and security support next January. This includes a link to their website for suggestions as to what to do. Basically, they tell you to buy another computer.

    1. Wanou

      Basically, running windows 8 means you are running a computer you bought (a lot) more than 6 years ago, and you did not let it upgrade to windows 10.
      Most of the time because Windows 10 was not supported on it (low end cpu…)

      So, yeah, time to upgrade your AMD E1-1200 laptop.

    2. Catwhisperer

      What? They didn’t tell you to migrate to Linux? That machine that becomes chilled molasses on Windows 10 (if it runs at all) will run perfectly on a small footprint Linux distro, and a desktop environment like XFCE.

      1. K A

        @Catwhisperer – Linux – given away for free for 30 years and still just 2% of the world’s desktop. Do you get annoyed by jehovah witnesses who just won’t shut up? Then stop acting like them!

        1. QA

          *ux is a widespread backbone technology, so trying to make it appear insignificant shines more of a light on your own insignificant understanding of the subject matter. The point was that the lightweight platform is better suited for older HW laptops than the latest Windows which will now not install on them anyway. It’s valid to the point of being obvious, but certainly not prosthelytizing or annoying to point out. There is not a comparable alternative that’s as extensible and also completely free. If Windows were an option no doubt they would continue using that, but for that HW it no longer is. If the internet of information annoys you, perhaps you’re just using it wrong.

    3. Brain2000

      Apply would have kicked you out 6 years ago.
      Put an SSD in it and upgrade.
      I updated mine free of charge. Not sure if that is still offered.

  2. Jeff Martin

    ““While Microsoft has not shared the negative feedback that led to the rollback of this change, users have reported that they are unable to find the Unblock button to remove the Mark-of-the-Web from downloaded files, making it impossible to enable macros,” Bleeping’s Sergiu Gatlan wrote.”

    My org has been using the block for years, and also found that the unblock feature is sporadically missing. We’ve never relied on it or trained for it. There area other ways to remove the ‘mark of the web’, the easiest of which is to use the Save As feature in the app, this makes a new, unmarked copy.

  3. James P. Goltz

    Any chance the “negative feedback” came from the NSA et al., who may have some zero-days that require macros?

  4. Catwhisperer

    I’ve developed the habit of running sfc /scannow after the monthly Update Tuesday’s, and low and behold, one laptop detected errors, requiring DISM to resolve. Do your due diligence folks in checking Microsoft’s work, LOL!

  5. sroh

    where is the internet explorer browser uninstall tool?

  6. KFritz

    An amusing story from LinuxWorld: for whatever reason, Ubuntu chose today to issue the largest Security Update I’ve seen in over a decade of use. And while it’s not as slow as the Redmond Crawl, it’s still also the slowest Ubuntu update I’ve seen. ?Coincidence?

    1. an_n

      Coincidence. Unless you can think of a possible link. I can’t.

  7. E

    Looks like this update broke automatic maintenance, it will now never complete.

    Normally, maintenance completes before power management suspends your PC; if maintenance completes when scheduled, it will not automatically run again until the next scheduled run. If it is interrupted, however, it will restart the next time your PC is idle.

    With this update, now no matter how long you leave the system idle, automatic maintenance never completes, it’s always in progress…

    This will probably cause performance issues.

  8. John B

    Updated my Win10 Home OS today earlier than normal (usually wait a week). No problems encountered.

  9. OldNavyGuy

    Updated Windows 10 Pro 21H2 system.

    No issues.

  10. gtodon

    This latest update has made the WinX menu (also known as the Power Menu or Power User Menu) disappear from my Windows 11 laptop. The first time this happened, I did a system restore to a few days earlier, and the menu returned. But then I allowed the update again, and the menu disappeared again.
    The WinX menu isn’t essential, but I’m going to miss its convenience if I can’t get it back somehow. If you don’t know what I’m talking about, it’s the “context menu that provides quick access to some of Windows’ more advanced or frequently accessed features,” as How-To Geek describes it. The list includes Device Manager, Event Viewer, Task Manager, Run, and much more. All of those options are available elsewhere, but having them on the WinX menu was super convenient. The menu can normally be opened either by right-clicking the Start button or by hitting the Windows and X keys at the same time.
    If anyone has any ideas about how to get this menu back, I’d love to hear them.

  11. Chris Gowing

    Updated Windows 10 Home on Wednesday. Discovered that the scan function on my all-in-one printer was “unreachable”.
    Did a system restore (a three hour task) and scanner was again working. Now Update wants me to re-install the July cumulative. Not sure what to do now. Any ideas? As you can see, I’m no computer expert, but a long term reader of Brian’s.

    1. an_n

      Try uninstalling printer, the all-in-1 sw + driver, reboot, (optional reg/dir cleanup)
      WUpdate, then fresh installing the printer suite from updated package repo.
      Check functionality. Then Wupdate again and recheck.

      If MS blows it up again on print spooler updates I will not be surprised.

  12. Handsoff

    It’s true that July cumulative updates for Windows 7 brought another 3 esu years?

  13. KR

    Thanks to those who provided relevant reports on their updates.

    I updated my desktop and notebook last evening, both W10 21H2. Both restarted OK. No issues observed as yet.

Comments are closed.