Microsoft fixed 98 vulnerabilities in the first Patch Tuesday of 2022.
Microsoft kicked off 2022 by addressing a total of 98 security vulnerabilities as part of the January 2022 Patch Tuesday update, including 29 remote code execution (RCE) flaws and six zero-days.
Of the 98 vulnerabilities, nine carry Microsoft's "Critical" severity rating (a qualitative rating Microsoft assigns separately from the CVSS score, so "Critical" does not simply mean a score of nine or higher). Among the most serious issues fixed are two RCEs, both scored 9.8 / 10: one in the HTTP protocol stack used by Windows web servers and one in Windows Internet Key Exchange (IKE) handling.
Microsoft has published a comprehensive list of the fixed issues; the RCE flaws affect products and components such as Windows Server, Microsoft Exchange Server, SharePoint Server, the Microsoft Office suite, DirectX, Windows Remote Desktop Protocol and the Windows Resilient File System (ReFS), among others.
The most severe RCE vulnerability, tracked as CVE-2022-21849, can be exploited with "low" attack complexity, according to Microsoft's advisory: an unauthenticated attacker can trigger multiple vulnerabilities, without any user interaction, when the IPsec service is running on the target Windows system. If IKE/IPsec is not running, the vulnerable code is not reachable from the network.
Microsoft Exchange Server also received several fixes, the most serious for a critically rated RCE vulnerability tracked as CVE-2022-21846, scored 9.0 / 10 with an "adjacent" attack vector. In CVSS terms, "adjacent" means the attacker cannot reach the flaw from across the internet but must already be on a network adjacent to the server. The National Security Agency (NSA) reported this flaw to Microsoft, as it did with the Exchange Server issues that drew attention throughout 2021.
To exploit it, an attacker would first have to get into the victim's environment, for example by being on the same shared physical network (such as a Bluetooth or Wi-Fi segment) or the same local IP subnet. Microsoft notes that flaws with this attack vector are typically exploited from a man-in-the-middle position on that network, so they are most relevant where an attacker already has an internal foothold.
Microsoft Patch Tuesday is also important for Office
Microsoft also corrected several defects in the Microsoft Office suite. The most serious, CVE-2022-21840, is a single critically rated vulnerability whose fix spans 26 separate product updates. It has a CVSS score of 8.8 / 10, and an attacker could gain remote code execution on the victim's machine if the victim opens a specially crafted file.
CVE-2022-21840 is considered slightly less likely to be exploited because it requires user interaction (opening the file), but Microsoft still rates its attack complexity as "low", meaning an attacker can expect repeatable success against the vulnerable component once a victim opens the file.
Microsoft has released the updates for Windows PCs and recommends installing them, but Office for Mac users will have to wait, as those patches were not immediately available at release time.
A bug in the HTTP protocol stack (the kernel-mode http.sys driver used by IIS and other Windows components that serve HTTP), tracked as CVE-2022-21907, lets an unauthenticated attacker send specially crafted packets to an affected server. Microsoft says the flaw is potentially wormable, since exploitation needs no user interaction, and recommends patching all affected servers as a priority.
The other 9.8-rated flaw fixed this month is the Internet Key Exchange (IKE) vulnerability mentioned above (CVE-2022-21849), although the company has not disclosed full details of the problem.
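To turn the advisories above into a local check, here is an added example (not from the article, Microsoft or any vendor tooling) that triages a Windows host for the three server-side items discussed: the IKE RCE (CVE-2022-21849), the HTTP protocol stack RCE (CVE-2022-21907) and the Exchange RCE (CVE-2022-21846), plus whether any update has been installed since the 11 January 2022 Patch Tuesday. It assumes the standard Windows service names IKEEXT (IKE and AuthIP IPsec Keying Modules), the HTTP kernel driver and MSExchangeTransport, and that netsh prints registered URLs in its usual indented format. It is exposure triage only: it tells you which attack surfaces are live, not whether a specific CVE has been patched, which your patch-management system should confirm.

```powershell
# Added example (not Microsoft's or the article's code): exposure triage for the
# January 2022 Patch Tuesday items. Run in an elevated PowerShell session.
# Assumed: 11 Jan 2022 is the Patch Tuesday date; service names IKEEXT,
# HTTP (kernel driver) and MSExchangeTransport are the standard ones.

$patchTuesday = Get-Date '2022-01-11'
$findings = @()

# 1. Anything installed since Patch Tuesday? Get-HotFix reads the installed-update
#    list; nothing on or after 11 Jan 2022 means the host still needs the rollup.
$recent = Get-HotFix | Where-Object { $_.InstalledOn -ge $patchTuesday } |
          Sort-Object InstalledOn -Descending
if ($recent) {
    "Updates installed on or after $($patchTuesday.ToShortDateString()):"
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize | Out-String
} else {
    $findings += "No updates installed since $($patchTuesday.ToShortDateString()); treat host as unpatched."
}

# 2. CVE-2022-21849 (IKE RCE) is only reachable while the IPsec/IKE keying service
#    (IKEEXT) is running; IKE listens on UDP 500 (IKE) and 4500 (NAT-T).
$ike = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
if ($ike -and $ike.Status -eq 'Running') {
    $ikePorts = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
                Where-Object { $_.LocalPort -in 500, 4500 }
    if ($ikePorts) {
        $ports = ($ikePorts | ForEach-Object { $_.LocalPort } | Sort-Object -Unique) -join ', '
        $findings += "IKEEXT running and listening on UDP $ports : exposed to CVE-2022-21849 until patched."
    } else {
        $findings += "IKEEXT running (no IKE UDP listener seen): review CVE-2022-21849 exposure."
    }
}

# 3. CVE-2022-21907 (HTTP Protocol Stack RCE) lives in the kernel driver http.sys.
#    IIS is only one of its users: WinRM, WSUS and others register URLs with it too,
#    so list every registered URL rather than checking for IIS alone.
$httpDriver = Get-CimInstance Win32_SystemDriver -Filter "Name='HTTP'"
if ($httpDriver -and $httpDriver.State -eq 'Running') {
    $urls = netsh http show servicestate view=requestq verbose=no |
            Select-String -Pattern '^\s*https?://' |
            ForEach-Object { $_.Line.Trim() }
    if ($urls) {
        $findings += "http.sys has $(@($urls).Count) registered URL(s) (CVE-2022-21907 surface):"
        $findings += $urls | ForEach-Object { "    $_" }
    }
}

# 4. CVE-2022-21846 (Exchange RCE, adjacent vector): flag Exchange mailbox servers.
if (Get-Service -Name MSExchangeTransport -ErrorAction SilentlyContinue) {
    $findings += "Exchange Server detected: apply the January 2022 Exchange security update (CVE-2022-21846)."
}

if ($findings) { $findings } else { "No exposure indicators found for the items checked." }
```

Run it on a fleet through your usual remoting channel and collect the findings per host; a server with IKE listeners or a long list of http.sys URLs goes to the front of the patch queue, while one with neither can be scheduled normally. Note that check 1 only proves some update landed after Patch Tuesday, not which one, so use it as a first filter rather than as proof of remediation.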
In addition to the series of security vulnerabilities affecting Microsoft products, six zero-days (flaws that were publicly disclosed before a patch was available) have also been fixed, although there is no indication that any of them has been actively exploited:
- CVE-2022-21919 – Windows User Profile Service Elevation of Privilege Vulnerability
- CVE-2022-21836 – Windows Certificate Spoofing Vulnerability
- CVE-2022-21839 – Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability
- CVE-2022-21874 – Windows Security Center API Remote Code Execution Vulnerability
- CVE-2021-22947 – Open Source Curl Remote Code Execution Vulnerability
- CVE-2021-36976 – Libarchive Remote Code Execution Vulnerability
None of these zero-days is known to have been actively exploited, but proof-of-concept (PoC) code is publicly available for them, so organizations should prioritize patching before exploitation attempts begin.