A Windows 11 vulnerability, part of Microsoft’s Patch Tuesday roundup of fixes, is being exploited in the wild, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to advise patching of the elevation of privileges flaw by August 2.
The recommendation is directed at federal agencies and concerns CVE-2022-22047, a vulnerability with a CVSS score of 7.8 (high) that exposes the Windows Client Server Runtime Subsystem (CSRSS) to attack. CSRSS is used in Windows 11 (and earlier versions dating back to Windows 7) and in Windows Server 2022 (and the earlier 2008, 2012, 2016 and 2019 releases).
The CSRSS bug is an elevation of privileges vulnerability that allows adversaries with a pre-established foothold on a targeted system to execute code as an unprivileged user. When the bug was first reported by Microsoft’s own security team earlier this month it was classified as a zero-day, or a known bug with no patch. That patch was made available on Tuesday July 5.
Researchers at FortiGuard Labs, a division of Fortinet, said the threat the bug poses to business is “medium.” In a bulletin, the researchers attribute the downgraded rating to the fact that an adversary needs “local” or physical access to the targeted system to exploit the bug, and that a patch is available.
That said, an attacker who has previously gained remote access to a computer system (via malware infection) could exploit the vulnerability remotely.
“Although there is no further information on exploitation released by Microsoft, it can be surmised that an unknown remote code execution allowed for an attacker to perform lateral movement and escalate privileges on machines vulnerable to CVE-2022-22047, ultimately allowing for SYSTEM privileges,” FortiGuard Labs wrote.
Office and Adobe Documents Entry Points
While the vulnerability is being actively exploited, there are no known public proof-of-concept exploits in the wild, which can be used both to help defenders mitigate and, sometimes, to fuel attacks, according to a report by The Record.
“The vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target,” wrote Trend Micro’s Zero Day Initiative (ZDI) in its Patch Tuesday roundup last week.
“Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system. These attacks often rely on macros, which is why so many were disheartened to hear Microsoft’s delay in blocking all Office macros by default,” wrote ZDI author Dustin Childs.
Microsoft recently said it would block the use of Visual Basic for Applications (VBA) macros by default in some of its Office apps, but set no timeline for enforcing the policy.
CISA added the Microsoft bug to its running list of known exploited vulnerabilities on July 7 (search “CVE-2022-22047” to find the entry) and recommends simply, “apply updates per vendor instructions”.