Security News > 2022 > April > Microsoft's huge Patch Tuesday includes fix for bug under attack

Microsoft's massive April Patch Tuesday includes one bug that has already been exploited in the wild and a second that has been publicly disclosed.

While its severity score didn't rank as high as some on today's list - it received a 7.8 CVSS score aka "Important" - Microsoft stated its attack complexity low.

Though CVE-2022-24521 has been exploited, its exploit code is not public, according to Microsoft.

This flaw, which occurs in Windows User Profile Service, received a CVSS severity score of 7.0, aka important, and Microsoft ranked its attack complexity as high because "Successful exploitation of this vulnerability requires an attacker to win a race condition." That might explain why no one's exploited it yet.

The most severe bug of the bunch is a high-severity flaw in Framework that could allow an attacker to escalate privilege with no additional execution privileges needed, according to the security advisory.

Since the Java RCE vuln was first discovered last month, it's been a race between defenders, trying to patch buggy products, and attackers attempting to exploit holes in said products and unleash all types of malware.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/04/13/microsoft_patch_tuesday/