Microsoft has released fixes for two zero-day vulnerabilities and 143 other flaws in the April 2022 Patch Tuesday updates, which include 10 Critical Remote Code Execution vulnerabilities.
Elevation of Privilege Zero Days
Microsoft’s definition of a zero-day vulnerability is one that is either publicly disclosed or actively exploited before an official fix is available.
There are two zero-day vulnerabilities fixed in this month’s Patch Tuesday:
- CVE-2022-26904 – Windows User Profile Service Elevation of Privilege
Hopefully the third time’s the charm for Microsoft to fix this actively exploited vulnerability, which can be used to gain admin privileges on Windows 10, 11 and Server editions.
- CVE-2022-24521 – Windows Common Log File System Driver Elevation of Privilege
This publicly exposed zero-day is a privilege elevation bug discovered by CrowdStrike and the NSA.
Critical RCE vulnerabilities
The notable critical Remote Code Execution vulnerabilities addressed this month are:
- CVE-2022-23259 Microsoft Dynamics 365 RCE (on-premises)
- CVE-2022-24491 and CVE-2022-24497 Windows Network File System RCE Vulnerability
- CVE-2022-24500 Windows SMB RCE
- CVE-2022-24541 Windows Server Service RCE Vulnerability
- CVE-2022-26809 Remote Procedure Call (RPC) Runtime RCE
Full details of all the April fixes are provided on Microsoft’s website.
End of Life warning for Windows 10 20H2 and 1909
May 2022 brings the end of life for several editions of Windows 10. The versions known as 20H2 and 1909 reach the end of their service life after their last update on May’s Patch Tuesday, May 10th.
Windows 10 20H2 reaches end of support for the Home, Pro, Pro Education, and Pro for Workstations editions. Enterprise, Education, and IoT Enterprise editions get one additional year, reaching their end of service on May 9, 2023.
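A quick way to spot hosts affected by this notice is to read the installed version and edition from the registry and map them to the dates above. This is an added example, not code from the original post; it assumes the DisplayVersion/ReleaseId and EditionID values under HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion and the EditionID spellings shown in the comments.

```powershell
# Added example: flag Windows 10 20H2 / 1909 hosts against the May 2022 end-of-service dates.
# Assumption: EditionID values "Enterprise", "Education" and "IoTEnterprise" are the editions
# that get the extra year on 20H2; Home reports as "Core", Pro as "Professional".
function Get-Win10ServiceEnd {
    param(
        [string]$Version,   # "20H2" or "1909" as reported by DisplayVersion / ReleaseId
        [string]$EditionId  # EditionID registry value
    )
    $longServicing = @('Enterprise', 'Education', 'IoTEnterprise')
    switch ($Version) {
        '1909' { return [datetime]'2022-05-10' }
        '20H2' {
            if ($longServicing -contains $EditionId) { return [datetime]'2023-05-09' }
            return [datetime]'2022-05-10'
        }
        default { return $null }   # not one of the versions this notice covers
    }
}

$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
# DisplayVersion exists from 20H2 onward; older builds such as 1909 only carry ReleaseId
$version = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }
$end = Get-Win10ServiceEnd -Version $version -EditionId $cv.EditionID
$host = "$env:COMPUTERNAME ($version, $($cv.EditionID))"
if ($null -eq $end) {
    "$host is not covered by the May 2022 end-of-service notice"
} elseif ((Get-Date) -ge $end) {
    "$host reached end of service on $($end.ToShortDateString()) - no further security updates"
} else {
    "$host reaches end of service on $($end.ToShortDateString())"
}
```

Run it through your endpoint management tooling or a remoting loop to build an inventory of hosts that will stop receiving security updates after the May update.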