page = krebs on security – in-depth security news and …
url = https://krebsonsecurity.com
Microsoft on Tuesday released software updates to plug at least 70 security holes in its Windows operating systems and related software. For the second month running, there are no scary zero-day threats looming for Windows users, and relatively few “critical” fixes. And yet we know from experience that attackers are already trying to work out how to turn these patches into a roadmap for exploiting the flaws they fix. Here’s a look at the security weaknesses Microsoft says are most likely to be targeted first.
Greg Wiseman, product manager at Rapid7, notes that three vulnerabilities fixed this month have been previously disclosed, potentially giving attackers a head start in working out how to exploit them. Those include remote code execution bugs CVE-2022-24512, affecting .NET and Visual Studio, and CVE-2022-21990, affecting Remote Desktop Client. CVE-2022-24459 is a vulnerability in the Windows Fax and Scan service. All three publicly disclosed vulnerabilities are rated “Important” by Microsoft.
Just three of the fixes this month earned Microsoft’s most-dire “Critical” rating, which Redmond assigns to bugs that can be exploited to remotely compromise a Windows PC with little to no help from users. Two of those critical flaws involve Windows video codecs. Perhaps the most concerning critical bug quashed this month is CVE-2022-23277, a remote code execution flaw affecting Microsoft Exchange Server.
“Thankfully, this is a post-authentication vulnerability, meaning attackers need credentials to exploit it,” Wiseman said. “Although passwords can be obtained via phishing and other means, this one shouldn’t be as rampantly exploited as the deluge of Exchange vulnerabilities we saw throughout 2021 . Exchange administrators should still patch as soon as reasonably possible.”
CVE-2022-24508 is a remote code execution bug affecting Windows SMBv3, the technology that handles file sharing in Windows environments.
“This has potential for widespread exploitation, assuming an attacker can put together a suitable exploit,” Wiseman said. “Luckily, like this month’s Exchange vulnerabilities, this, too, requires authentication.”