Security News > 2022 > April > Microsoft's huge Patch Tuesday includes fix for bug under attack
Microsoft's massive April Patch Tuesday includes one bug that has already been exploited in the wild and a second that has been publicly disclosed.
While its severity score didn't rank as high as some on today's list - it received a 7.8 CVSS score aka "Important" - Microsoft stated its attack complexity low.
Though CVE-2022-24521 has been exploited, its exploit code is not public, according to Microsoft.
This flaw, which occurs in Windows User Profile Service, received a CVSS severity score of 7.0, aka important, and Microsoft ranked its attack complexity as high because "Successful exploitation of this vulnerability requires an attacker to win a race condition." That might explain why no one's exploited it yet.
The most severe bug of the bunch is a high-severity flaw in Framework that could allow an attacker to escalate privilege with no additional execution privileges needed, according to the security advisory.
Since the Java RCE vuln was first discovered last month, it's been a race between defenders, trying to patch buggy products, and attackers attempting to exploit holes in said products and unleash all types of malware.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/04/13/microsoft_patch_tuesday/
Related news
- Microsoft March 2024 Patch Tuesday fixes 60 flaws, 18 RCE bugs (source)
- March 2024 Patch Tuesday: Microsoft fixes critical bugs in Windows Hyper-V (source)
- April 2024 Patch Tuesday forecast: New and old from Microsoft (source)
- Microsoft April 2024 Patch Tuesday fixes 150 security flaws, 67 RCEs (source)
- CISA warns of Microsoft Streaming bug exploited in malware attacks (source)
- March 2024 Patch Tuesday forecast: A popular framework updated (source)
- Week in review: Attackers use phishing emails to steal NTLM hashes, Patch Tuesday forecast (source)
- Microsoft waited 6 months to patch actively exploited admin-to-kernel vulnerability (source)
- March Patch Tuesday sees Hyper-V join the guest-host escape club (source)
- DarkGate Malware Exploited Recently Patched Microsoft Flaw in Zero-Day Attack (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-04-15 | CVE-2022-24521 | Improper Input Validation vulnerability in Microsoft products Windows Common Log File System Driver Elevation of Privilege Vulnerability | 7.8 |