US Feds urge agencies to patch a Microsoft July Patch Tues. 2022 bug that is being exploited in the wild by Aug. 2.
A Windows 11 vulnerability, part of Microsoft’s Patch Tues. roundup of fixes, is being exploited in the wild, prompting the US Cybersecurity & Infrastructure Security Agency (CISA) to advise patching of the ‘elevation of privileges’ issue for Aug. 2.
This recommendation is directed at US Federal agencies & concerns CVE-2022-22047, a vulnerability that carries a CVSS score of high (7.8) & exposes Windows Client Server Runtime Subsystem (CSRSS) used in Windows 11 (& earlier versions dating back to 7) & also Windows Server 2022 (& earlier versions 2008, 2012, 2016 & 2019) to attack.
The CSRSS bug is an ‘elevation of privileges’ vulnerability that allows adversaries with a pre-established foothold on a targeted system to execute code as an unprivileged user.
When the bug was 1st reported by Microsoft’s own security team earlier this month it was classified as a zero-day, or a known bug with no patch. The patch was made available on Tues. July 5.
Researchers at FortiGuard Labs, a division of Fortinet, stated the threat the bug poses to business is “medium”. In a bulletin, researchers explain the downgraded rating because an adversary needs advanced “local” or physical access to the targeted system to exploit the bug & a patch is available.
So, an attacker who has previously gained remote access to a computer system (via malware infection) could exploit the vulnerability remotely.
“Although there is no further information on exploitation released by Microsoft, it can be surmised that an unknown remote code execution allowed for an attacker to perform lateral movement & escalate privileges on machines vulnerable to CVE-2022-22047, ultimately allowing for SYSTEM privileges,” FortiGuard Labs wrote.
Office & Adobe Documents Entry Points
While the vulnerability is being actively exploited, there are no known public proof of concept exploits in the wild that can be used to help mitigate or sometimes fuel attacks, according to a report by The Record.
“The vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target,” wrote Trend Micro’s Zero Day Initiative (ZDI) in its Patch Tues. roundup last week.
“Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system. These attacks often rely on macros, which is why so many were disheartened to hear Microsoft’s delay in blocking all Office macros by default,” wrote ZDI author Dustin Childs.
Microsoft recently outlined that it would block the use of Visual Basic for Applications (VBA) macros by default in some of its Office apps, however set no timeline enforce the policy.
CISA added the Microsoft bug to its running list of known exploited vulnerabilities on July 7 (search “CVE-2022-22047” to find the entry) & recommends simply, “apply updates per vendor instructions”.