AI Security AI安全 1d ago Updated 1d ago 更新于 1天前 49

Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attack 微软修复创纪录的622个漏洞,包括两个正在被利用的零日漏洞

Microsoft released a record-breaking 622 security updates in July, including two actively exploited zero-day vulnerabilities in SharePoint Server and Active Directory Federation Services. The update finalizes the multi-year deprecation of Kerberos RC4 encryption, requiring administrators to audit and rotate service account passwords to prevent authentication failures. SharePoint Server 2016 and 2019 reached end-of-life simultaneously with the patch, leaving self-hosted instances without extended 微软发布创纪录的622个安全更新,其中包含两个正在被利用的零日漏洞(SharePoint Server和Active Directory Federation Services)。 SharePoint Server 2016/2019同日停止支持且无付费延长支持计划,需紧急修补并启用AMSI全模式防御。 此次更新彻底移除Kerberos RC4回退开关,强制使用AES加密,管理员需先审计并轮换服务账户密码以防认证失败。 Windows平台占据416个漏洞,包括多个高危RCE;SharePoint存在未完全修复的RCE链,另一半将在8月修补。

75
Hot 热度
70
Quality 质量
65
Impact 影响力

Analysis 深度分析

TL;DR

  • Microsoft released a record-breaking 622 security updates in July, including two actively exploited zero-day vulnerabilities in SharePoint Server and Active Directory Federation Services.
  • The update finalizes the multi-year deprecation of Kerberos RC4 encryption, requiring administrators to audit and rotate service account passwords to prevent authentication failures.
  • SharePoint Server 2016 and 2019 reached end-of-life simultaneously with the patch, leaving self-hosted instances without extended support options.
  • A significant portion of the vulnerabilities involve Remote Code Execution (RCE), with 95 RCE bugs identified across the release, particularly within Windows components.
  • Severity ratings proved unreliable this cycle, with discrepancies between vendor scores and actual exploitability, such as a JWT bypass rated differently by Rapid7 and ZDI.

Why It Matters

This release highlights the critical importance of prioritizing vulnerability remediation based on active exploitation status rather than just CVSS severity scores, as demonstrated by the low-severity but actively attacked SharePoint flaw. For IT operations, the mandatory removal of the RC4 rollback switch poses a significant operational risk, necessitating immediate auditing to avoid widespread login disruptions. Additionally, the end-of-support for older SharePoint versions underscores the urgency for organizations to migrate to supported environments to maintain security compliance.

Technical Details

  • Active Zero-Days: CVE-2026-56164 allows unauthenticated privilege escalation in on-premises SharePoint Server, while CVE-2026-56155 enables local privilege escalation in Active Directory Federation Services (AD FS). Both were discovered during active incident response.
  • RC4 Deprecation: The update removes the RC4DefaultDisablementPhase rollback switch. RC4 is now disabled by default for all accounts unless explicitly configured otherwise, requiring pre-patch auditing using specific event logs to identify legacy service accounts.
  • Volume and Scope: The patch includes 416 fixes for Windows, 82 for Office, 46 for Microsoft Edge, and 27 for Developer Tools. Notable high-severity issues include a VMSwitch RCE (CVE-2026-57092) rated 9.9 and multiple DHCP RCEs.
  • SharePoint Specifics: In addition to the zero-day, CVE-2026-55040, a JWT authentication bypass disclosed by Rapid7, was patched. This bypass was part of a chain leading to unauthenticated RCE, with the RCE component itself scheduled for an August fix.
  • BitLocker Bypass: CVE-2026-50661 addresses a physical-access BitLocker bypass, continuing a trend of similar vulnerabilities like bitskrieg and YellowKey from earlier in the year.

Industry Insight

Organizations must treat the RC4 deprecation as a high-priority operational task, executing a strict audit-rotate-patch sequence to prevent service outages. Security teams should prioritize patching SharePoint and AD FS immediately due to active exploitation, regardless of official severity ratings. Furthermore, enterprises running legacy SharePoint versions must accelerate migration plans given the simultaneous end-of-support, as these systems no longer receive security updates or extended support purchases.

TL;DR

  • 微软发布创纪录的622个安全更新,其中包含两个正在被利用的零日漏洞(SharePoint Server和Active Directory Federation Services)。
  • SharePoint Server 2016/2019同日停止支持且无付费延长支持计划,需紧急修补并启用AMSI全模式防御。
  • 此次更新彻底移除Kerberos RC4回退开关,强制使用AES加密,管理员需先审计并轮换服务账户密码以防认证失败。
  • Windows平台占据416个漏洞,包括多个高危RCE;SharePoint存在未完全修复的RCE链,另一半将在8月修补。

为什么值得看

本次更新规模空前,揭示了身份验证基础设施(如AD FS和SharePoint)已成为攻击者的重点目标,即使非远程执行漏洞也可能导致严重的权限提升。同时,RC4协议的最终淘汰标志着企业网络身份验证安全基线的重大转变,操作不当将直接导致业务中断。

技术解析

  • 零日漏洞详情:CVE-2026-56164允许未经认证的远程攻击者在SharePoint Server上提权,由Mandiant和Google FLARE团队在攻击中独立发现;CVE-2026-56155涉及AD FS本地提权,由微软DART团队发现,虽标记为本地但影响令牌签名信任链。
  • SharePoint安全链:Rapid7披露了CVE-2026-55040(JWT认证绕过),与未修补的RCE漏洞结合可实现未授权远程代码执行,当前补丁仅切断链条,完整修复延至8月。
  • Kerberos RC4硬硬化:移除RC4DefaultDisablementPhase回退选项,此后仅显式配置的服务账户可使用RC4。若未提前审计并轮换密码以生成AES密钥,更新后将导致认证失败。
  • 其他高危漏洞:Windows组件包含95个RCE漏洞,最高危为VMSwitch RCE(CVE-2026-57092,评分9.9)及5个DHCP RCE;另有21个NTFS/ReFS驱动漏洞共享同一根因。

行业启示

  • 优先处理身份基础设施:企业应立即修补SharePoint和AD FS漏洞,特别是自托管SharePoint用户需关注2016/2019版本的支持终止风险,并评估迁移至受支持版本或云服务的紧迫性。
  • 严格执行变更管理流程:在应用本月更新前,必须执行RC4审计和账户密码轮换,避免因遗留系统兼容性问题引发大规模认证故障,建议先在测试环境验证。
  • 重新评估漏洞优先级:微软此次更新显示严重性评分与实际威胁脱节(如低评分的SharePoint漏洞因活跃利用而更紧急),安全团队应结合威胁情报而非仅依赖CVSS评分决定修补顺序。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全