Microsoft patched a zero-day bug in its latest Patch Tuesday update this week that is already being exploited in the wild and that lets an attacker who can already run code on a Windows machine elevate to SYSTEM.
CVE-2022-22047 is an elevation of privilege vulnerability in the Windows Client/Server Runtime Subsystem (CSRSS), the user-mode process responsible for Windows features including console windows and the shutdown process. Details on how to exploit the bug are understandably scarce, since Microsoft lists it as exploited but not yet publicly disclosed. It is a local bug rather than a remote one: the attacker first needs a foothold on the machine, and a successful attack turns that foothold into SYSTEM privileges.
Microsoft rated this bug only as Important, which could cause some customers to overlook it. Nevertheless, its exploitation in the wild makes it crucial for organizations to patch it as soon as possible.
CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and given federal agencies three weeks to patch it. The patches are mandatory under Binding Operational Directive 22-01, issued in November 2021, which requires agencies to remediate bugs in the KEV catalog by their due dates.
There were four critical bugs in Microsoft’s Patch Tuesday rollout. CVE-2022-22029 and CVE-2022-22039 are remote code execution vulnerabilities in the Windows Network File System (NFS) service, exploitable with a maliciously crafted call to an NFS service; hosts that do not expose NFS are not reachable through either of them.
CVE-2022-22038, also rated critical, is a remote code execution vulnerability in the Windows RPC runtime. According to Microsoft, an attacker would need to invest time in repeated attempts, sending “constant or intermittent data” to the service rather than a single trigger.
The last critical bug in the lineup is CVE-2022-30221, a flaw in the Windows Graphics Component that also allows remote code execution. Microsoft said the flaw only affects machines with RDP 8.0 or 8.1 installed, and an attacker would have to convince a user to connect to a malicious RDP server, which could then execute code on the victim’s system.
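A quick way to turn the items above into a per-host triage is to check two things on each machine: whether it actually exposes the NFS attack surface, and whether any update from this release cycle has landed. The following PowerShell script is an added example, not code from the article or from Microsoft. It assumes the Server for NFS service is registered as NfsService and listens on TCP 2049, and it treats any update with an InstalledOn date on or after 12 July 2022 as evidence of this month's rollout, because the KB number differs per Windows build and is not hardcoded here. The article gives no programmatic test for RDP 8.0/8.1, so the script only records the mstsc.exe file version for comparison against your own baseline.

```powershell
# Added triage script for the July 2022 Patch Tuesday items discussed above.
# Illustrative only; not from the article or from Microsoft. Assumptions:
#  - Server for NFS is registered as the 'NfsService' service and listens on TCP 2049
#  - the cumulative update carrying these fixes shows InstalledOn >= 2022-07-12
#  - RDP 8.0/8.1 presence is not tested, only the mstsc.exe version is reported
# Run in an elevated PowerShell session on the host being assessed.

$patchTuesday = Get-Date '2022-07-12'
$report = [ordered]@{}

# 1. NFS exposure: CVE-2022-22029 / CVE-2022-22039 need a reachable NFS service.
$nfs = Get-Service -Name 'NfsService' -ErrorAction SilentlyContinue
$report['NfsServiceInstalled']  = [bool]$nfs
$report['NfsServiceRunning']    = [bool]($nfs -and $nfs.Status -eq 'Running')
$report['NfsPort2049Listening'] = [bool](Get-NetTCPConnection -State Listen -LocalPort 2049 -ErrorAction SilentlyContinue)

# 2. RDP client build: CVE-2022-30221 is client-side (user connects to a malicious
#    server) and limited to RDP 8.0/8.1. Record the version for manual comparison.
$mstsc = Get-Item "$env:SystemRoot\System32\mstsc.exe" -ErrorAction SilentlyContinue
$report['MstscFileVersion'] = if ($mstsc) { $mstsc.VersionInfo.FileVersion } else { $null }

# 3. Patch state: any update installed on or after the release date.
#    Get-HotFix leaves InstalledOn empty for some entries, so filter those first.
$recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday }
$report['UpdatesSinceRelease'] = ($recent | ForEach-Object { $_.HotFixID }) -join ','
$report['LikelyPatched']       = [bool]$recent

# 4. Verdict for fleet-wide sorting. An unpatched host is already high priority
#    because CVE-2022-22047 (exploited in the wild) is local and applies everywhere;
#    an exposed NFS service adds an unauthenticated remote vector on top of that.
$report['Priority'] = if (-not $report['LikelyPatched']) {
    if ($report['NfsPort2049Listening']) { 'CRITICAL: unpatched and NFS exposed' }
    else                                 { 'HIGH: unpatched (CSRSS EoP exploited in the wild)' }
} else {
    'LOW: updates present since release; confirm the build-specific KB'
}

[pscustomobject]$report | Format-List
```

Run it through Invoke-Command against a list of hosts and sort on the Priority field; the LikelyPatched test is deliberately coarse (it only proves something was installed after the release date), so confirm the exact KB for each build before closing a ticket.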
Adobe also released updates for its Acrobat, Acrobat Reader, RoboHelp, Animate, and Photoshop products on Tuesday. The Acrobat and Reader updates fixed over 20 vulnerabilities, including several that allow arbitrary code execution.