Microsoft Patch Tuesday fixes critical zero-days along with 97 other flaws

Threat Advisories

Microsoft Patch Tuesday fixes critical zero-days along with 97 other flaws

January 12, 2022

THREAT LEVEL: Red.

For a detailed advisory, download the pdf file here.

Microsoft has fixed 97 vulnerabilities, with nine classified as Critical and 88 as Important and among them 6 zero-days.

Following are the type of security vulnerabilities reported in multiple Microsoft products:

  • 41 Elevation of Privilege Vulnerabilities
  • 29 Remote Code Execution Vulnerabilities
  • 9 Security Feature Bypass Vulnerabilities
  • 6 Information Disclosure Vulnerabilities
  • 9 Denial of Service Vulnerabilities
  • 3 Spoofing Vulnerabilities

Six zero-day vulnerabilities were addressed in the January’s patch Tuesday:

  • CVE-2021-22947: Remote Code-Execution vulnerability in open-source Curl library.
  • CVE-2021-36976: Remote Code-Execution vulnerability in open-source Libarchive.
  • CVE-2022-21874: Remote Code-Execution vulnerability in Local Windows Security Center API.
  • CVE-2022-21919: Privilege escalation vulnerability in Windows User Profile Service.
  • CVE-2022-21839: Denial-of-Service vulnerability in Windows Event Tracing Discretionary Access Control List.
  • CVE-2022-21836: Spoofing vulnerability in Windows Certificate.

Some of the critical vulnerabilities are listed below:

  • CVE-2022-21846: Remote Code-Execution vulnerability in Microsoft exchange server which.
  • CVE-2022-21840: Remote Code-Execution vulnerability in Microsoft Office 365.
  • CVE-2022-21857: Active Directory Domain Services Elevation of Privilege Vulnerability
  • CVE-2022-21898: Privilege escalation vulnerability in DirectX Graphics.
  • CVE-2022-21912: DirectX Graphics Kernel Remote Code Execution Vulnerability.
  • CVE-2022-21907: HTTP Protocol Stack Remote Code-Execution Vulnerability
  • CVE-2022-21917: HEVC Video Extensions Remote Code-Execution Vulnerability.

Out of the critical bugs, a Remote Code-Execution (CVE-2022-21907) issue in the HTTP protocol stack (HTTP.sys) used as a protocol listener for processing HTTP requests by the Windows Internet Information Services (IIS) web server. Successful exploitation requires an attacker to send maliciously crafted packets to targeted Windows servers, which use the vulnerable HTTP Protocol Stack for processing packets.

Hive Pro threat researchers recommend users to prioritize patching this flaw on all the affected servers since it could allow unauthenticated attackers to remotely execute arbitrary code in low complexity attacks and “in most situations,” without requiring user interaction.

Vulnerabiliy Details

Patch Links

https://msrc.microsoft.com/update-guide/

References

https://www.bleepingcomputer.com/microsoft-patch-tuesday-reports/Jan-2022.html

https://threatpost.com/microsoft-wormable-critical-rce-bug-zero-day/177564/

https://www.bleepingcomputer.com/news/microsoft/microsoft-new-critical-windows-http-vulnerability-is-wormable/

https://www.bleepingcomputer.com/news/microsoft/microsoft-new-critical-windows-http-vulnerability-is-wormable/

https://thehackernews.com/2022/01/first-patch-tuesday-of-2022-brings-fix.html

Recent Posts

Join Our Newsletter 14,000+ subscribers and growing! Get top cybersecurity news delivered directly to your inbox.