The Microsoft July 2022 Security Updates include patches and advisories for 84 vulnerabilities, four of those rated Critical severity and one zero-day exploited in the wild.
A remote attacker could exploit some of these vulnerabilities to take control of unpatched systems.
In all, the Microsoft security updates address vulnerabilities in the following products, features and roles:
- AMD CPU Branch
- Azure Site Recovery
- Azure Storage Library
- Microsoft Defender for Endpoint
- Microsoft Edge (Chromium-based)
- Microsoft Graphics Component
- Microsoft Office
- Open Source Software
- Role: DNS Server
- Role: Windows Fax Service
- Role: Windows Hyper-V
- Skype for Business and Microsoft Lync
- Windows Active Directory
- Windows Advanced Local Procedure Call
- Windows BitLocker
- Windows Boot Manager
- Windows Client/Server Runtime Subsystem
- Windows Connected Devices Platform Service
- Windows Credential Guard
- Windows Fast FAT Driver
- Windows Fax and Scan Service
- Windows Group Policy
- Windows IIS
- Windows Kernel
- Windows Media
- Windows Network File System
- Windows Performance Counters
- Windows Point-to-Point Tunneling Protocol
- Windows Portable Device Enumerator Service
- Windows Print Spooler Components
- Windows Remote Procedure Call Runtime
- Windows Security Account Manager
- Windows Server Service
- Windows Shell
- Windows Storage
Microsoft patched one zero-day, the Windows CSRSS Elevation of Privilege Vulnerability CVE-2022-22047 (CVSS 7.8), which affects multiple Windows server and desktop OS versions.
Microsoft confirmed “an attacker who successfully exploited this vulnerability could gain SYSTEM privileges” and “exploitation was detected.”
Moreover, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2022-22047 to its Known Exploited Vulnerabilities Catalog on July 12, 2022.
Microsoft also addressed four Critical remote code execution (RCE) vulnerabilities:
- CVE-2022-22029: Windows Network File System Remote Code Execution Vulnerability (CVSS 8.1)
- CVE-2022-22038: Remote Procedure Call Runtime Remote Code Execution Vulnerability (CVSS 8.1)
- CVE-2022-22039: Windows Network File System Remote Code Execution Vulnerability (CVSS 7.5)
- CVE-2022-30221: Windows Network File System Remote Code Execution Vulnerability (CVSS 8.8)
The NFS flaw CVE-2022-22029 is not exploitable in NFSv4.1, but does affect NFSv3. Organizations and users can also mitigate an attack by disabling NFSv3, but they need to understand that this change may affect their ecosystem and should be used only as a temporary mitigation.
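One way to apply the temporary NFSv3 mitigation described above on a Windows server, as an added example that is not taken from the original article or from Microsoft's advisory text. It assumes the Server for NFS role and its PowerShell module are installed; the function name `Disable-NfsV3Temporarily` and the backup path are hypothetical.

```powershell
# Added example: report, then optionally disable, NFSv3 on a Windows NFS server.
# Run from an elevated PowerShell session on the host that serves NFS.
function Disable-NfsV3Temporarily {
    [CmdletBinding()]
    param(
        [switch]$Apply,   # without -Apply the function only reports
        [string]$BackupPath = "$env:TEMP\nfs-config-before.xml"   # assumed location
    )

    # The NFS cmdlets ship with the Server for NFS role; stop if they are absent.
    if (-not (Get-Command Get-NfsServerConfiguration -ErrorAction SilentlyContinue)) {
        Write-Output 'Server for NFS cmdlets not found; nothing to change on this host.'
        return
    }

    $before = Get-NfsServerConfiguration
    Write-Output ("NFSv3 enabled: {0} | NFSv4.1 enabled: {1}" -f $before.EnableNFSV3, $before.EnableNFSV4)

    if (-not $before.EnableNFSV3) {
        Write-Output 'NFSv3 is already disabled.'
        return
    }

    # Clients that mounted shares through the NFSv3 MOUNT protocol lose access
    # once v3 is off, so list them before changing anything.
    $clients = @(Get-NfsMountedClient)
    Write-Output ("Clients with active NFSv3 mounts: {0}" -f $clients.Count)
    $clients

    if (-not $Apply) {
        Write-Output 'Report only. Re-run with -Apply to disable NFSv3.'
        return
    }

    # Save the current settings so the change can be reversed after patching.
    $before | Export-Clixml -Path $BackupPath

    Set-NfsServerConfiguration -EnableNFSV3 $false

    # The new setting takes effect after the NFS server restarts.
    nfsadmin server stop
    nfsadmin server start

    Write-Output ("NFSv3 enabled after change: {0}" -f (Get-NfsServerConfiguration).EnableNFSV3)
    # Rollback once the July 2022 update is installed:
    #   Set-NfsServerConfiguration -EnableNFSV3 $true
    #   nfsadmin server stop; nfsadmin server start
}
```

Running the function without `-Apply` first shows which clients still depend on NFSv3, which is the ecosystem impact to weigh before using this as a stopgap.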
As Microsoft noted in each of the advisories, none of the Critical RCEs had known exploits in the wild or were likely to be exploited.
In addition, Microsoft patched 79 other vulnerabilities rated Important in multiple products. Those issues include Denial of Service, Elevation of Privilege, Information Disclosure, RCE, Tampering, and Security Feature Bypass vulnerabilities.