Microsoft Zero-Days, Wormable Bugs Spark Concern

For April Patch Tuesday, the computing giant addressed a zero-day under active attack and several critical security vulnerabilities, including three that allow self-propagating exploits.

Microsoft has released patches for 128 security vulnerabilities for its April 2022 monthly scheduled update – ten of them rated critical (including three wormable code-execution bugs that require no user interaction to exploit).

There are also two important-rated zero-days that allow privilege escalation, including one listed as under active exploitation.

The bugs in the update are found across the portfolio, including in Microsoft Windows and Windows Components, Microsoft Defender and Defender for Endpoint, Microsoft Dynamics, Microsoft Edge (Chromium-based), Exchange Server, Office and Office Components, SharePoint Server, Windows Hyper-V, DNS Server, Skype for Business, .NET and Visual Studio, Windows App Store and Windows Print Spooler Components.

“This large volume of patches hasn’t been seen since the fall of 2020. However, this level is similar to what we saw in the first quarter of last year,” Dustin Childs, researcher at Trend Micro’s Zero Day Initiative, said in a blog breaking down the fixes.

Zero-Day Patches

The vulnerability that’s been exploited in the wild ahead of patching allows privilege escalation, and is tracked as CVE-2022-24521.

Read More: https://threatpost.com/microsoft-zero-days-wormable-bugs/179273/