By Staff Writer.
Microsoft released its first round of security patches of the year on Tuesday, January 11, 2022. The patches deal with 97 common vulnerabilities and exposures (CVEs), including six zero-day vulnerabilities, that is, flaws that were publicly known before a fix was available.
Microsoft typically releases its latest security patches on the second Tuesday of each month. The monthly event is widely known as “Patch Tuesday.” Microsoft listed nine of Tuesday’s vulnerabilities as “critical” and 88 as “important.”
Tuesday’s patches addressed 41 elevation of privilege vulnerabilities, nine security feature bypass vulnerabilities, 29 remote code execution vulnerabilities, six information disclosure vulnerabilities, nine denial of service vulnerabilities, and three spoofing vulnerabilities.
The security updates cover all client and server versions of the Windows operating system. Microsoft also released security updates for other Microsoft products, including .NET Framework, Microsoft Dynamics, Microsoft Office, Microsoft Edge, Microsoft Teams, Microsoft Windows Codecs Library, DirectX, Windows Defender, and Windows Secure Boot.
The number of patches released on Tuesday is high for a January release, which usually runs to around half that number. It is also up on the releases at the end of 2021: Microsoft shipped 67 security fixes on December’s Patch Tuesday and 55 in November.
Patches released for the zero-day vulnerabilities included fixes for CVE-2021-22947 (a remote code execution vulnerability in the open-source curl tool that Windows ships), CVE-2021-36976 (a remote code execution vulnerability in the open-source libarchive library), and CVE-2022-21919 (a Windows User Profile Service elevation of privilege vulnerability).
The other three zero-day fixes address CVE-2022-21836 (a Windows certificate spoofing vulnerability), CVE-2022-21839 (a Windows Event Tracing discretionary access control list (DACL) denial of service vulnerability), and CVE-2022-21874 (a Windows Security Center API remote code execution vulnerability).
All six had been publicly disclosed before this week’s fixes were available, but Microsoft’s advisories state that none had been seen exploited in the wild at the time of release. Separately, Satnam Narang, Staff Research Engineer at Tenable, singled out a critical bug outside that set as the one to patch first.
“Microsoft patched CVE-2022-21907, a critical remote code execution flaw in the HTTP Protocol Stack. To exploit this vulnerability, a remote, unauthenticated attacker could send a specially crafted request to a vulnerable server using the HTTP Protocol Stack,” he said.
“Microsoft warns that this vulnerability is wormable, meaning no human interaction would be required for an attack to spread from system to system. As such, organisations that utilise the HTTP Protocol Stack should prioritise patching this vulnerability as soon as possible.”
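As an added example (not code from the article, Tenable or Microsoft), the following PowerShell script answers Narang’s “organisations that utilise the HTTP Protocol Stack” question for a single host: whether the kernel HTTP driver (http.sys) is running, which URLs are currently registered with it, and whether the mitigation Microsoft’s advisory for CVE-2022-21907 describes for Windows Server 2019 and Windows 10 version 1809 applies (those builds only reach the vulnerable code if HTTP trailer support has been switched on through the EnableTrailerSupport registry value; later builds are affected by default). It assumes an elevated session on the host being checked; the “update installed since January 11” check is a heuristic, not proof that the specific cumulative update is present.

```powershell
# Added example, not code from the article, Tenable or Microsoft.
# Triage one Windows host for exposure to CVE-2022-21907 (HTTP Protocol Stack).
# Assumptions (not stated in the article): elevated session on the host;
# Windows Server 2019 / Windows 10 1809 or later.
# Fact from Microsoft's advisory for CVE-2022-21907: Server 2019 and Windows 10
# 1809 are only affected when EnableTrailerSupport is set; later builds are
# affected by default and need the January 2022 cumulative update.

function Get-HttpSysExposure {
    [CmdletBinding()]
    param()

    $paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

    # 1. Is the kernel-mode HTTP driver loaded and running? If not, nothing on
    #    this host is reachable through http.sys.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='HTTP'"
    $httpRunning = ($null -ne $drv) -and ($drv.State -eq 'Running')

    # 2. Which URLs are registered with http.sys right now? IIS, WinRM (5985/5986),
    #    WSUS, SQL Reporting Services and custom HttpListener apps all show up here.
    $listening = @()
    if ($httpRunning) {
        $listening = @((netsh http show servicestate view=requestq) |
            Select-String -Pattern '^\s*HTTPS?://' |
            ForEach-Object { $_.Line.Trim() })
    }

    # 3. The 1809 / Server 2019 mitigation: trailer support is off unless this
    #    DWORD exists and is non-zero.
    $trailer = (Get-ItemProperty -Path $paramsKey -Name EnableTrailerSupport `
                 -ErrorAction SilentlyContinue).EnableTrailerSupport
    $trailerEnabled = ($null -ne $trailer) -and ($trailer -ne 0)

    # 4. OS build decides whether the trailer check is the deciding factor.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $isRs5 = ($build -eq 17763)   # Windows 10 1809 and Windows Server 2019

    # 5. Heuristic only: any hotfix installed on or after Patch Tuesday. A
    #    definitive check needs the KB number for this exact build.
    $patchDay = [datetime]'2022-01-11'
    $recentFix = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchDay } |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    $recentId = if ($recentFix) { $recentFix.HotFixID } else { $null }

    # Exposed = stack in use, something registered, and (not RS5 or trailers on).
    $exposed = ($httpRunning -and ($listening.Count -gt 0) -and
                ((-not $isRs5) -or $trailerEnabled))

    $action = if (-not $exposed) {
        'Not reachable via http.sys; patch on the normal cycle'
    } elseif ($isRs5 -and $trailerEnabled) {
        'Delete EnableTrailerSupport as a stop-gap, then patch'
    } else {
        'Patch now: unauthenticated, wormable RCE'
    }

    [PSCustomObject]@{
        Build            = $build
        HttpSysRunning   = $httpRunning
        RegisteredUrls   = $listening
        TrailerSupport   = $trailerEnabled
        UpdateSinceJan11 = $recentId
        LikelyExposed    = $exposed
        Action           = $action
    }
}

Get-HttpSysExposure | Format-List
```

Run it per host (or wrap the function in Invoke-Command for a fleet); a host that shows HttpSysRunning true with WinRM’s wsman URL registered is reachable through the vulnerable stack even if it runs no web server.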
Tenable says three remote code execution vulnerabilities in Microsoft Exchange Server (CVE-2022-21846, CVE-2022-21969, CVE-2022-21855) were rated “exploitation more likely.”
“One of the flaws, CVE-2022-21846, was disclosed to Microsoft by the National Security Agency,” he adds.
CVE-2022-21846 is one of the three Exchange RCE bugs fixed in Tuesday’s release, and the only one rated critical. Its attack vector is rated “adjacent”, so an attacker would need a foothold on a network adjacent to the Exchange server rather than reaching it directly from the internet. From that position, however, successful exploitation could give them control of the server.
Patch Tuesday is evolving into an industry-wide event. Adobe, SAP, VMware, and Intel also released their latest security fixes this week alongside Microsoft.
Microsoft’s latest patches are available via the Microsoft Security Response Center.