Last updated at Tue, 12 Jul 2022 19:40:15 GMT

Microsoft’s updates for July's Patch Tuesday fix 86 CVEs, including two vulnerabilities in their Chromium-based Edge browser that were patched earlier in the month.

One 0-day vulnerability has been patched: CVE-2022-22047 affects all currently supported versions of Microsoft’s pervasive operating system. This is an elevation-of-privilege vulnerability in the Windows Client Server Runtime Subsystem (CSRSS), a critical service that is often impersonated by malware. An attacker with an already-existing foothold can exploit this vulnerability to gain SYSTEM-level privileges. Two similar vulnerabilities in CSRSS (CVE-2022-22049 and CVE-2022-22026) were also fixed, likely as a result of Microsoft’s investigation into the in-the-wild exploitation of CVE-2022-22047.

Four critical remote code execution (RCE) vulnerabilities were fixed today. CVE-2022-22029 and CVE-2022-22039 affect network file system (NFS) servers, and CVE-2022-22038 affects the remote procedure call (RPC) runtime. Although all three of these will be relatively tricky for attackers to exploit due to the amount of sustained data that needs to be transmitted, administrators should patch sooner rather than later. CVE-2022-30221 supposedly affects the Windows Graphics Component, though Microsoft’s FAQ indicates that exploitation requires users to access a malicious RDP server.

Over a third of today’s vulnerabilities (a whopping 32 CVEs) affect their Azure Site Recovery offering. Anyone making use of this VMWare-to-Azure backup solution should be sure to upgrade to version 9.49 of the Microsoft Azure Site Recovery Unified Setup, available in Update rollup 62.

Summary charts

Summary tables

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-33676 Azure Site Recovery Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2022-33678 Azure Site Recovery Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2022-33674 Azure Site Recovery Elevation of Privilege Vulnerability No No 8.3 Yes
CVE-2022-33675 Azure Site Recovery Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-33677 Azure Site Recovery Elevation of Privilege Vulnerability No No 7.2 Yes
CVE-2022-30181 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-33641 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-33643 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-33655 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-33656 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-33657 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-33661 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-33662 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-33663 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-33665 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-33666 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-33667 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-33672 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-33673 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-33642 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.9 Yes
CVE-2022-33650 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.9 Yes
CVE-2022-33651 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.9 Yes
CVE-2022-33653 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.9 Yes
CVE-2022-33654 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.9 Yes
CVE-2022-33659 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.9 Yes
CVE-2022-33660 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.9 Yes
CVE-2022-33664 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.9 Yes
CVE-2022-33668 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.9 Yes
CVE-2022-33669 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.9 Yes
CVE-2022-33671 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.9 Yes
CVE-2022-33652 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.4 Yes
CVE-2022-33658 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.4 Yes

Azure Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-30187 Azure Storage Library Information Disclosure Vulnerability No No 4.7 Yes

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-2295 Chromium: CVE-2022-2295 Type Confusion in V8 No No N/A Yes
CVE-2022-2294 Chromium: CVE-2022-2294 Heap buffer overflow in WebRTC No No N/A Yes

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-33633 Skype for Business and Lync Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2022-33632 Microsoft Office Security Feature Bypass Vulnerability No No 4.7 Yes

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-33637 Microsoft Defender for Endpoint Tampering Vulnerability No No 6.5 Yes

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-33644 Xbox Live Save Service Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-22045 Windows.Devices.Picker.dll Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-30222 Windows Shell Remote Code Execution Vulnerability No No 8.4 Yes
CVE-2022-30216 Windows Server Service Tampering Vulnerability No No 8.8 Yes
CVE-2022-22041 Windows Print Spooler Elevation of Privilege Vulnerability No No 6.8 Yes
CVE-2022-30214 Windows DNS Server Remote Code Execution Vulnerability No No 6.6 Yes
CVE-2022-22031 Windows Credential Guard Domain-joined Public Key Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-30212 Windows Connected Devices Platform Service Information Disclosure Vulnerability No No 4.7 Yes
CVE-2022-22711 Windows BitLocker Information Disclosure Vulnerability No No 6.7 Yes
CVE-2022-22038 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-27776 HackerOne: CVE-2022-27776 Insufficiently protected credentials vulnerability might leak authentication or cookie header data No No N/A Yes
CVE-2022-30215 Active Directory Federation Services Elevation of Privilege Vulnerability No No 7.5 Yes

Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-30208 Windows Security Account Manager (SAM) Denial of Service Vulnerability No No 6.5 No
CVE-2022-30206 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-30226 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.1 Yes
CVE-2022-22022 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.1 Yes
CVE-2022-22023 Windows Portable Device Enumerator Service Security Feature Bypass Vulnerability No No 6.6 Yes
CVE-2022-22029 Windows Network File System Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-22039 Windows Network File System Remote Code Execution Vulnerability No No 7.5 Yes
CVE-2022-22028 Windows Network File System Information Disclosure Vulnerability No No 5.9 Yes
CVE-2022-30225 Windows Media Player Network Sharing Service Elevation of Privilege Vulnerability No No 7.1 Yes
CVE-2022-30211 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability No No 7.5 Yes
CVE-2022-21845 Windows Kernel Information Disclosure Vulnerability No No 4.7 Yes
CVE-2022-22025 Windows Internet Information Services Cachuri Module Denial of Service Vulnerability No No 7.5 No
CVE-2022-30209 Windows IIS Server Elevation of Privilege Vulnerability No No 7.4 Yes
CVE-2022-22042 Windows Hyper-V Information Disclosure Vulnerability No No 6.5 Yes
CVE-2022-30223 Windows Hyper-V Information Disclosure Vulnerability No No 5.7 Yes
CVE-2022-30205 Windows Group Policy Elevation of Privilege Vulnerability No No 6.6 Yes
CVE-2022-30221 Windows Graphics Component Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-22034 Windows Graphics Component Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-30213 Windows GDI+ Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-22024 Windows Fax Service Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-22027 Windows Fax Service Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-22050 Windows Fax Service Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-22043 Windows Fast FAT File System Driver Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-30220 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-22026 Windows CSRSS Elevation of Privilege Vulnerability No No 8.8 Yes
CVE-2022-22047 Windows CSRSS Elevation of Privilege Vulnerability Yes No 7.8 Yes
CVE-2022-22049 Windows CSRSS Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-30203 Windows Boot Manager Security Feature Bypass Vulnerability No No 7.4 Yes
CVE-2022-22037 Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability No No 7.5 Yes
CVE-2022-30202 Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-30224 Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-22036 Performance Counters for Windows Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-22040 Internet Information Services Dynamic Compression Module Denial of Service Vulnerability No No 7.3 Yes
CVE-2022-22048 BitLocker Security Feature Bypass Vulnerability No No 6.1 Yes
CVE-2022-23825 AMD: CVE-2022-23825 AMD CPU Branch Type Confusion No No N/A Yes
CVE-2022-23816 AMD: CVE-2022-23816 AMD CPU Branch Type Confusion No No N/A Yes

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.