Microsoft’s latest vulnerability: ‘Clear disclosure, rapid fix’

The latest Microsoft vulnerability added to CISA’s Known Exploited Vulnerabilities Catalog shows the tech giant is doing the right thing when it comes to keeping the security community informed, cybersecurity professionals said today.

The federal Cybersecurity and Infrastructure Security Agency (CISA) maintains its Known Exploited Vulnerabilities Catalog to track vulnerabilities that have been found to have been utilized by attackers as part of malicious cyber activities—and that “carry significant risk to the federal enterprise.”

The latest update to the catalog came last Friday with the addition of CVE-2022-21882, which carries a “high” severity rating of 7.0 (out of 10.0) and can be exploited to enable privilege escalation in Microsoft Windows environments. This includes multiple versions of Microsoft’s Windows 10 and Windows 11 PC operating systems, as well as Microsoft’s Windows Server 2019 and Windows Server 2022.

By exploiting the vulnerability in the Win32k.sys driver, a local attacker who is unauthenticated could achieve elevated local system or admin privileges, Microsoft said in its disclosure of the vulnerability.

‘Responsible behavior’

Privilege escalation bugs such as this “are a nuisance to any operating system, and every successful OS vendor or community prioritizes fixes for them,” said Casey Bisson, head of product and developer relations at code security vendor BluBracket.

“Microsoft’s disclosure here is exemplary of responsible behavior,” Bisson said. “If every application vendor approached the security of their apps the same way Microsoft and other OS teams have—with automated code scanning and other detection efforts, clear disclosures, and rapid fixes—we’d face far fewer security risks.”

By including the CVE-2022-21882 vulnerability in its Known Exploited Vulnerabilities Catalog, CISA directed federal agencies to update their systems with available patches.

“It appears CISA added this as due diligence, rather than because the attack is a high threat,” said Mike Parkin, an engineer at Vulcan Cyber. “Microsoft’s explanation indicates that the attack requires local access and is of high complexity, both of which reduce the likelihood of it being widely used in the wild.”

Patches are available for the vulnerability, and the patches should be deployed “as part of any organization’s standard maintenance procedure,” Parkin said.

Unlike vulnerabilities that can enable initial access to a system, this latest Microsoft vulnerability “is useful for increasing the power of marginal initial access, after it has already been achieved,” said Casey Ellis, founder and chief technology officer at Bugcrowd. “The significance of this is that it shifts the prevention focus from ‘prevent intrusion’ to ‘assume and contain intrusion.’”

Other recent vulnerability disclosures have carried a higher risk for businesses. Those include an array of 15 vulnerabilities in Cisco routers, including five with a “critical” severity rating, disclosed last week.

In late January, researchers disclosed the “PwnKit” vulnerability, which affects a widely installed Linux program—polkit’s pkexec—and can be easily exploited for local privilege escalation.