Two zero-day vulnerabilities – one of which has already been publicly disclosed and, supposedly, patched twice – are among the 119 flaws fixed by Microsoft in its April 2022 Patch Tuesday update, alongside more than 20 Chromium vulnerabilities in the Edge browser.
The vulnerabilities in question are CVE-2022-24521, an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver, which is being exploited in the wild but has not been publicly disclosed; and CVE-2022-26904, an elevation of privilege vulnerability in the Windows User Profile Service, which has been publicly disclosed but is not known to be exploited. Both carry CVSS scores between seven and eight and are rated important.
As noted above, CVE-2022-26904 is of particular interest this month because it was supposed to have been fixed in the August 2021 update, when it was tracked as CVE-2021-34484. However, the researcher who discovered it later found a way around that fix, and when the flaw was patched again in January, he bypassed it a second time. It is considered tricky to exploit because the attacker has to win a race condition, which means timing the attack precisely against a narrow window in the service’s behaviour.
Across the full set of vulnerabilities, 10 are rated critical, 115 important, and three moderate, making the April update the largest seen so far in 2022. More details on some of the other most impactful vulnerabilities this month are available here.
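The practical question behind any Patch Tuesday write-up is whether a given host has actually taken the month's cumulative update. The PowerShell script below is an added example, not code from the article or from Microsoft; it uses the Windows Update Agent COM API to list updates installed on or after 12 April 2022 (the second Tuesday of April 2022, assumed here as the release date), flags whether a cumulative update is among them, reports the version of the CLFS driver named in CVE-2022-24521 for comparison against the update's file manifest, and lists anything still pending. The function names and the cut-off date are this example's own choices.

```powershell
# Added example (not from the article): has this host installed the April 2022
# Patch Tuesday cumulative update, and what is still pending?
# Assumptions: run as an elevated PowerShell session on Windows 10/11 with the
# Windows Update Agent (WUA) COM API available; 12 April 2022 is taken as the
# second Tuesday of April 2022.

$PatchTuesday = Get-Date -Year 2022 -Month 4 -Day 12 -Hour 0 -Minute 0 -Second 0

function Get-InstalledSince {
    param([Parameter(Mandatory)][datetime]$Since)
    # Walk the Windows Update history via WUA. ResultCode 2 means "Succeeded".
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return @() }
    $searcher.QueryHistory(0, $count) |
        Where-Object { $_.ResultCode -eq 2 -and $_.Date -ge $Since } |
        Select-Object Date, Title
}

function Get-PendingUpdates {
    # Applicable software updates that are not yet installed (and not hidden).
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    $result.Updates | ForEach-Object {
        [pscustomobject]@{
            Title = $_.Title
            KBs   = (@($_.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
        }
    }
}

function Get-ClfsDriverVersion {
    # The driver patched by CVE-2022-24521; compare against the April 2022
    # update's file information to confirm the fixed binary is on disk.
    $path = Join-Path $env:SystemRoot 'System32\drivers\clfs.sys'
    if (Test-Path $path) { (Get-Item $path).VersionInfo.FileVersion } else { 'not found' }
}

$installed  = Get-InstalledSince -Since $PatchTuesday
$cumulative = $installed | Where-Object { $_.Title -match 'Cumulative Update' }

if ($cumulative) {
    "Cumulative update(s) installed on or after $($PatchTuesday.ToShortDateString()):"
    $cumulative | Format-Table -AutoSize
} else {
    Write-Warning ("No cumulative update installed since {0}; this host has probably not " +
                   "received the April 2022 fixes, including CVE-2022-24521." -f
                   $PatchTuesday.ToShortDateString())
}

"clfs.sys file version: $(Get-ClfsDriverVersion)"

$pending = Get-PendingUpdates
if ($pending) {
    "Updates still pending installation:"
    $pending | Format-Table -AutoSize
} else {
    "No applicable updates pending."
}
```

The date-based check is deliberately coarse: it tells you whether the host has taken any cumulative update since the release, not which KB. For an authoritative answer, match the reported clfs.sys version against the file list published with the April 2022 update for that Windows build, or feed the pending-update list into whatever compliance reporting the estate already uses.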
While far-reaching, April’s drop may ultimately prove more notable for being one of the last Patch Tuesday updates, at least in its current form. Earlier in April, Redmond announced plans to roll out a new service called Windows Autopatch as a feature of Windows Enterprise E3 licences, covering Windows 10, Windows 11 and Windows 365. It will be available in July 2022.
“This service will automatically keep Windows and Office software up to date on enrolled devices at no additional cost. IT administrators can save time and resources to generate value. The second Tuesday of every month will be ‘just another Tuesday’,” Microsoft’s Lior Bela said.
Bela said the development of the service was driven by the growing complexity of corporate IT environments, which has dramatically increased the number of potential vulnerabilities to be patched, leading to security breaches when patches are not applied in a timely manner.
“Autopatch, by automating update management, can provide rapid response to changes and confidence around introducing new changes, and close gaps in protection and productivity,” Bela said.
“The value should be felt immediately by IT administrators, who won’t have to plan for deployment and sequencing of updates, and in the long term, as the increased bandwidth frees them up to focus on value creation. Quality updates should improve device performance and reduce support tickets. Feature updates should provide users with an optimal user experience, with increased availability and new tools to build and collaborate.”
At its core, the service will rely on a gradual rollout of patches through a series of deployment rings. The patching process will start with a small core of devices used for testing and validation before spreading more widely to the rest of the company, with additional controls called Halt, Rollback and Selectivity that come into play if something breaks.
Microsoft believes this will help improve the Autopatch service and reassure end-user security teams.
“Keeping software up to date is one of the most effective preventative measures an organization can take. Cyberattacks aren’t magic, and by patching systems quickly, organizations can reduce the available attack surface,” said Tim Erlin, vice president of strategy at Tripwire.
“Microsoft has long supported automatic updates, but this basic capability has never solved the myriad of potential large-scale patching issues. Autopatch aims to implement a more robust process for delivering updates, including staged testing and deployments.
“For organizations that were already using automatic updates, Autopatch should make their life easier. And for organizations that weren’t applying updates automatically, Autopatch should allow them to do so.”
More information about the Windows Autopatch service is available in an FAQ compiled by Microsoft.