IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Microsoft's massive 145-vulnerability Patch Tuesday fixes ten critical exploits

This month's round of patches is now available with some exploits proving to be particularly dangerous

Microsoft has patched considerably more than 100 security vulnerabilities this week, as part of its monthly ‘Patch Tuesday’, including ten rated ‘critical’.

The 145 now-fixed vulnerabilities were dominated by privilege escalation flaws and remote code execution (RCE) vulnerabilities, a total of 55 and 47 respectively. Denial of service, information disclosure, and spoofing flaws comprised the majority of the remainder.

Of the ten critical-rated vulnerabilities, three of them scored nearly maximum marks (9.8), representing a serious threat to organisations. 

All three 9.8-rated vulnerabilities are RCE flaws that require a low degree of attack complexity in order to exploit, two of which are wormable, according to Zero Day Initiative (ZDI).

The first of the two wormable flaws is CVE-2022-26809, a flaw that could allow an attacker to execute arbitrary code on a machine with high privileges. The static port used in this exploit (TCP port 135) is usually blocked at the network perimeter, ZDI said, but it’s still a highly dangerous vulnerability that should be patched swiftly.

The second wormable attack can be exploited through a combination of two vulnerabilities amounting to a critical rating, both affecting the Windows Network File System (NFS) and tracked as CVE-2022-24491 and CVE-2022-24497.

“On systems where the NFS role is enabled, a remote attacker could execute their code on an affected system with high privileges and without user interaction,” said ZDI. “Again, that adds up to a wormable bug – at least between NFS servers. 

“Similar to RPC, this is often blocked at the network perimeter. However, Microsoft does provide guidance on how the RPC port multiplexer (port 2049) ‘is firewall-friendly and simplifies deployment of NFS.’ Check your installations and roll out these patches rapidly.”

Another of the more notable vulnerabilities was CVE-2022-26904. Found jointly by CrowdStrike and the US National Security Agency, it’s a privilege escalation issue that can be exploited if an attacker can win a race condition.

Microsoft categorised the flaw as ‘high’ complexity in order to exploit it and there is functional proof-of-concept (PoC) code available that works in most situations where the vulnerability exists, it said.

Its CVSS v3 score is comparatively lower than the aforementioned critical vulnerabilities, scoring 7.0, but ZDI also noted that there is a functional Metasploit module also available for CVE-2022-26904. This means the widely abused penetration testing software now has pre-built functionality to exploit the security vulnerability, making attacks easier for cyber criminals.

Related Resource

The Total Economic Impact™ of IBM Security MaaS360 with Watson

Cost savings and business benefits enabled by MaaS360

Whitepaper cover with title and green square graphic to rightFree Download

As with all security vulnerabilities and especially zero-day exploits, businesses are urged to apply the patches as soon as possible to prevent cyber attacks and potential data loss. Now that these vulnerabilities are published, prospective attackers can analyse the exploit methodology and use it to their advantage.

“With so many vulnerabilities to manage, it can be difficult to prioritise,” said Greg Wiseman, Lead Product Manager at Rapid7 to IT Pro. “Thankfully, most of this month’s CVEs can be addressed by patching the core operating system

"Administrators should first focus on updating any public-facing servers before moving on to internal servers and then client systems. The SMB Client vulnerabilities can also be mitigated by blocking port 445/tcp at the network perimeter – victims need to be enticed to connect to a malicious SMB server, and this would help against Internet-based attackers. Of course, this won’t help much if the malicious system was set up within the perimeter.”

Full details of this week's round of patches can be found in Microsoft's detailed rundown.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Microsoft reportedly blocks Russian Windows 10 and Windows 11 downloads
Microsoft Windows

Microsoft reportedly blocks Russian Windows 10 and Windows 11 downloads

20 Jun 2022
IT Pro News in Review: UK tech raises $16bn, Microsoft acquires Miburo, largest DDoS attack mitigated
Business strategy

IT Pro News in Review: UK tech raises $16bn, Microsoft acquires Miburo, largest DDoS attack mitigated

17 Jun 2022
Proofpoint details 'dangerous' ransomware flaw in SharePoint and OneDrive
ransomware

Proofpoint details 'dangerous' ransomware flaw in SharePoint and OneDrive

17 Jun 2022
Microsoft silent patches called “a grossly irresponsible policy”
cyber security

Microsoft silent patches called “a grossly irresponsible policy”

15 Jun 2022

Most Popular

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
Security

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022
Open source giant Red Hat joins HPE GreenLake ecosystem
automation

Open source giant Red Hat joins HPE GreenLake ecosystem

28 Jun 2022
Carnival hit with $5 million fine over cyber security violations
cyber security

Carnival hit with $5 million fine over cyber security violations

27 Jun 2022