April Records First Patch Tuesday of 2022 with 100+ CVEs

  • Sysadmins will have a busy time ahead after Microsoft published fixes for over 100 CVEs this month, including two zero-day bugs.

    April’s Patch Tuesday saw patches released for 119 vulnerabilities in total.

    The first of the two bugs publicly disclosed prior to Tuesday was CVE-2022-24521, a vulnerability in the Windows Common Log File System Driver (CLFS) reported by the NSA. Already exploited in the wild, it has a CVSS score of 7.8 and could allow privilege escalation.

    CLFS has a track record when it comes to vulnerabilities, according to Tyler Reguly, manager of security R&D at Tripwire.

    “CLFS is a general purpose logging service that can be used by both user and kernel-mode software,” he explained.

    “Patches have been released for CLFS monthly since September 2021 with only one exception – November 2021. From September 2021 until today, we have seen 18 vulnerabilities patched within CLFS.”

    Also publicly disclosed was CVE-2022-26904, a bug in Windows User Profile Service that could lead to the elevation of privilege if successfully exploited.

    “Microsoft has listed the attack complexity as high given that it relies on a race condition; however, exploit code is already publicly available, including in the Metasploit framework,” said Reguly.

    Elsewhere, Windows Network File System (NFS) remote code execution (RCE) vulnerabilities CVE-2022-24491 and CVE-2022-24497 are worth addressing, according to Kev Breen, director of cyber threat research at Immersive Labs.

    “These could be the kind of vulnerabilities which appeal to ransomware operators as they provide the potential to expose critical data. It is also important for security teams to note that NFS Role is not a default configuration for Windows devices,” he explained.

    Microsoft also released patches for an additional 26 CVEs in its Edge browser.

    This will be one of the last Patch Tuesday update rounds for many customers after Microsoft last week announced “Autopatch,” a new managed service designed to streamline the product update process for Windows 10/11 Enterprise E3 users.