Microsoft has patched a large number of security vulnerabilities this week as part of its monthly “Patch Tuesday.” The 145 vulnerabilities, a now-typical total, were dominated by privilege escalation and remote code execution (RCE) flaws, 55 and 47 respectively. Denial of service, information disclosure, and spoofing flaws accounted for most of the remainder.
The three vulnerabilities rated 9.8 are remote code execution (RCE) flaws with low attack complexity, two of which are likely to become wormable, according to the Zero Day Initiative (ZDI).
The first of the two wormable flaws is CVE-2022-26809, which could allow an attacker to execute arbitrary code on a machine with high privileges. The static port used in this exploit (TCP port 135) is often blocked at the network perimeter, according to ZDI, but it is still a very dangerous vulnerability that should be patched quickly.
The second wormable attack can be carried out through a combination of two vulnerabilities that together earn a critical rating. Both affect Windows Network File System (NFS) and are tracked as CVE-2022-24491 and CVE-2022-24497.
“On systems where the NFS role is enabled, a remote attacker could execute their code on an affected system with high privileges and without user interaction. Once again, this adds up to a wormable bug – at least between NFS servers. Like RPC, this is often blocked at the network perimeter. Microsoft provides guidance on how the RPC port multiplexer (port 2049) ‘is firewall-friendly and simplifies NFS deployment,’” ZDI says, urging IT administrators to check their installations and install patches as soon as possible.
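A defender-side triage script for the exposure described above, added here and not taken from the article, ZDI or Microsoft: it reports whether the NFS Server role is installed and whether the two ports named in the text (TCP 135 for RPC, TCP 2049 for NFS) are listening and allowed inbound by the host firewall. It assumes a Windows Server host with the ServerManager and NetSecurity modules available.

```powershell
# Added example, not from the article. Run elevated on a Windows Server host.
# Reports the host's exposure surface for the RPC (TCP 135) and NFS (TCP 2049)
# flaws named in the text; it does not test or exploit anything.
$ports = @(135, 2049)

# 1. NFS Server role: only hosts with the role are in scope for the NFS bugs.
$nfs = Get-WindowsFeature -Name FS-NFS-Service -ErrorAction SilentlyContinue
if ($nfs -and $nfs.Installed) {
    Write-Warning "NFS Server role is installed: host is in scope for CVE-2022-24491 / CVE-2022-24497"
} else {
    Write-Output "NFS Server role is not installed"
}

# 2. Which of the relevant ports are actually listening, and which process owns them.
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $ports -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess -Unique
if ($listening) {
    $listening | Format-Table -AutoSize
} else {
    Write-Output "Neither TCP 135 nor TCP 2049 is listening"
}

# 3. Enabled inbound allow rules on those ports. The host firewall is a second
#    layer behind the perimeter block ZDI mentions. Note: built-in RPC rules often
#    express port 135 as the keyword 'RPC-EPMap' rather than a number, so review
#    those separately with: Get-NetFirewallPortFilter | Where-Object LocalPort -eq 'RPC-EPMap'
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
    ForEach-Object {
        $rule = $_
        $pf = $rule | Get-NetFirewallPortFilter
        $hit = $pf.LocalPort | Where-Object { $ports -contains $_ }
        if ($pf.Protocol -eq 'TCP' -and $hit) {
            [pscustomobject]@{
                Rule      = $rule.DisplayName
                Profile   = $rule.Profile
                LocalPort = ($pf.LocalPort -join ',')
            }
        }
    } | Format-Table -AutoSize
```

A host that shows the NFS role installed, port 2049 listening and an enabled inbound allow rule for it should be prioritised for patching regardless of whether the perimeter firewall blocks the port.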
As with all security vulnerabilities, and especially those already exploited as zero-days, companies are urged to apply patches as soon as possible to avoid cyber-attacks and potential data loss. Now that these vulnerabilities are published and patched, potential attackers can analyze the fixes, reconstruct the exploitation methodology, and use it to their advantage.
Full details of this week’s round of patches can be found in the list published by Microsoft.