ZDI: The April 2022 Security Update Review

Gandalf_The_Grey

Level 62
Thread author
Verified
Helper
Top poster
Content Creator
Well-known
Apr 24, 2016
5,113
Another Patch Tuesday is upon, and Adobe and Microsoft have released a bevy of new security updates. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for April 2022

For April, Adobe released four updates addressing 70 CVEs in Acrobat and Reader, Photoshop, After Effects, and Adobe Commerce. The update for Acrobat and Reader is by far the largest, with 62 CVEs being addressed. A total of 54 of these CVEs were reported through the ZDI program, with ZDI vulnerability analyst Mat Powell responsible for 27 of these. The more severe vulnerabilities being fixed are the Critical-Rated Use-After-Free (UAF) and Out-of-Bounds (OOB) Write bugs. These could allow an attacker to execute code on a target system if they can convince a user to open a specially crafted PDF document. There are 13 CVEs fixed in the patch for Photoshop, and all of these were reported through the ZDI program. All the vulnerabilities addressed by this patch address Critical-rated code execution bugs. Again, an attacker would need to convince a user to open a specially crafted file to gain code execution.

The update for After Effects addresses two Critical-rated CVEs that could allow for code execution. Both bugs are listed as stack-based buffer overflows. Finally, the patch for Adobe Commerce fixes a single, Critical-rated vulnerability. Adobe rates this as a CVSS 9.1, but they also point out authentication would be required to exploit this bug. They also note admin privileges are required, so the high CVSS is somewhat puzzling. Still, if you’re using Commerce, test and deploy this patch as soon as you are able.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.

Microsoft Patches for April 2022

This month, Microsoft released 128 new patches addressing CVEs in Microsoft Windows and Windows Components, Microsoft Defender and Defender for Endpoint, Microsoft Dynamics, Microsoft Edge (Chromium-based), Exchange Server, Office and Office Components, SharePoint Server, Windows Hyper-V, DNS Server, Skype for Business, .NET and Visual Studio, Windows App Store, and Windows Print Spooler Components. This is in addition to the 17 CVEs consumed from the Chromium Open-Source Software (OSS) by Microsoft Edge (Chromium-based), which brings the April total to 145 CVEs.

Of the 128 new CVEs released today, 10 are rated Critical, 115 are rated Important, and three are rated Moderate in severity. A total of six of these bugs came through the ZDI program. This large volume of patches hasn’t been seen since the fall of 2020. However, this level is similar to what we saw in the first quarter of last year.

One of the bugs patched is listed as under active exploit this month, and one other is listed as publicly known at the time of release.
The next Patch Tuesday falls on May 10, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!
 

Gandalf_The_Grey

Level 62
Thread author
Verified
Helper
Top poster
Content Creator
Well-known
Apr 24, 2016
5,113
Microsoft Windows Security Updates April 2022 overview
Microsoft has released security updates and non-security updates for client and server versions of its Windows operating system and other company products, including Microsoft Office, on the April 12, 2022 Patch Tuesday.

The updates are already available via Windows Updates, other update management products and services, and as direct downloads. Our overview assists home users and system administrators in understanding the updates and getting the information they need to update products that they use.

The guide includes direct download links, links to support websites, information about critical updates, known issues, and other bits that are important when it comes to updating.

The following Excel spreadsheet includes the released security updates for Windows and other company products. Just download it with a click on the following link: microsoft-windows-security-updates-april-2022
  • All supported client and server versions of Windows are affected by at least 4 critical security issues.
  • Windows clients with known issues: Windows 7, Windows 8.1, Windows 10 version 1607, 1809, 1909, 20H2, 21H1, 21H2, and Windows 11
  • Windows server versions with known issues: Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, and 2022
  • Other Microsoft products with security updates: .NET Framework, Azure SDK, Active Directory Domain Services, Azure Site Recovery, Microsoft Edge, LDAP, Visual Studio, Microsoft Office, and others.
  • Windows 10 version 20h2 Pro and Home are reaching end of servicing next month.
 

Sorrento

Level 5
Dec 7, 2021
219
I would be inclined before you install these updates to do an image if you can - I did an image this morning & run the updates which ran smoothly, then found out MS Edge wont start or repair - I imaged back & ran the updates again and had the same error so imaged back & paused updates - This problem may be unique or may affect others?

Edge.jpg
 

Gandalf_The_Grey

Level 62
Thread author
Verified
Helper
Top poster
Content Creator
Well-known
Apr 24, 2016
5,113
I would be inclined before you install these updates to do an image if you can - I did an image this morning & run the updates which ran smoothly, then found out MS Edge wont start or repair - I imaged back & ran the updates again and had the same error so imaged back & paused updates - This problem may be unique or may affect others?

View attachment 265811
I'm posting this from Edge with these updates installed, so it doesn't affect me.
 

Gandalf_The_Grey

Level 62
Thread author
Verified
Helper
Top poster
Content Creator
Well-known
Apr 24, 2016
5,113
Thank you, never had this issue before, I'll hang on a few days and see what transpires? :rolleyes::rolleyes:
You could try reinstalling Edge from here:
 
  • Like
Reactions: Sorrento

Sorrento

Level 5
Dec 7, 2021
219
Thanks I'll give that a try, just got some work to do then I'll attempt to sort it, thanks for your time & effort :):) I'll disable/remove all Edge extensions too the next time I run update.
 
  • Like
Reactions: Gandalf_The_Grey

MuzzMelbourne

Level 5
Mar 13, 2022
153
Last edited by a moderator: