<div dir="ltr"><br clear="all"><div><a href="https://www.infosecurity-magazine.com/news/april-records-first-patch-tuesday/">https://www.infosecurity-magazine.com/news/april-records-first-patch-tuesday/</a><br></div><div><br></div><div><span id="gmail-docs-internal-guid-5c30ecd5-7fff-2412-3bdf-b4622cdd11c3"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Sysadmins will have a busy time ahead after Microsoft published fixes for over 100 CVEs this month, including two zero-day bugs.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">April’s Patch Tuesday saw patches released for 119 vulnerabilities in total.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">One of the two publicly disclosed prior to Tuesday was CVE-2022-24521, a bug in the Windows Common Log File System Driver (CLFS) reported by the NSA. 
Already exploited in the wild, the vulnerability has a CVSS score of 7.8 and could allow privilege escalation.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">The CLFS has previous when it comes to vulnerabilities, according to Tyler Reguly, manager of security R&D at Tripwire.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">“CLFS is a general purpose logging service that can be used by both user and kernel-mode software,” he explained.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">“Patches have been released for CLFS monthly since September 2021 with only one exception – November 2021. 
From September 2021 until today, we have seen 18 vulnerabilities patched within CLFS.”</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Also publicly disclosed was CVE-2022-26904, a bug in Windows User Profile Service that could lead to the elevation of privilege if successfully exploited.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">“Microsoft has listed the attack complexity as high given that it relies on a race condition, however exploit code is already publicly available, including in the Metasploit framework,” said Reguly.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Elsewhere, Windows Network File System (NFS) remote code execution (RCE) vulnerabilities CVE-2022-24491 and CVE-2022-24497 are worth addressing, according to Kev Breen, director of cyber threat research at Immersive Labs.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">“These could be the kind of vulnerabilities which appeal to ransomware operators as they provide the potential to expose critical data. 
It is also important for security teams to note that NFS Role is not a default configuration for Windows devices,” he explained.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Microsoft also released patches for an additional 26 CVEs in its Edge browser.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">This will be one of the last Patch Tuesday update rounds for many customers after Microsoft last week announced “Autopatch,” a new managed service designed to streamline the product update process for Windows 10/11 Enterprise E3 users.</span></p><br></span></div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><span><div dir="ltr" style="margin-left:0pt" align="left"></div></span></div></div></div>