July Patch Tuesday is Rich in Azure, Windows Issues
Windows-facing issues make up the bulk of the 85 CVEs addressed, with one vulnerability under active exploit in the wild


Microsoft on Tuesday released patches for 85 vulnerabilities in six Microsoft product families. All but six of those are rated Important in severity, and once again the majority (47) affect Windows. Azure makes up the lion’s share of the remainder with 34 patches in queue, with Edge, Office, Defender, and Xbox Live each receiving one update apiece. Three of the included Important-severity information-disclosure patches actually hail from third parties – two from AMD, one from HackerOne. One Important-class Elevation of Privilege issue, affecting Windows, is currently under active exploit in the wild. One advisory, with connections to Redmond’s long-awaited Windows Autopatch function, is also included in this month’s collection.

There are only four Critical-class vulnerabilities this month, all for Windows, all listed as less likely to be exploited. The sole issue identified as actually under exploit, CVE-2022-22047, affects Client/Server Runtime Subsystem Service (CSRSS); it’s described as an Important-class Elevation of Privilege issue of potentially low attack complexity, requiring low privileges and no user interaction, and affecting both client and server installations. As such, administrators should consider this issue to be worth addressing sooner rather than later.

The two AMD-originated patches are both connected to the chip manufacturer’s own AMD-SB-1037 bulletin, also issued Tuesday. That bulletin addresses Retbleed, a speculative execution attack affecting certain AMD and Intel processors. Retbleed is in turn a variation on a Spectre microarchitectural timing side-channel attack. Retbleed exploits a security defense called retpoline, which was developed to counter Spectre-type attacks, but which has been known to be potentially vulnerable to this sort of attack for years. (Intel, also vulnerable, is releasing advisory information this week as well. Microsoft’s patches today do not include that information.)

Aside from the sheer volume of Azure patches, a few issues addressed in July stand out just because Black Hat is on the horizon. Among various researchers regularly reporting issues to Microsoft, Devcore’s Cheng-Da “Orange” Tsai, who earlier this year disclosed the series of Exchange vulnerabilities that became ProxyLogon, is credited with three Important-severity IIS finds in this month’s patch collection. He’ll be speaking on destabilizing IIS’ hash table at next month’s conference.

By the Numbers

Total Microsoft CVEs: 82
Total third-party CVEs also shipping in update: 3
Publicly disclosed: 0
Publicly exploited: 1
Exploitation detected: 1 (both older and newer product versions)
Exploitation more likely: 5 (both older and newer product versions)
Severity
Critical: 4
Important: 80
Low: 1
Impact
Elevation of Privilege: 54
Remote Code Execution: 12
Information Disclosure: 9
Tampering: 3
Denial of Service: 2
Spoofing: 1

