4 critical flaws among 84 fixes in July Patch Tuesday

Microsoft fixed four critical security flaws and one zero-day vulnerability in the July edition of its monthly security update.

The Patch Tuesday release addressed a total of 84 security holes, four of which were deemed to be critical flaws. All four -- CVE-2022-22038, CVE-2022-30221, CVE-2022-22029 and CVE-2022-22039 -- were found in components of Windows and, if exploited, would lead to arbitrary remote code execution.

The only flaw to see active exploitation in the wild, however, was an elevation of privilege vulnerability. CVE-2022-22047 is a vulnerability in the CSRSS component of both Windows and Windows Server.

"It is not something that could be remotely exploited," Ivanti vice president of product management Chris Goettl told SearchSecurity, "but attackers can use this to abuse their privileges."

Azure features prominently in this month's Patch Tuesday, with 33 of the fixes addressing various elevation of privilege vulnerabilities in the cloud platform's Azure Site Recovery, a disaster recovery tool. One of the 33 flaws was discovered by Tenable, which found the tool was vulnerable to DLL hijacking attacks.

"As this vulnerability was discovered in an application used for disaster recovery, we are reminded that had this been discovered by malicious actors, most notably ransomware groups, the impact could have been much wider reaching," said James Sebree, principal research engineer at Tenable, in an advisory.

These flaws, it should be noted, are present in the locally installed builds of Azure, not the cloud service. This means that administrators will need to take extra time to seek out any installations of Azure running on their infrastructure and install patches, which may prove to be a difficult task in larger infrastructures.

"Depending on how good their asset capabilities are, they may or may not know where Azure is," Goettl explained. "This is the type of back-end infrastructure type of vulnerability that often gets lost."

Microsoft's Print Spooler was back in the spotlight as well, with four security flaws being addressed this month, each an elevation of privilege. The service first came under the microscope last summer with an emergency patch for CVE-2021-34527, also known as PrintNightmare, which led to additional Print Spooler vulnerabilities being discovered and patched. The flaws are part of a growing trend of single vulnerabilities leading to multiple discoveries and disclosures.

Also addressed in this month's update was a pair of flaws in AMD's chip architecture, which require updates for Windows. The side-channel vulnerabilities call back to the Spectre and Meltdown flaws that dominated headlines back in 2018.

While the idea of a security vulnerability at the chip level may seem daunting to administrators and defenders, the real-world model for an attack is rather impractical. Goettl told SearchSecurity that, for an attacker to have the level of access needed to go after the chip flaws, a near complete system takeover will need to have already needed to have taken place.

"It is hard to say how much urgency should be placed on this," Goettl said.

While not a security flaw in itself, Goettl noted that administrators should also take into account the recent end of Microsoft support for Internet Explorer. While the browser has long been given a backseat to Edge, admins are likely to find legacy copies left open to attack.

"A lot of organizations were expecting that end of life means it goes away, but no," Goettl said. "I would say to expect several months of IE hanging around."