1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Microsoft just patched a whole load of new security flaws, so upd

    From TechnologyDaily@1337:1/100 to All on Wed May 11 14:15:04 2022
    Microsoft just patched a whole load of new security flaws, so update now

    Date:
    Wed, 11 May 2022 13:05:43 +0000

    Description:
    One of the vulnerabilities was being actively exploited in the wild,
    Microsoft said.

    FULL STORY ======================================================================

    This months Patch Tuesday has seen Microsoft unveil fixes to dozens of vulnerabilities, some of which are critical, and one of which is being actively exploited in the wild.

    The flaws are found in various versions of Windows, .NET and Visual Studio, Office, Exchange Server, BitLocker, Remote Desktop Client, NTFS, and the Microsoft Edge browser.

    The issue being exploited in the wild is tracked as CVE-2022-26925, and is described as a Windows LSA spoofing vulnerability. According to Microsofts security advisory , an authenticated threat actor could abuse the flaw by calling a method on the LSARPC interface and forcing the domain controller to authenticate the attacker using NTLM. It has a severity score of 8.1

    Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 . Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/10.99.

    As for the critical issues, there are five remote code execution (RCE) flaws, and two elevation of privilege (EoP) vulnerabilities. Among these is CVE-2022-26923, a critical flaw that exploits how certificates are issued, by injecting data into a certificate request. That way, the threat actor can get a certificate able to authenticate a domain controller with high privileges. In other words, the threat actor can gain admin privileges on any domain running Active Directory Certificate Services. This one has a severity score of 8.8. Denial of service, spoofing, and more

    The cumulative update also fixes 67 exploits, most of which are RCE and EoP flaws, denial of service flaws, spoofing issues, and defense bypasses.

    Given that the update addresses a couple of high-severity flaws, Windows OS admins are urged to patch their endpoints immediately.

    This is probably going to be one of the last Patch Tuesday cumulative
    updates, as Microsoft is planning on killing the practice altogether. Read more

    Microsoft is ready to kill off Patch Tuesday as we know it


    The latest Microsoft Patch Tuesday release fixes over 100 serious bugs


    This nasty Windows 10 zero-day vulnerability finally has an unofficial fix

    Last month, the company announced that it will strive to update all Windows corporate endpoints automatically, with the new scheme kicking off in July this year.

    The updates will be rolled out in three phases, to minimize the chances of bricking all of the devices found in a corporate network at once. Protect
    your devices from zero-days with the best firewalls around

    Via: ZDNet



    ======================================================================
    Link to news story: https://www.techradar.com/news/microsoft-just-patched-a-whole-load-of-new-secu rity-flaws-so-update-now/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)