- Patch Tuesday fixes the critical vulnerability, flagged as CVE-2022-22047 which exists in the Client/Server Runtime Subsystem.
- 84 vulnerabilities were addressed and 4 of them carry the highest “critical” severity rating. The remaining bugs are rated “important” in severity.
- The latest update patches 32 flaws in the Azure Site Recovery business continuity service. It is recommended for users to apply the patch as soon as possible.
Microsoft released the Patch Tuesday updates to fix at least 84 security vulnerabilities. Of these, 4 are critical which is none previously disclosed, and one is already being exploited according to Microsoft. Apart from those, the giant tech company resolved two other bugs in the Chromium-based Edge browser, one of which is another zero-day flaw that Google disclosed as being actively exploited in real-world attacks.
Microsoft July 2022 Patch Tuesday
The most important fix for this month is flagged as CVE-2022-22047 which exists in the Client/Server Runtime Subsystem (csrss.exe) and carries a CVSS severity rating of 7.8. It is the severity of privilege escalation in the Windows Client Server Runtime Subsystem (CSRSS) that could be exploited by an attacker to gain system permissions. The software giant did not provide any additional details of the live attacks outside of notification only describing exploitability as ”Exploitation Detected”.
Also, two other bugs have been fixed in the same patch, CVE-2022-22026 (CVSS score: 8.8) and CVE-2022-22049 (CVSS score: 7.8). These bugs were reported by Google Project Zero researcher Sergei Glazunov. Microsoft said in the advisory for CVE-2022-22026 ;
« A locally authenticated attacker could send specially crafted data to the local CSRSS service to elevate their privileges from AppContainer to SYSTEM. Because the AppContainer environment is considered a defensible security boundary, any process that is able to bypass the boundary is considered a change in Scope. The attacker could then execute code or access resources at a higher integrity level than that of the AppContainer execution environment. »
The latest Tuesday patch added several remote code execution bugs in Windows Network File System (CVE-2022-22029 and CVE-2022-22039), Windows Graphics (CVE-2022-30221), and Remote Procedure Call Runtime (CVE-2022-22038), and Windows Shell (CVE-2022-30222).
The latest update also patches 32 flaws in the Azure Site Recovery business continuity service helping to ensure business continuity by keeping business apps and workloads running during outages. Two of the flaws are related to remote code execution and the remaining 30 are for privilege escalation.