Microsoft released its monthly round of Patch Tuesday updates to address 84 new security flaws spanning multiple product categories, including a zero-day vulnerability that’s under active attack in the wild.
Of the 84 shortcomings, four are rated Critical, and 80 are rated Important in severity. Also separately resolved by the tech giant are two other bugs in the Chromium-based Edge browser, one of which plugs another zero-day flaw that Google disclosed as being actively exploited in real-world attacks.
Top of the list of this month’s updates is CVE-2022-22047 (CVSS score: 7.8), a case of privilege escalation in the Windows Client Server Runtime Subsystem (CSRSS) that could be abused by an attacker to gain SYSTEM permissions.
“With this level of access, the attackers are able to disable local services such as Endpoint Detection and Security tools,” Kev Breen, director of cyber threat research at Immersive Labs, told The Hacker News. “With SYSTEM access they can also deploy tools like Mimikatz which can be used to recover even more admin and domain level accounts, spreading the threat quickly.”
Very little is known about the nature and scale of the attacks other than an “Exploitation Detected” assessment from Microsoft. The company’s Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) have been credited with reporting the flaw.
Besides CVE-2022-22047, two more elevation of privilege flaws have been fixed in the same component — CVE-2022-22026 (CVSS score: 8.8) and CVE-2022-22049 (CVSS score: 7.8) — that were reported by Google Project Zero researcher Sergei Glazunov.
“A locally authenticated attacker could send specially crafted data to the local CSRSS service to elevate their privileges from AppContainer to SYSTEM,” Microsoft said in an advisory for CVE-2022-22026.
“Because the AppContainer environment is considered a defensible security boundary, any process that is able to bypass the boundary is considered a change in Scope. The attacker could then execute code or access resources at a higher integrity level than that of the AppContainer execution environment.”
Also remediated by Microsoft are a number of remote code execution bugs in Windows Network File System (CVE-2022-22029 and CVE-2022-22039), Windows Graphics (CVE-2022-30221), Remote Procedure Call Runtime (CVE-2022-22038), and Windows Shell (CVE-2022-30222).
The update further stands out for patching as many as 32 issues in the Azure Site Recovery business continuity service. Two of these flaws are related to remote code execution and the remaining 30 concern privilege escalation.
“Successful exploitation […] requires an attacker to compromise admin credentials to one of the VMs associated with the configuration server,” the company said, adding the flaws do not “allow disclosure of any confidential information, but could allow an attacker to modify data that could result in the service being unavailable.”
On top of that, Microsoft’s July update also contains fixes for four privilege escalation vulnerabilities in the Windows Print Spooler module (CVE-2022-22022, CVE-2022-22041, CVE-2022-30206, and CVE-2022-30226) after a brief respite in June 2022, underscoring what appears to be a never-ending stream of flaws plaguing the technology.
Rounding off the Patch Tuesday updates are two notable fixes for tampering vulnerabilities in the Windows Server Service (CVE-2022-30216) and Microsoft Defender for Endpoint (CVE-2022-33637) and three denial-of-service (DoS) flaws in Internet Information Services (CVE-2022-22025 and CVE-2022-22040) and Security Account Manager (CVE-2022-30208).
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —
https://thehackernews.com/2022/07/microsoft-releases-fix-for-zero-day.html