Head Nerds
Administración de parches
Seguridad

April 2022 Patch Tuesday: Are You Ready for Windows Autopatch?

April’s Patch Tuesday brings a significant increase in the number of vulnerabilities being addressed right on the heels of Microsoft’s announcement of Windows Autopatch. With 119 vulnerabilities receiving fixes, one under active exploitation, and 10 as exploitation more likely, teams responsible for patching may need a little more bandwidth this month than last to get patching done in an acceptable timeframe based on the risk profile of their environments. CVE-2022-24521 should be on the top of everyone’s prioritization list as the vulnerability under active exploitation.

We’ll talk about Microsoft’s Windows Autopatch a little further down, so don’t skip that section even if you don’t think you’ll be using it as there are some great takeaways from how it’s planned to be implemented that you can take advantage of in your own patch management workflows.

Microsoft Vulnerabilities

The small break we’ve received over the last few months with lower numbers of Microsoft vulnerabilities requiring patches appears to be over. 119 vulnerabilities in all, with one of them being actively exploited, and 10 critical. Plenty to keep you and your team occupied.

The big vulnerability of note is CVE-2022-24521 which is the zero-day under active exploitation. It is marked as Attack Complexity: Low, Privileges Required: Low, User Interaction: None, and on top of all that, it was reported by the NSA and Crowdstrike. All it’s missing is a flashing neon sign. Make sure this one finds a spot on the top of your priority list.

It’s also ‘third time’s a charm” for CVE-2022-26904 receiving another fix this month after bypasses were discovered for the original two fixes. While complexity of attack is high for this vulnerability it is still labeled as Exploitation More Likely.

Related Product

N‑sight RMM

Comience a trabajar con rapidez con un RMM diseñado para departamentos de TI y MSP pequeños.

Microsoft Patch Tuesday Vulnerability Prioritization

It is important to not just prioritize vulnerabilities based on their severity but also their exploitation likelihood. Vulnerabilities marked as Exploitation More Likely are as important, and some may say even more important, to address quickly due to their increased likelihood to cause actual impacts to an environment. These CVEs from Microsoft should be top of the list as they are all marked as Exploitation More Likely, Exploitation Detected, or Critical.

CVE

Description

Exploitability

Severity

CVE-2022-24521

Windows Common Log File System Driver Elevation of Privilege

Exploitation Detected

Important

CVE-2022-26809

Remote Procedure Call Runtime Remote Code Execution

Exploitation More Likely

Critical

CVE-2022-24547

Windows Digital Media Receiver Elevation of Privilege

Exploitation More Likely

Important

CVE-2022-24546

Windows DWM Core Library Elevation of Privilege

Exploitation More Likely

Important

CVE-2022-24542

Windows Win32k Elevation of Privilege

Exploitation More Likely

Important

CVE-2022-24491

Windows Network File System Remote Code Execution

Exploitation More Likely

Critical

CVE-2022-24481

Windows Common Log File System Driver Elevation of Privilege

Exploitation More Likely

Important

CVE-2022-26914

Win32k Elevation of Privilege

Exploitation More Likely

Important

CVE-2022-26904

Windows User Profile Service Elevation of Privilege

Exploitation More Likely

Important

CVE-2022-24474

Windows Win32k Elevation of Privilege

Exploitation More Likely

Important

CVE-2020-8927

Brotli Library Buffer Overflow

Exploitation More Likely

Important

CVE-2022-23259

Microsoft Dynamics 365 (on-premises) RCE

Exploitation Less Likely

Critical

CVE-2022-22008

Windows Hyper-V RCE

Exploitation Less Likely

Critical

CVE-2022-24537

Windows Hyper-V RCE

Exploitation Less Likely

Critical

CVE-2022-23257

Windows Hyper-V RCE

Exploitation Less Likely

Critical

CVE-2022-24497

Windows Network File System RCE

Exploitation Less Likely

Critical

CVE-2022-24528

Remote Procedure Call Runtime RCE

Exploitation Less Likely

Critical

CVE-2022-24541

Windows Server Service RCE

Exploitation Less Likely

Critical

CVE-2022-24500

Windows SMB RCE

Exploitation Less Likely

Critical

CVE-2022-26919

Windows LDAP Remote Code Execution

Exploitation Less Likely

Critical

Cumulative Updates

Windows 10 KB5012599, KB5012591, and Windows 11 KB5012592 are our cumulative updates of note this month but there’s not much to note. They include the expected security updates from previous months and some feature improvements with KB5012592 getting 26 total improvements like better toast notification UX and easier default browser selection.

Related Product

N‑central

Gestione redes de gran tamaño o ajuste la escala de las operaciones de TI con un RMM diseñado para proveedores de servicios en crecimiento.

Windows Autopatch

Microsoft is introducing a new feature to offload Windows and Microsoft 365 App updates to them as a service. This functionality is going to feel familiar to any MSP who has ever used a Patch Management solution. While many may just brush this off as Windows Autoupdate with a schedule and a price tag, it’s worth understanding how it works and more importantly what your client perception of it may be if they hear about it and have questions.

Many MSP clients will not be able to take advantage of Microsoft’s Windows Autopatch since it requires Windows 10 or Windows 11 Enterprise E3 license or above. There is value, though, in taking a look at its deployment and testing rings and copying that philosophy into your own patch management processes if you don’t already have lab vs production testing workflows in place.  Check out the Microsoft article about Windows Autopatch and their FAQ to learn more.

Summary

Make sure you have the basics covered. Even with all the new cybersecurity concerns you and your clients are facing, there isn’t anything you should be doing tomorrow that you shouldn’t have already been doing yesterday. Following the NIST Cybersecurity Framework, CIS 18 Controls, or other collection of recognized security controls to help guide you.

As always make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity consider including prioritization of patches for Zero-Days, Exploitation Detected, and Exploitation More Likely vulnerabilities in your Patch Management routines.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd

© N‑able Solutions ULC y N‑able Technologies Ltd. Todos los derechos reservados.

Este documento solo se proporciona con fines informativos. No debe utilizarse para obtener orientación legal. N‑able no ofrece ninguna garantía, implícita o explícita, ni asume ninguna responsabilidad legal o jurídica por la exactitud, integridad o utilidad de cualquier información contenida en este documento.

N-ABLE, N-CENTRAL y otras marcas comerciales y logotipos de N‑able son propiedad exclusiva de N‑able Solutions ULC y N‑able Technologies Ltd., y pueden ser marcas sujetas al derecho anglosajón, estar registradas o pendientes de registro en la Oficina de Patentes y Marcas de Estados Unidos o en otros países. El resto de marcas comerciales mencionadas en este documento solo se utilizan con fines de identificación y son marcas comerciales (o marcas comerciales registradas) de sus respectivas empresas.