Microsoft Patch Tuesday: July 2022

Microsoft’s July Patch Tuesday has arrived. This month’s batch of security updates contains fixes for 84 total vulnerabilities, including four criticals and one actively exploited zero-day. There are some key flaws addressed in this rollout, such as privilege escalation, remote code execution and security feature bypasses; we recommend looking into the advisories provided by Microsoft and applying the latest updates as soon as possible.

July’s instalment includes patches for some key software such as:

  • Azure Storage Library
  • Microsoft Defender for Endpoint
  • Microsoft Edge
  • Microsoft Office
  • Role: DNS Server
  • Role: Windows Hyper-V
  • Skype for Business
  • Windows Active Directory
  • Windows BitLocker
  • Windows Kernel
  • Windows Shell
  • XBox

CVE-2022-22038: Windows Remote Procedure Call Runtime Remote Code Execution Vulnerability

This critical vulnerability exists in the Windows Remote Procedure Call Runtime and could allow a remote attacker to execute arbitrary code on the target system. The CVSS metric states that complexity for this attack is high, meaning the threat actor would need to “invest time in repeated exploitation” in order to succeed.

CVE-2022-30221: Microsoft Graphics Component Remote Code Execution Vulnerability

This is another critical remote code execution vulnerability that resides in the Windows Graphics Component. To exploit this vulnerability, the target user is required to connect to a malicious RDP server where code could be executed in the context of the user. Unlike the previous flaw, attack complexity for this vulnerability is low and can be successfully exploited much easier.

CVE-2022-22029: Windows Network File System Remote Code Execution Vulnerability

CVE-2022-22039: Windows Network File System Remote Code Execution Vulnerability

The final two critical vulnerabilities both exist in Windows Network File System, and allow an attacker to remotely execute code on the target system. Exploitation for both flaws requires an unauthenticated specially crafted call to an NFS service. Attack complexity for both flaws is high, with CVE-2022-22039 requiring the attacker to win a race condition.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes:

Security update guide:

Ironshare – Security Simplified