Microsoft has released more than 100 software security patches that address critical issues, including two zero days.
In the Redmond behemoth’s latest round of patches, usually released on the second Tuesday of every month as part of what’s known as Patch Tuesday, Microsoft fixed issues including numerous remote code execution bugs. (RCE), elevation of privilege (EoP), denial of service, information leaks and identity theft. A total of 10 vulnerabilities are classified as critical.
Products affected by the April security update include Windows operating system, Microsoft Office, Dynamics, Edge, Hyper-V, File Server, Skype for Business, and Windows SMB.
The zero-day vulnerabilities addressed in this update are:
- CVE-2022-26904: This known zero-day flaw affects the Windows User Profile Service and is described as an EoP vulnerability. The bug was given a CVSS severity score of 7.0 and its attack complexity is rated “high” because “successful exploitation of this vulnerability requires an attacker to win a race condition,” according to Microsoft.
- CVE-2022-24521: This bug is another EoP issue found in the Windows Common Log File System driver. Released a CVSS score of 7.8, Microsoft says the complexity of the attack is low and the company has detected active exploitation, although the flaw has not been made public so far.
Two other security issues, CVE-2022-26809 and CVE-2022-24491, are also worth noting. These vulnerabilities, which affect the execution of remote procedure calls and the Windows network file system, have achieved CVSS scores of 9.8 and can be exploited to trigger RCE.
According to the Zero Day Initiative (ZDI), the patch volume level is similar to Q1 2021.
Last month, Microsoft addressed 71 vulnerabilities in the March security patch bundle. Among the bugs addressed are CVE-2022-22006 and CVE-2022-24501, which are the only two critical bugs fixed. In February, Microsoft patched 48 vulnerabilities, including a zero-day security flaw.
In other Microsoft news, the tech giant is planning a change that could spell the end of Patch Tuesday as we know it. Dubbed Windows Autopatch, the automatic Windows and Office software update service will be rolled out to enterprise customers to ensure they have access to security patches faster, rather than waiting for a monthly update – with the exception of unscheduled emergencies. versions.
Windows Autopatch is expected to be released in July 2022.
Continue reading: Microsoft: Windows Autopatch is coming soon. Here’s what you need to know
Along with Microsoft’s Patch Tuesday series, other vendors have also released security updates accessible below.