Microsoft’s Patch Tuesday this month addresses 74 security flaws, including seven high-risk vulnerabilities, 66 important ones, and one flagged as low severity.
Security experts noticed that at least one of the patched flaws was under active attack using public exploit code. Two other vulnerabilities are listed as having public exploit code, but no reports suggest active attacks against them.
The actively exploited vulnerability is a Windows LSA (Local Security Authority) spoofing flaw that could let unauthenticated attackers “coerce the domain controller to authenticate to the attacker using NTLM,” according to Microsoft.
The LSA flaw, tracked as CVE-2022-26925, has a CVSS severity score of 8.3. However, “the combined CVSS score would be 9.8 when this vulnerability is chained with the noted NTLM Relay Attacks on Active Directory Certificate Services (AD CS),” Microsoft says.
This month’s Patch Tuesday rollout can help users fend off this attack by detecting anonymous LSARPC connection attempts and disallowing them. System and network administrators are also advised to review the KB5005413 documentation that can help them take further steps to protect networks against NTLM Relay Attacks.
One of the bugs listed with public exploit code is a vulnerability in Azure Synapse and Azure Data Factory pipelines tracked as CVE-2022-29972. Threat actors could leverage this flaw to “perform remote command execution across IR infrastructure not limited to a single tenant.”
The other vulnerability with publicly disclosed exploit code is a Windows Hyper-V denial-of-service flaw tracked as CVE-2022-22713. However, researchers believe this bug is less likely to be exploited as it requires attackers to “win a race condition.”
To prevent attackers from exploiting these vulnerabilities and others, users should prioritize applying Microsoft’s monthly update rollout. The updates should be installed automatically on most systems, but you can also perform a manual Windows Update check and apply any recommended patches.