Microsoft has released a total of 74 new security fixes for its software products. This includes one “important” flaw (a Windows LSA Spoofing Vulnerability) that was being actively exploited in the wild.
In the Redmond giant’s latest round of patches, usually released on the second Tuesday of each month on what is known as Patch Tuesday, Microsoft fixed the aforementioned actively exploited flaw, as well as seven other “critical” issues: five remote code execution (RCE) bugs and two elevation of privilege (EoP) flaws. The remaining list of 67 vulnerabilities is dominated by additional RCE and EoP bugs. A smattering of denial-of-service, information leak, security feature bypass, and spoofing issues were corrected as well.
Products impacted by May’s security update include the Windows OS and several of its components; the .NET and Visual Studio platforms; Office and its components; Exchange Server; BitLocker; Remote Desktop Client; NTFS; and Microsoft Edge.
Some of the most severe vulnerabilities resolved in this update are:
- CVE-2022-26925: The only flaw this month listed as being actively exploited. This “important” flaw allows malicious actors to “call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM.” Microsoft assigned the flaw a CVSS severity score of 8.1 but noted that if it was combined with NTLM relay attacks, the severity would be bumped up to 9.8. This patch corrects the flaw by detecting and disallowing anonymous connection attempts in LSARPC.
- CVE-2022-26923: This “critical” flaw lets an attacker abuse certificate issuance by inserting crafted data into a certificate request. The attacker thereby obtains a certificate capable of authenticating as a domain controller with a high level of privilege. It essentially allows an individual with unauthorized authentication to become a domain admin within any domain running Active Directory Certificate Services. This flaw earned a CVSS score of 8.8.
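The CVE-2022-26925 entry above describes a domain controller being coerced into authenticating to an attacker over NTLM, which only becomes dangerous when that authentication is relayed elsewhere. The following is an added detection example, not code from Microsoft or from the original article: it scans authentication records for NTLM logons by domain controller machine accounts and rates them by whether the source address matches the controller's known address. The log format, the account and address values, and the `DOMAIN_CONTROLLERS` mapping are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample authentication records (not real telemetry). Fields:
# timestamp, authentication package, account, source IP, target host.
SAMPLE_LOGS = """\
2022-05-10T09:01:12Z NTLM      DC01$  10.0.0.5   FILESRV01
2022-05-10T09:01:13Z Kerberos  alice  10.0.1.20  FILESRV01
2022-05-10T09:02:44Z NTLM      DC01$  10.0.9.77  WS-UNKNOWN
2022-05-10T09:03:01Z NTLM      DC02$  10.0.0.6   DC01
2022-05-10T09:03:05Z NTLM      bob$   10.0.1.31  FILESRV01
"""

# Assumed inventory: machine account of each domain controller -> its address.
DOMAIN_CONTROLLERS = {"DC01$": "10.0.0.5", "DC02$": "10.0.0.6"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<package>\S+)\s+(?P<account>\S+)\s+"
    r"(?P<src_ip>\S+)\s+(?P<target>\S+)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    package: str
    account: str
    src_ip: str
    target: str


def parse_logs(text):
    """Parse the constructed whitespace-separated format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = LOG_RE.match(line)
        if not match:
            continue  # skip malformed lines instead of aborting the whole scan
        events.append(AuthEvent(**match.groupdict()))
    return events


def detect_coerced_dc_ntlm(events, dc_accounts):
    """Flag NTLM logons made with a domain controller machine account.

    Returns (event, severity, reason) tuples:
      - "high"   when the source address is not the controller's own address,
                 the pattern a relayed, coerced authentication would leave;
      - "medium" when it is, since a controller authenticating outbound over
                 NTLM is itself unusual and worth a look.
    """
    findings = []
    for ev in events:
        if ev.package.upper() != "NTLM" or ev.account not in dc_accounts:
            continue
        expected_ip = dc_accounts[ev.account]
        if ev.src_ip != expected_ip:
            findings.append((ev, "high",
                             f"{ev.account} NTLM logon to {ev.target} from "
                             f"{ev.src_ip}, expected {expected_ip}: possible relay"))
        else:
            findings.append((ev, "medium",
                             f"{ev.account} authenticated outbound via NTLM to "
                             f"{ev.target}: possible coercion"))
    return findings


if __name__ == "__main__":
    for ev, severity, reason in detect_coerced_dc_ntlm(
            parse_logs(SAMPLE_LOGS), DOMAIN_CONTROLLERS):
        print(f"[{severity.upper()}] {ev.ts} {reason}")
```

The "medium" tier will be noisy in environments where controllers legitimately fall back to NTLM, so in practice it is the "high" tier (a controller's account arriving from an address that is not the controller) that deserves an alert; the medium tier is better suited to a periodic review.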
Both CVE-2022-26937 and CVE-2022-29972 are also of special note. The former is an RCE vulnerability in the Windows Network File System (NFS) that targets systems in environments with mixed OS use; the latter is a flaw in the Magnitude Simba Amazon Redshift ODBC Driver important enough to earn its own blog post from Microsoft.
According to the Zero Day Initiative (ZDI), this month’s fixes fall in line with previous May Patch Tuesdays, resulting in the release of 19 more fixes than the previous year, but five fewer than 2019’s equivalent.
Last month, Microsoft resolved over 100 vulnerabilities in the April batch of security fixes. These included two zero-day vulnerabilities; a known Windows User Profile Service bug leading to privilege escalation; and another EoP flaw in the Windows Common Log File System Driver, which was being actively exploited at the time a security fix was issued.
In other Microsoft news, Microsoft’s Q3 earnings revealed revenues surging across the board, reaching $49.4 billion. Cloud revenue was reported as $23.4 billion, up 32% year-over-year.