Update May 12: This post was originally posted on May 11
The importance of patching your Windows platforms against known vulnerabilities as soon as possible has once again come up against the risk that patching itself can introduce. While the Forbes Straight Talking Cyber team always advises consumers to update as soon as possible, advice to businesses should be more cautious and dependent on their specific risk profile. This was highlighted again when reports of multiple authentication failures following installation of the May 2022 Patch Tuesday update, as spotted by Bleeping Computer, were confirmed to be under investigation by Microsoft. This follows the authentication failures caused by the November 2021 Patch Tuesday update, which resulted in an out-of-band emergency fix.
The particular issue following the May 2022 update appears to be authentication failures caused by a credential mismatch on servers used as domain controllers, where certificates are mapped to machine accounts. This is very unlikely to impact consumers, but it will affect businesses using this specific configuration.
A user in a Reddit Patch Tuesday support group found that uninstalling the KB5014001 and KB5014011 updates worked as a short-term fix. Bleeping Computer reports that although an upcoming security release will resolve the issue, in the meantime Microsoft recommends manually mapping certificates to Active Directory machine accounts. It wouldn’t surprise me if we saw a similar, and equally quick, conclusion to the one we saw in November of last year: an out-of-band emergency security release within the next week.
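The manual mapping Microsoft recommends is done by writing an explicit, strong mapping string into the computer account’s altSecurityIdentities attribute, in the X509IssuerSerialNumber form (issuer DN reversed, serial number byte-reversed). The following PowerShell is an added example, not code from the article or from Microsoft; it assumes the ActiveDirectory module is available, that the caller can write to the computer object, and that the machine certificate has been exported to a file. The account name SRV01 and the path C:\certs\SRV01.cer are placeholders.

```powershell
# Added example: explicitly map a machine certificate to its AD computer account
# using the strong X509IssuerSerialNumber format documented in KB5014754.
# Assumptions (not from the article): the ActiveDirectory module is installed,
# the caller has rights to write altSecurityIdentities, and the certificate has
# been exported to the path below. Names and paths are placeholders.
param(
    [string]$ComputerName = 'SRV01',
    [string]$CertPath     = 'C:\certs\SRV01.cer'
)
Import-Module ActiveDirectory

function ConvertTo-ReversedDn {
    # The mapping string wants the issuer DN with its RDNs in reverse order and
    # without spaces: "CN=CA, DC=contoso, DC=com" -> "DC=com,DC=contoso,CN=CA".
    # Assumes no RDN value contains an escaped comma.
    param([string]$Dn)
    $parts = @($Dn -split ',\s*')
    [array]::Reverse($parts)
    return ($parts -join ',')
}

function ConvertTo-ReversedSerial {
    # The serial number is written byte-reversed: a certificate whose serial
    # certutil shows as "2B...0012" is written as "1200...2B".
    param([string]$Hex)
    $bytes = @(for ($i = 0; $i -lt $Hex.Length; $i += 2) { $Hex.Substring($i, 2) })
    [array]::Reverse($bytes)
    return ($bytes -join '')
}

function Get-StrongCertMapping {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $issuer = ConvertTo-ReversedDn $Cert.Issuer
    $serial = ConvertTo-ReversedSerial $Cert.SerialNumber
    return "X509:<I>$issuer<SR>$serial"
}

$cert    = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
$mapping = Get-StrongCertMapping $cert
Write-Host "Mapping string: $mapping"

$account = Get-ADComputer -Identity $ComputerName -Properties altSecurityIdentities
if ($account.altSecurityIdentities -contains $mapping) {
    Write-Host "$ComputerName already carries this mapping."
} else {
    # -Add appends to the multi-valued attribute without clobbering existing mappings
    Set-ADComputer -Identity $ComputerName -Add @{ altSecurityIdentities = $mapping }
    Write-Host "Added mapping to $ComputerName."
}

# Read the attribute back to confirm the write landed
(Get-ADComputer -Identity $ComputerName -Properties altSecurityIdentities).altSecurityIdentities
```

Compare the printed mapping string against the issuer and serial shown by `certutil -dump` on the same certificate before trusting it; a wrong reversal produces a mapping that is syntactically valid but never matches, and authentication will keep failing.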
The latest batch of “Patch Tuesday” security patches for Microsoft users has just dropped, and it’s a big one. Of the 75 security issues addressed, eight are rated critical and three are zero-day vulnerabilities. Windows 10, 11 and Server users are warned that one of them is exploited in the wild, in other words already being used in attacks.
For a full list of all 75 vulnerabilities, along with their respective severity ratings and affected platforms, see the Microsoft Security Update Guide. However, here is what we know about the one for which attacks are already underway.
CVE-2022-26925
CVE-2022-26925 is the zero-day vulnerability that Microsoft confirms is already being exploited. Perhaps surprisingly, despite being actively exploited, it carries only an Important rating from Microsoft on its own; it becomes critical only if, and this is where things get a little tricky, it is chained with New Technology LAN Manager (NTLM) relay attacks.
These PetitPotam attacks, as they are called, can be used against Windows domain controllers and other servers. When the two are combined, the vulnerability’s CVSS score rises to a critical 9.8. Fortunately, this is far from a simple attack to carry out, although it is clearly possible, as the “actively exploited” label demonstrates. Windows users (Server, 7, 8.1, 10 and 11) should ensure that the update is applied as soon as possible.
What security experts say
Chris Hass, director of security at Automox, says that what this Patch Tuesday lacks in numbers (in April, over 100 vulnerabilities were disclosed), it makes up for in severity and infrastructure issues. “CVE-2022-26925, a Windows LSA spoofing vulnerability, could allow an attacker to intercept network traffic. Since Microsoft has confirmed this CVE is being exploited in the wild, system administrators should place this patch near the top of their list,” he says. More broadly, Hass says Automox recommends that all critical and exploited vulnerabilities be patched within 72 hours.
Satya Gupta, co-founder of Virsec, says that while this Patch Tuesday update includes “very concerning vulnerabilities” when each threat is considered individually, that concern remains when they are viewed in a broader context. “Consider that in April-May 2022, more than one in three vulnerabilities identified by Microsoft (1,330 or 36%) are remote code execution vulnerabilities,” he says. “That’s of course a huge opportunity for malicious actors to compromise almost any customer.”