Microsoft released its monthly security update Tuesday, disclosing more than 80 vulnerabilities in the company’s various software, hardware and firmware offerings, including one that’s actively being exploited in the wild.

July's security update features three critical vulnerabilities, up from one last month, still lower than Microsoft’s average in a Patch Tuesday. All the other vulnerabilities fixed are considered “important.”

All three critical vulnerabilities allow remote code execution on Microsoft Windows systems, and Microsoft rates exploitation of each of them (CVE-2022-22029, CVE-2022-22038 and CVE-2022-22039) as less likely. CVE-2022-22029 could be exploited over the network by sending an unauthenticated, specially crafted call to the Windows Network File System (NFS) service. However, according to Microsoft, it has high attack complexity and would require repeated exploitation attempts through sending constant or intermittent data.

Another critical vulnerability, CVE-2022-22038, is also considered more difficult to exploit because it requires additional, undisclosed preparation of the target environment by the attacker before exploitation can succeed.

CVE-2022-22039 is another remote code execution flaw in the Windows Network File System that requires the attacker to win a race condition, which makes successful exploitation less likely.
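Because all three NFS bugs above are reachable only where the Windows NFS server role is installed and listening, the first question for a defender is which hosts are actually exposed. The following PowerShell script is an added example (it is not from the Talos post or from Microsoft) that reports, for the host it runs on, whether the NFS server role is installed, whether anything is listening on the NFS port 2049, which NFS protocol versions are enabled, and whether a given cumulative update is present. The `$JulyKb` parameter is a placeholder: the KB number for the July 2022 update for your OS build is not on this page and must be taken from the Microsoft advisory.

```powershell
# Added example, not code from the Talos post or from Microsoft.
# Run elevated on a Windows Server host. Requires the ServerManager module
# (Get-WindowsFeature) and, if the NFS role is present, the NFS module.
param(
    # Placeholder: replace with the July 2022 cumulative update KB for this OS build.
    [string]$JulyKb = "KB0000000"
)

# Is the Server for NFS role installed at all?
$roleInstalled = $false
$feature = Get-WindowsFeature -Name FS-NFS-Service -ErrorAction SilentlyContinue
if ($feature) { $roleInstalled = [bool]$feature.Installed }

# An NFS server listens on port 2049; a listener means the unauthenticated
# network vector described for CVE-2022-22029 / CVE-2022-22039 applies here.
$tcpListener = Get-NetTCPConnection -LocalPort 2049 -State Listen -ErrorAction SilentlyContinue
$udpListener = Get-NetUDPEndpoint  -LocalPort 2049 -ErrorAction SilentlyContinue
$listening   = [bool]($tcpListener -or $udpListener)

# Which protocol versions are enabled (only meaningful when the role is installed).
$nfsCfg = $null
if ($roleInstalled) {
    $nfsCfg = Get-NfsServerConfiguration -ErrorAction SilentlyContinue
}

# Is the cumulative update that carries the fix installed?
$patched = [bool](Get-HotFix -Id $JulyKb -ErrorAction SilentlyContinue)

[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    NfsRoleInstalled    = $roleInstalled
    NfsListening2049    = $listening
    NfsV3Enabled        = if ($nfsCfg) { $nfsCfg.EnableNFSV3 } else { $null }
    NfsV4Enabled        = if ($nfsCfg) { $nfsCfg.EnableNFSV4 } else { $null }
    UpdateInstalled     = $patched
    # Exposed: role present, service reachable, fix not yet applied.
    Exposed             = ($roleInstalled -and $listening -and -not $patched)
}
```

Run it across a fleet with `Invoke-Command -ComputerName <list> -FilePath .\nfs-exposure.ps1 -ArgumentList '<KB>'` and sort on the `Exposed` column; hosts with the role installed but nothing listening are lower priority than those that answer on 2049.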

Microsoft Azure Batch Node Agent contains a remote code execution vulnerability, CVE-2022-33646, which Microsoft considers more likely to be exploited. However, its attack vector is identified as local, which reduces its severity. Note that mitigating this vulnerability requires users to follow Microsoft's recommended best practices and periodically resize their Azure Batch node pools to zero, so that the nodes are recreated with the latest version of the agent.
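The resize-to-zero mitigation above is easy to describe and easy to get wrong in practice: a resize is asynchronous, pools under autoscale reject manual resizes, and the original pool size has to be restored afterwards. The following PowerShell script is an added example (not Microsoft's or Talos' code) that drives the Azure CLI to list each pool's current node agent versions, scale every dedicated pool to zero, wait for the pool to settle, and scale it back to its previous size. It assumes the Azure CLI is installed and `az login` has already been done; `$AccountName` and `$ResourceGroup` are placeholders for your Batch account.

```powershell
# Added example, not code from Microsoft or from the Talos post.
# Cycles every manually sized Azure Batch pool through zero dedicated nodes so that
# replacement nodes boot with the current Batch Node Agent. Assumes the Azure CLI
# ('az') is on PATH and 'az login' has been run; account and group are placeholders.
param(
    [Parameter(Mandatory)][string]$AccountName,
    [Parameter(Mandatory)][string]$ResourceGroup
)

# Authenticate the Batch data-plane commands against the account.
az batch account login --name $AccountName --resource-group $ResourceGroup | Out-Null

function Wait-PoolSteady([string]$PoolId) {
    # Resize is asynchronous; poll until the pool leaves the 'resizing' state.
    do {
        Start-Sleep -Seconds 15
        $state = az batch pool show --pool-id $PoolId --query allocationState -o tsv
    } while ($state -ne "steady")
}

$pools = az batch pool list -o json | ConvertFrom-Json
foreach ($pool in $pools) {
    # Report which agent versions are currently running in the pool.
    $nodes    = az batch node list --pool-id $pool.id -o json | ConvertFrom-Json
    $versions = @($nodes | ForEach-Object { $_.nodeAgentInfo.version } | Sort-Object -Unique)
    Write-Host ("{0}: {1} dedicated node(s), agent version(s): {2}" -f `
        $pool.id, $pool.currentDedicatedNodes, ($versions -join ", "))

    if ($pool.enableAutoScale) {
        # Autoscaled pools cannot be resized by hand; adjust the formula instead.
        Write-Warning "$($pool.id): autoscale enabled, skipping manual resize"
        continue
    }

    $target = [int]$pool.targetDedicatedNodes
    if ($target -le 0) { continue }

    # Scale to zero so every node is deallocated, wait, then restore the old size.
    # Nodes created afterwards start with whatever agent version Batch now ships.
    az batch pool resize --pool-id $pool.id --target-dedicated-nodes 0 | Out-Null
    Wait-PoolSteady $pool.id
    az batch pool resize --pool-id $pool.id --target-dedicated-nodes $target | Out-Null
    Wait-PoolSteady $pool.id
    Write-Host "$($pool.id): recycled to $target dedicated node(s)"
}
```

Low-priority (spot) nodes are not touched by this script; pass `--target-low-priority-nodes` to the same `az batch pool resize` calls if your pools use them. Run it in a maintenance window, since scaling to zero terminates any tasks still executing on the pool.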

Of the vulnerabilities considered “important” and not critical, CVE-2022-22047 is worth special notice, as it is a local privilege escalation vulnerability reported as being actively exploited in the wild.

Talos would also like to highlight the following important vulnerabilities that Microsoft considers "more likely" to be exploited:

  • CVE-2022-30202 — Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability
  • CVE-2022-30215 — Active Directory Federation Services Elevation of Privilege Vulnerability
  • CVE-2022-30216 — Windows Server Service Tampering Vulnerability
  • CVE-2022-30220 — Windows Common Log File System Driver Elevation of Privilege Vulnerability
  • CVE-2022-22034 — Windows Graphics Component Elevation of Privilege Vulnerability

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The Snort 2 rules included in this release that protect against the exploitation of many of these vulnerabilities are 60191, 60192, 60198, 60199, 60201, 60202, 60206, 60207, 60213 and 60214. Additionally, users can deploy Snort 3 rules 300215 and 300216.