Microsoft Kicks Off 2022 With 96 Security Patches

Published: 23/11/2024   Category: security




Nine of the Microsoft patches released today are classified as Critical, 89 are Important, and six are publicly known.



Microsoft today released its first Patch Tuesday rollout of 2022, which brought fixes for 96 CVEs. Nine of the vulnerabilities are rated Critical and six are publicly known, though none are listed as under active attack.
The products affected in this month's release include Microsoft Windows, the Edge browser (Chromium-based), Exchange Server, Microsoft Office, Microsoft Dynamics, .NET Framework, Open-Source Software, Windows Defender, Windows Hyper-V, and Remote Desktop Protocol.
This is an unusually large rollout for Microsoft's first Patch Tuesday of the year, noted Dustin Childs of Trend Micro's Zero-Day Initiative in a blog post on today's patches. Over the last few years, the average number of patches released in January has been about half this volume, he noted. It's also a notable change from the smaller update releases that occurred toward the end of 2021.
In today's release are a few vulnerabilities worth prioritizing and paying close attention to. One of these is CVE-2022-21907, an HTTP Protocol Stack remote code execution (RCE) flaw that an attacker could exploit by sending a specially crafted packet to a target server that uses the HTTP Protocol Stack (http.sys) to process packets. Microsoft says the vulnerability is wormable.
The CVE targets the HTTP trailer support feature, which allows a sender to include additional fields in a message to supply metadata, by providing a specially crafted message that can lead to remote code execution, says Danny Kim, principal architect at Virsec. An attack requires low complexity, no privileges, and no user interaction to work. Users are advised to patch quickly.
Also significant are the three remote code execution vulnerabilities patched in Microsoft Exchange Server: CVE-2022-21846, which is considered Critical, and CVE-2022-21969 and CVE-2022-21855, both of which are categorized as Important. All three vulnerabilities require low complexity, no privileges, and no user interaction to exploit. Microsoft classifies them all as "exploitation more likely."
NSA Reports One
One of these flaws (CVE-2022-21846) was disclosed to Microsoft by the National Security Agency. While it has a high CVSS score of 9.0, Microsoft noted this issue has an adjacent attack vector, meaning it cannot be exploited across the Internet but instead needs something specific tied to the target, such as the same shared physical network or logical network. This means it would require more effort for the attacker, unlike the ProxyLogon or ProxyShell bugs.
One critical vulnerability worth a closer look is CVE-2022-21840, a Critical RCE flaw in Microsoft Office that requires low complexity and no privileges. The Preview Pane is not an attack vector here, Microsoft notes, but an exploit does require user interaction. In an email attack scenario, an adversary could send a specially crafted file to a victim and convince them to open it. In a Web-based scenario, the attacker could host a website (or use a compromised website that accepts or hosts user-provided content) that contains a specially crafted file to exploit the bug.
Organizations running Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 will unfortunately have to wait for an update, as patches are not yet available for these. Microsoft says customers will be notified via CVE revision when they are made available.
The six publicly known issues patched today include an open source curl RCE vulnerability (CVE-2021-22947) and a Libarchive RCE vulnerability (CVE-2021-36976), both of which had their CVE previously released by a third party and are now being incorporated into Microsoft products.
Also publicly known are a Windows certificate spoofing vulnerability (CVE-2022-21836), a Windows Security Center API RCE vulnerability (CVE-2022-21874), a Windows user profile service elevation of privilege flaw (CVE-2022-21919), and a Windows event tracing discretionary access control list denial-of-service vulnerability (CVE-2022-21839).
