Microsoft's April Patch Tuesday update addresses two zero-days

One of them is under active attack

Microsoft has released its April 2022 Patch Tuesday update, addressing a total of 119 security vulnerabilities, including two zero-days.

Of all the vulnerabilities fixed this month, 10 are rated 'critical', meaning they can be exploited by attackers to gain remote access to vulnerable Windows systems without any help from the user.

In the Redmond giant's latest round of patches, 47 vulnerabilities are described as elevation of privilege (EoP) flaws, 47 remote code execution (RCE), 13 information disclosure, nine denial of service (DoS), and three as spoofing vulnerabilities.

In addition, Microsoft has also plugged 26 security holes in its Chromium-based Edge browser, bringing the total of vulnerabilities fixed this month to 145.

This month's security update includes fixes for two zero-days, one publicly known and the other under active attack at the time of release.

The actively exploited flaw (CVE-2022-24521) is an EoP issue in the Windows Common Log File System (CLFS) driver. Microsoft assigned the flaw a CVSS score of 7.8 out of 10 and rates its attack complexity as low.

Microsoft credited the US National Security Agency (NSA) and CrowdStrike researchers Adam Podlosky and Amir Bazine for the discovery of the flaw.

The second zero-day (CVE-2022-26904), which was publicly known before the patch, is also an EoP vulnerability, this one in the Windows User Profile Service. The bug has received a CVSS severity score of 7.0, and Microsoft rates its attack complexity as 'high' because 'successful exploitation requires an attacker to win a race condition'.

Other notable vulnerabilities addressed this month are CVE-2022-24491 and CVE-2022-26809, both rated 'critical', which affect the Windows Network File System and the Remote Procedure Call Runtime, respectively.

Both received a CVSS score of 9.8, and successful exploitation can lead to remote code execution.

Other critical vulnerabilities addressed this month are: CVE-2022-26919, CVE-2022-23259, CVE-2022-22008, CVE-2022-24537, CVE-2022-23257, CVE-2022-24497, CVE-2022-24541, and CVE-2022-24500.

Also addressed are a number of EoP flaws affecting the Windows Print Spooler component.

The patches arrive about a week after Microsoft revealed plans to make a feature called Autopatch available in July 2022, which would enable organisations to keep Windows and Office software up to date.

Microsoft claims that with the introduction of Windows Autopatch, Patch Tuesday will become "just another Tuesday".

"With Autopatch coming over the horizon to help security teams prioritize and patch with a greater deal of automation, the monthly Patch Tuesday regime may soon become a thing of infosec lore," said Kev Breen, director of cyber threat research at Immersive Labs.

"Top of the priority list this month should be CVE-2022-24521 as, while only scoring 7.2, it is seeing active exploitation."

"A pair of 9.8 scoring remote code execution vulnerabilities (CVE-2022-24491 and CVE-2022-24497) in Windows Network File System (NFS) also have the potential to be damaging. These could be the kind of vulnerabilities which appeal to ransomware operators as they provide the potential to expose critical data."

Greg Wiseman, lead product manager at Rapid7, said: "From Defender to Windows, Office to Azure, this month's Patch Tuesday has a large swath of Microsoft's portfolio getting vulnerabilities fixed.

"With so many vulnerabilities to manage, it can be difficult to prioritise. Thankfully, most of this month's CVEs can be addressed by patching the core OS. Administrators should first focus on updating any public-facing servers before moving on to internal servers and then client systems.

"The SMB Client vulnerabilities can also be mitigated by blocking port 445/tcp at the network perimeter - victims need to be enticed to connect to a malicious SMB server, and this would help against Internet-based attackers. Of course, this won't help much if the malicious system was set up within the perimeter."