Microsoft today released its first Patch Tuesday rollout of 2022, which brought fixes for 96 CVEs. Nine of the vulnerabilities are rated Critical and six are publicly known, though none are listed as under active attack.
The products affected in this month's release include Microsoft Windows, the Edge browser (Chromium-based), Exchange Server, Microsoft Office, Microsoft Dynamics, .NET Framework, Open-Source Software, Windows Defender, Windows Hyper-V, and Remote Desktop Protocol.
This is an "unusually large" rollout for Microsoft's first Patch Tuesday of the year, noted Dustin Childs of Trend Micro's Zero-Day Initiative in a blog post on today's patches. "Over the last few years, the average number of patches released in January is about half this volume," he noted. It's also a notable change from smaller update releases that occurred toward the end of 2021.
In today's release are a few vulnerabilities worth prioritizing and paying close attention to. One of these is CVE-2022-21907, a remote code execution (RCE) flaw in the HTTP Protocol Stack that an attacker could exploit by sending a specially crafted packet to a target server that uses the HTTP Protocol Stack (http.sys) to process packets. Microsoft says the vulnerability is wormable.
"The CVE targets the HTTP trailer support feature, which allows a sender to include additional fields in a message to supply metadata, by providing a specially crafted message that can lead to remote code execution," says Danny Kim, principal architect at Virsec. An attack requires low complexity, no privileges, and no user interaction to work. Users are advised to patch quickly.
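To make the trailer feature mentioned above concrete, here is an added example (not from the article, Microsoft, or Virsec) of a small HTTP/1.1 chunked-body parser that decodes the body and surfaces any trailer fields, plus an audit routine of the kind a reverse proxy or log pipeline could run to record which requests carry trailers while http.sys hosts are being patched. The request bytes are constructed for the example and the function names are the author's own; the forbidden-field list follows RFC 7230 section 4.1.2. Nothing here builds or sends a malicious message; it only parses and reports.

```python
"""Parse HTTP/1.1 chunked bodies and report trailer fields (added example)."""
import re

# Fields RFC 7230 section 4.1.2 says a sender MUST NOT place in a trailer.
# A gateway that honoured them after the body could disagree with its upstream
# about message framing, so they are worth flagging in telemetry.
FORBIDDEN_TRAILER_FIELDS = {
    "transfer-encoding", "content-length", "host", "trailer",
    "content-encoding", "content-type", "content-range", "authorization",
    "cache-control", "expect", "max-forwards", "pragma", "range", "te",
    "www-authenticate", "proxy-authenticate", "proxy-authorization",
}


def parse_headers(block: bytes) -> dict:
    """Turn 'Name: value' lines into a dict with lower-cased names."""
    fields = {}
    for line in block.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        fields[name.strip().decode("ascii").lower()] = value.strip().decode("ascii")
    return fields


def decode_chunked(stream: bytes):
    """Return (decoded_body, trailer_fields); raise ValueError on malformed input."""
    body = bytearray()
    pos = 0
    while True:
        eol = stream.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size_line = stream[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_line):
            raise ValueError(f"bad chunk size: {size_line!r}")
        size = int(size_line, 16)
        pos = eol + 2
        if size == 0:  # last-chunk; the trailer section follows
            break
        chunk = stream[pos:pos + size]
        if len(chunk) != size or stream[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data shorter than declared size")
        body += chunk
        pos += size + 2
    rest = stream[pos:]
    if rest == b"\r\n":  # no trailers, just the terminating empty line
        return bytes(body), {}
    end = rest.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("trailer section not terminated by empty line")
    return bytes(body), parse_headers(rest[:end])


def parse_request(raw: bytes) -> dict:
    """Split a raw request into request line, headers, decoded body and trailers."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    request_line, _, header_block = head.partition(b"\r\n")
    headers = parse_headers(header_block)
    trailers = {}
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body, trailers = decode_chunked(body)
    return {"request_line": request_line.decode("ascii"), "headers": headers,
            "body": body, "trailers": trailers}


def audit_trailers(parsed: dict) -> list:
    """Defender-side findings about trailer usage, suitable for a gateway log."""
    findings = []
    trailers = parsed["trailers"]
    if not trailers:
        return findings
    findings.append(f"request carries {len(trailers)} trailer field(s): {sorted(trailers)}")
    declared = {n.strip().lower() for n in parsed["headers"].get("trailer", "").split(",") if n.strip()}
    undeclared = sorted(set(trailers) - declared)
    if undeclared:
        findings.append(f"trailer fields not announced in Trailer header: {undeclared}")
    forbidden = sorted(set(trailers) & FORBIDDEN_TRAILER_FIELDS)
    if forbidden:
        findings.append(f"fields RFC 7230 forbids in trailers: {forbidden}")
    return findings


# Constructed sample request (not captured traffic): two chunks, then trailers.
SAMPLE_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: files.example.internal\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Trailer: X-Checksum\r\n"
    b"\r\n"
    b"4\r\nWiki\r\n"
    b"5;ext=ignored\r\npedia\r\n"
    b"0\r\n"
    b"X-Checksum: 4f2a\r\n"
    b"Content-Length: 9\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    parsed = parse_request(SAMPLE_REQUEST)
    print(parsed["body"], parsed["trailers"])
    for finding in audit_trailers(parsed):
        print("finding:", finding)
```

Run as a script it decodes the sample body to `Wikipedia`, lists the two trailer fields, and reports that `Content-Length` was neither announced in the `Trailer` header nor permitted in a trailer at all. The parser refuses truncated or non-hex chunk sizes rather than guessing, which is the behaviour you want at a boundary that forwards to unpatched servers.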
Also significant are the three remote code execution vulnerabilities patched in Microsoft Exchange Server: CVE-2022-21846, which is considered Critical, and CVE-2022-21969 and CVE-2022-21855, both of which are categorized as Important. All three vulnerabilities require low complexity, no privileges, and no user interaction to exploit. Microsoft classifies them all as "exploitation more likely".
NSA Reports One
One of these flaws (CVE-2022-21846) was disclosed to Microsoft by the National Security Agency. While it has a high CVSS score of 9.0, Microsoft noted this issue has an "adjacent" attack vector, meaning it cannot be exploited across the Internet but instead needs something specific tied to the target, such as the same shared physical network or logical network. This means it would require more effort for the attacker, unlike the ProxyLogon or ProxyShell bugs.
Another vulnerability worth a closer look is CVE-2022-21840, a Critical RCE flaw in Microsoft Office that requires low complexity and no privileges. The Preview Pane is not an attack vector here, Microsoft notes, but an exploit does require user interaction. In an email attack scenario, an adversary could send a specially crafted file to a victim and convince them to open it. In a Web-based scenario, the attacker could host a website (or use a compromised website that accepts or hosts user-provided content) that contains a specially crafted file to exploit the bug.
Organizations running Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 will unfortunately have to wait for an update, as patches are not yet available for these. Microsoft says customers will be notified via CVE revision when they are made available.
The six publicly known issues patched today include an open source curl RCE vulnerability (CVE-2021-22947) and a Libarchive RCE vulnerability (CVE-2021-36976), both of which were previously assigned CVEs by a third party and are now being incorporated into Microsoft products.
Also publicly known are a Windows certificate spoofing vulnerability (CVE-2022-21836), a Windows Security Center API RCE vulnerability (CVE-2022-21874), a Windows User Profile Service elevation-of-privilege flaw (CVE-2022-21919), and a Windows event tracing discretionary access control list denial-of-service vulnerability (CVE-2022-21839).