Patch Tuesday April 2022 – Microsoft Releases Fixes for 26 Vulnerabilities, Including 5 Rated as Important
March Highlights in Vulnerabilities. Full List of Fixes.
During the April Patch Tuesday bout, Microsoft has released a total number of 26 fixes for common and less common vulnerabilities. Microsoft has also addressed five vulnerabilities that were labeled as important.
Patch Tuesday April 2022 Roundup
April’s Patch Tuesday has brought us numerous improvements and fixes for issues associated with Microsoft’s Chromium-based Edge browser. To name a few, we have fixes for Type Confusion in tV7, Heap Buffer Overflow in WebUI, Use-after-Free in Shopping Cart, Use-after-free in Tab Strip, and User-after-free in Extensions. The full list of fixes can be found below.
April Highlights in Vulnerabilities. Full List of Fixes.
As mentioned, below you’ll find the redacted list of security and non-security vulnerabilities. All the items on the list have been marked as fixes.
| CVE Number | Name of Vulnerability |
|---|---|
| CVE-2022-1125 | Chromium: CVE-2022-1125 Use after free in Portals |
| CVE-2022-1127 | Chromium: CVE-2022-1127 Use after free in QR Code Generator |
| CVE-2022-1128 | Chromium: CVE-2022-1128 Inappropriate implementation in Web Share API |
| CVE-2022-1129 | Chromium: CVE-2022-1129 Inappropriate implementation in Full-Screen Mode |
| CVE-2022-1130 | Chromium: CVE-2022-1130 Insufficient validation of untrusted input in WebOTP |
| CVE-2022-1131 | Chromium: CVE-2022-1131 Use after free in Cast UI |
CVE-2022-1133 | Chromium: CVE-2022-1133 Use after free in WebRTC |
| CVE-2022-1134 | Chromium: CVE-2022-1134 Type Confusion in V8 |
| CVE-2022-1135 | Chromium: CVE-2022-1135 Use after free in Shopping Cart |
| CVE-2022-1136 | Chromium: CVE-2022-1136 Use after free in Tab Strip |
| CVE-2022-1137 | Chromium: CVE-2022-1137 Inappropriate implementation in Extensions |
| CVE-2022-1138 | Chromium: CVE-2022-1138 Inappropriate implementation in Web Cursor |
| CVE-2022-1139 | Chromium: CVE-2022-1139 Inappropriate implementation in Background Fetch API |
| CVE-2022-1143 | Chromium: CVE-2022-1143 Heap buffer overflow in WebUI |
| CVE-2022-1145 | Chromium: CVE-2022-1145 Use after free in Extensions |
| CVE-2022-1146 | Chromium: CVE-2022-1146 Inappropriate implementation in Resource Timing |
| CVE-2022-1232 | Chromium: CVE-2022-1232 Type Confusion in V8 |
| CVE-2022-24475 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
| CVE-2022-24523 | Microsoft Edge (Chromium-based) Spoofing Vulnerability |
| CVE-2022-26891 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
| CVE-2022-26894 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
| CVE-2022-26895 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
| CVE-2022-26900 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
| CVE-2022-26908 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
| CVE-2022-26909 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
| CVE-2022-26912 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
Highlights
CVE-2022-24475 – Elevation of Privilege Vulnerability
An undisclosed defect in Microsoft’s Chromium-based Edge might allow a threat actor to remotely obtain higher privileges. The CVE, which received a Max Severity score of Important, has been fixed. CVE-2022-24475 affected machines running Chromium Version 100.0.4896.60 or lower.
CVE-2022-24523 – Spoofing Vulnerability
A defective Microsoft Edge component might allow a threat actor to run arbitrary code or obtain higher privileges by passing along forged packages to the user. The issue was labeled as fixed.
CVE-2022-26891 – Elevation of Privilege Vulnerability
A bugged component can be leveraged by a threat actor in order to obtain higher local machine privileges. The issue was fixed.
Cybersecurity Advice & Parting Thoughts
That’s about it for Patch Tuesday April. As usual, here’re some of the things you may want to try out in order to increase your company’s cybersecurity posture.
- Automatic patching. Why bother patching manually when you can have a solution that takes care of that for you? Heimdal™ Patch & Asset Management can help you deploy any patch, update, or hotfix regardless of its 3rd party, Windows- or Linux-specific, proprietary or optional.
- Fake updates. Be careful around popups or emails notifying you about missing (security) updates. Clicking on them can make your machine come down with a case of ransomware, spyware, and other kinds of ‘-wares’.
- Prioritizing your updates. As far as updating’s concerned, there’s only one rule – critical and security updates first, followed by drivers, feature packs, tools, and updates. Don’t mix them up.
Additional resources:
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.