Microsoft’s Patch Tuesday updates for the month of April have addressed a total of 128 security vulnerabilities spanning its software product portfolio, including Windows, Defender, Office, Exchange Server, Visual Studio, and Print Spooler, among others.
Microsoft has released patches for 128 security vulnerabilities for its April 2022 monthly scheduled update – ten of them rated critical (including three wormable code-execution bugs that require no user interaction to exploit).
There are also two important-rated zero-days that allow privilege escalation, including one listed as under active exploit.
The bugs in the update are found across the portfolio, including in Microsoft Windows and Windows Components, Microsoft Defender and Defender for Endpoint, Microsoft Dynamics, Microsoft Edge (Chromium-based), Exchange Server, Office and Office Components, SharePoint Server, Windows Hyper-V, DNS Server, Skype for Business, .NET and Visual Studio, Windows App Store and Windows Print Spooler Components.
The zero-day vulnerabilities resolved in this update are:
- CVE-2022-26904: This known zero-day flaw impacts the Windows User Profile Service and is described as an EoP vulnerability. The bug has been issued a CVSS severity score of 7.0 and its attack complexity is considered ‘high’, as “successful exploitation of this vulnerability requires an attacker to win a race condition,” according to Microsoft.
- CVE-2022-24521: This bug is another EoP issue found in the Windows Common Log File System Driver. Issued a CVSS score of 7.8, Microsoft says that attack complexity is low and the company has detected active exploitation, despite the flaw not being made public until now.
Two other security issues, CVE-2022-26809 and CVE-2022-24491, are also of note. These vulnerabilities, impacting Remote Procedure Call Runtime and the Windows Network File System, have earned CVSS scores of 9.8 and can be exploited to trigger RCE.
The complete list of CVEs released by Microsoft for April 2022 is here.