Patch Tuesday may be heading to Valhalla this summer, but that doesn’t mean Microsoft will stop plugging holes until it does.
The April 2022 Patch Tuesday has just been released and features over 100 serious bug fixes. A total of 128 vulnerabilities have been fixed in a number of Microsoft products, including Windows, the Defender antivirus tool, Office and many others.
Of all the bugs, 10 were classified as “critical”, while the majority (115) were classified as “important”. Three are rated “moderate”. One of the flaws is publicly known and one is being actively exploited.
Escalation of privileges
The one being actively exploited is identified as CVE-2022-24521 and is an elevation of privilege vulnerability found in the Windows Common Log File System (CLFS). Discovered by researchers from the National Security Agency (NSA) and cybersecurity firm CrowdStrike, it carries a severity score of 7.8.
The publicly known one is a zero-day tracked as CVE-2022-26804. This is also an endpoint privilege escalation flaw, found in the Windows User Profile Service. It carries a severity rating of 7.0, but requires an attacker to “win a race condition” in order to exploit it.
Other notable mentions include remote code execution vulnerabilities in RPC Runtime Library, Windows Network File System, Windows Server Service, Windows SMB, and Microsoft Dynamics 365.
The company also patched 18 flaws in Windows DNS Server, including 17 remote execution flaws. Additionally, it fixed 15 holes that allowed privilege escalation in the Windows Print Spooler.
Microsoft has revealed that it will retire Patch Tuesday in the coming months, replacing it with a new Windows Autopatch service that it says will automatically keep all business computers and Office software up to date.
Customers with at least one Windows 10 or Windows 11 Enterprise E3 license will be eligible for the new service, which is expected to go live in July.
Microsoft Autopatch will divide devices into three groups, or “test rings,” to ensure that each process runs smoothly and without issue.