Microsoft Patch Tuesday Fixes 128 Vulnerabilities, including NSA-Reported High-Severity Zero-Day

Microsoft’s April 2022 Patch Tuesday security updates address no less than 128 vulnerabilities, including 10 rated as critical, 115 as important, and three flagged as moderately severe.

One of the vulnerabilities addressed by this month’s Microsoft security updates, tracked as CVE-2022-24521, is an actively exploited Windows Common Log File System Driver Elevation of Privilege bug and has a CVSS score of 7.8.NSA reported this vulnerability after presumably spotting APT groups exploiting it in various attacks.

Another issue fixed by this Patch Tuesday is a Windows User Profile Service Elevation of Privilege flaw, tracked as CVE-2022-26904, with a CVSS score of 7 and listed as publicly known. Currently, this flaw is reserved, meaning that additional details may be published later.

An RPC Runtime Library Remote Code Execution vulnerability is among the most critical flaws that this month’s security update rollout from Microsoft addresses. This high-severity flaw has a CVSS score of 9.8, is tracked as CVE-2022-26809, and could let attackers execute code with high privileges on vulnerable systems remotely.

Another two high-severity NFS vulnerabilities with 9.8 CVSS scores, tracked as CVE-2022-24491and CVE-2022-24497, could allow attackers to execute code remotely, without high privileges or user interaction, on systems where the NFS role is enabled.

The Patch Tuesday security updates for April 2022 address vulnerabilities in several products, namely:

• Microsoft Windows
• Windows Components
• Microsoft Defender
• Defender for Endpoint
• Exchange Server
• SharePoint Server
• DNS Server
• Windows Hyper-V
• Microsoft Edge
• Microsoft Dynamics
• Skype for Business
• Microsoft Office
• Windows App Store
• Office Components
• .NET and Visual Studio
• Windows Print Spooler Components

Given the severity of these vulnerabilities, users should prioritize applying the security patches.