CISA adds Windows bug to exploited list, urges agencies to patch by August 2
The Cybersecurity and Infrastructure Security Agency ordered all federal civilian agencies to patch a Windows vulnerability by August 2 after Microsoft said it had detected exploitation of the bug.
The issue – tagged as CVE-2022-22047 – carries a CVSS score of 7.8 and affects the Windows Client Server Runtime Subsystem (CSRSS) found in Windows 7, 8.1, 10 and 11, and in Windows Server 2008, 2012, 2016, 2019 and 2022.
The zero-day was among the 84 bugs included in Microsoft’s Patch Tuesday release for July.
When asked for more information about the vulnerability’s exploitation, Microsoft told The Record it “had nothing more to add.”
Nicole Hoffman, senior cyberthreat intelligence analyst at Digital Shadows, said that while there are reports of exploitation, a proof of concept has not yet been released.
Canonic Security’s Alon Rosenblum added that an exploit for the bug would only work after the attacker already has the means to execute code as an unprivileged user.
“Privilege elevation vulnerabilities are especially dangerous, as many attack scenarios rely on them as leverage to move from the initial infiltration stage to the lateral movement stage by acquiring credentials and access to network locations,” Rosenblum explained.
Elevation of privilege flaws are valuable to attackers who have already gained access to a vulnerable system with limited privileges, whether through social engineering or by exploiting a separate vulnerability, Tenable senior staff research engineer Satnam Narang told The Record.
“They could potentially gain administrative privileges by running a specially crafted application that exploits this flaw,” Narang said.
CISA added the bug to its list of known exploited vulnerabilities this week after Microsoft publicized the issue.
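Agencies bound by the KEV directive typically track deadlines by reading CISA's JSON feed rather than the press coverage. The script below is an added example, not code from CISA, Microsoft or The Record: it parses a catalog entry and computes how many days remain before a tracked CVE's remediation deadline. The JSON is a constructed sample in the shape of the real KEV feed (the field names match the feed; the CVE ID and the August 2 due date come from the article, the dateAdded value and the second placeholder entry are assumptions).

```python
"""Triage tracked CVEs against a CISA KEV catalog snapshot.

Added example, not CISA's or The Record's code. The JSON below is a
constructed sample that mirrors the field names of the real KEV feed at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
The dateAdded value and the second (placeholder) entry are assumptions.
"""
from __future__ import annotations

import json
from datetime import date

# Constructed sample catalog; only cveID and dueDate of the first entry
# are taken from the article, everything else is illustrative.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "count": 2,
  "vulnerabilities": [
    {
      "cveID": "CVE-2022-22047",
      "vendorProject": "Microsoft",
      "product": "Windows",
      "vulnerabilityName": "Windows CSRSS Privilege Escalation Vulnerability",
      "dateAdded": "2022-07-12",
      "shortDescription": "Elevation of privilege in CSRSS (sample text).",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2022-08-02"
    },
    {
      "cveID": "CVE-0000-0000",
      "vendorProject": "ExampleVendor (placeholder)",
      "product": "ExampleProduct (placeholder)",
      "vulnerabilityName": "Placeholder entry",
      "dateAdded": "2022-06-01",
      "shortDescription": "Placeholder entry for the example.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2022-06-22"
    }
  ]
}
"""

# Flag entries whose deadline is within this many days as "due_soon".
DUE_SOON_WINDOW_DAYS = 7


def load_kev(text: str) -> dict[str, dict]:
    """Parse a KEV catalog document and index its entries by CVE ID."""
    catalog = json.loads(text)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def remediation_status(entry: dict, today: date) -> tuple[str, int]:
    """Return (status, days_remaining) for one KEV entry.

    status is "overdue", "due_soon" or "open"; days_remaining is negative
    once the dueDate has passed.
    """
    due = date.fromisoformat(entry["dueDate"])
    remaining = (due - today).days
    if remaining < 0:
        return "overdue", remaining
    if remaining <= DUE_SOON_WINDOW_DAYS:
        return "due_soon", remaining
    return "open", remaining


def triage(text: str, today: date, tracked: list[str]) -> dict[str, tuple[str, int] | str]:
    """Map each tracked CVE to its deadline status, or "not_in_kev" if absent.

    A CVE missing from the catalog is not necessarily safe; it simply carries
    no federal remediation deadline yet.
    """
    entries = load_kev(text)
    result: dict[str, tuple[str, int] | str] = {}
    for cve in tracked:
        entry = entries.get(cve)
        result[cve] = remediation_status(entry, today) if entry else "not_in_kev"
    return result


if __name__ == "__main__":
    # Evaluate the sample catalog as of a fixed date so the run is reproducible.
    as_of = date(2022, 7, 15)
    for cve, status in triage(SAMPLE_KEV_JSON, as_of, ["CVE-2022-22047", "CVE-0000-0000", "CVE-9999-9999"]).items():
        print(f"{cve}: {status}")
```

Run against the live feed, the same functions work unchanged; only the JSON source differs. Keeping the evaluation date as an explicit parameter rather than calling `date.today()` inside the logic makes deadline reports reproducible and testable.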
Dustin Childs of Trend Micro’s Zero Day Initiative said it “allows an attacker to execute code as SYSTEM, provided they can execute other code on the target.”
“Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system,” Childs said, noting that it was an example of why so many security experts were dismayed by Microsoft’s recent decision to roll back a popular change that blocked Visual Basic for Applications (VBA) macros by default in a variety of Office apps.
Microsoft said its decision will be “temporary” but did not provide a timeline for when the default block will be restored.
“These attacks often rely on macros, which is why so many were disheartened to hear Microsoft’s delay in blocking all Office macros by default,” Childs said.