{"id":19581,"date":"2022-07-12T21:20:58","date_gmt":"2022-07-13T05:20:58","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/07\/12\/news-13314\/"},"modified":"2022-07-12T21:20:58","modified_gmt":"2022-07-13T05:20:58","slug":"news-13314","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/07\/12\/news-13314\/","title":{"rendered":"July Patch Tuesday is Rich in Azure, Windows Issues"},"content":{"rendered":"

Credit to Author: Angela Gunn| Date: Wed, 13 Jul 2022 03:20:43 +0000<\/strong><\/p>\n

\n

Microsoft on Tuesday released patches for 85 vulnerabilities in six Microsoft product families. All but six of those are rated Important in severity, and once again the majority (47) affect Windows. Azure makes up the lion\u2019s share of the remainder with 34 patches in queue, with Edge, Office, Defender, and Xbox Live each receiving one update apiece. Three of the included Important-severity information-disclosure patches actually hail from third parties \u2013 two from AMD, one from HackerOne. One Important-class Elevation of Privilege issue, affecting Windows, is currently under active exploit in the wild.<\/span> One advisory, with connections to Redmond’s long-awaited Windows Autopatch function,\u00a0 is also included in this month’s collection.<\/span><\/p>\n

There are only four Critical-class vulnerabilities this month, all for Windows, all listed as less likely to be exploited. The sole issue identified as actually under exploit, CVE-2022-22047, affects Client\/Server Runtime Subsystem Service (CSRSS); it\u2019s described as an Important-class Elevation of Privilege issue of potentially low attack complexity, requiring low privileges and no user interaction, and affecting both client and server installations. As such, administrators should consider this issue to be worth addressing sooner rather than later.<\/span>\u00a0<\/span><\/p>\n

The two AMD-originated patches are both connected to the chip manufacturer’s own AMD-SB-1037<\/a> bulletin, also issued Tuesday. That bulletin addresses Retbleed<\/a>, a speculative execution attack affecting certain AMD and Intel processors. Retbleed is in turn a variation on a Spectre microarchitectural timing side-channel attack. Retbleed exploits a security defense called retponline, which was developed to counter Spectre-type attacks, but which has been known to be potentially vulnerable to this sort of attack for years. (Intel, also vulnerable, is releasing<\/a> advisory information this week as well. Microsoft’s patches today do not include that information.)<\/p>\n

Aside from the sheer volume of Azure patches, a few issues addressed in July stand out just because Black Hat is on the horizon. Among various researchers regularly reporting issues to Microsoft, Devcore\u2019s Cheng-Da \u201cOrange\u201d Tsai, who earlier this year disclosed the series of Exchange vulnerabilities that became ProxyLogon, is credited with three Important-severity IIS finds in this month\u2019s patch collection. He\u2019ll be speaking on destabilizing IIS\u2019 hash table at next month\u2019s conference.<\/span>\u00a0<\/span><\/p>\n

By the Numbers<\/strong><\/p>\n