The Cybersecurity and Infrastructure Security Agency has ordered all federal civilian agencies to patch a Windows vulnerability by August 2 after Microsoft said it had detected exploitation of the bug.
The issue – tracked as CVE-2022-22047 – carries a CVSS score of 7.8 and affects the Windows Client Server Runtime Subsystem (CSRSS) found in Windows 7, 8.1, 10, 11, and Windows Server 2008, 2012, 2016, 2019 and 2022.
The zero-day was among 84 bugs included in Microsoft’s Patch Tuesday release for July.
Asked for more information about the exploitation of the vulnerability, Microsoft told The Record that it “didn’t have anything more to add.”
Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows, said that while there are reports of exploits, a proof of concept has yet to be released.
Canonic Security’s Alon Rosenblum added that an exploit for the bug would only work if the attacker already had the means to run code as an unprivileged user.
“Elevation of privilege vulnerabilities are particularly dangerous because many attack scenarios rely on them as leverage to move from the initial infiltration phase to the lateral movement phase by acquiring credentials and access to locations of the network,” Rosenblum explained.
Elevation of privilege flaws are valuable for attackers who have already gained access to a vulnerable system by other means, including social engineering or exploiting a separate vulnerability, but whose privileges are still limited, Satnam Narang, research engineer at Tenable, told The Record.
“They could potentially gain administrative privileges by running a specially crafted application that exploits this flaw,” Narang said.
CISA added the bug to its list of known exploited vulnerabilities this week after Microsoft made the issue public.
Dustin Childs of Trend Micro’s Zero Day Initiative said this “allows an attacker to execute code as SYSTEM, provided they can execute other code on the target.”
“Bugs of this type are usually associated with a bug executing code, usually a specially crafted Office or Adobe document, to take control of a system,” Childs said, noting that this is why so many security experts were appalled by Microsoft’s recent decision to roll back a change that blocked Visual Basic for Applications (VBA) macros by default in various Office applications.
Microsoft said its decision would be “temporary” but did not provide a timeline for when the block will be restored.
“These attacks often rely on macros, which is why so many people were disheartened to hear of Microsoft’s delay in blocking all Office macros by default,” Childs said.