Microsoft Patch Tuesday: An 'Unusually Large' Patch Release122 CVEs, Including 96 New, 9 Critical, 6 Zero-Days
Microsoft on Tuesday released its first rollout of 2022 patches that covers 96 new CVEs, plus 24 CVEs patched by Microsoft Edge (Chromium-based) earlier this month and two other CVEs fixed previously in open-source projects. This makes a January total of 122 CVEs. Of these, nine are rated critical in severity, 89 are rated important and six are zero-day vulnerabilities.
See Also: The Power and Scale of XDR
"This is an unusually large update for January. Over the last few years, the average number of patches released in January is about half this volume," says Zero Day Initiative's Dustin Childs.
Tuesday's update fixes problems including privilege escalation flaws, remote code execution exploits, cross-site scripting vulnerabilities, spoofing issues, denial-of-service vulnerabilities and information disclosure vulnerabilities in Microsoft Windows and Windows Components, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Source Software, Windows Hyper-V, Windows Defender and Windows Remote Desktop Protocol.
Earlier this month, Microsoft issued a workaround to fix a fatal error that disrupted email delivery due to a date check failure with the change of the year to 2022 (see: Microsoft Exchange Fixes Disruptive 'Y2K22' Bug).
Stress From Log4j
Bharat Jogi, director of vulnerability and threat research at Qualys, says Microsoft's monster Patch Tuesday comes during a time of chaos in the security industry as professionals work overtime to remediate Log4Shell - or the Apache Log4j vulnerability - which is reportedly the worst vulnerability seen in decades.
"Unpredictable events such as Log4Shell add significant stress to the security professionals dealing with such outbreaks and bring to the forefront the importance of having an automated inventory of everything that is used by an organization in their environment," Jogi tells ISMG. He says security professionals need to automate deployment of patches for events with defined schedules, such as MSFT Patch Tuesday, so they can focus their energy on responding efficiently to any unpredictable events that occur.
CVE-2022-21907, with a CVSS score of 9.8 out of 10, is a HTTP protocol stack remote code execution vulnerability. This bug could allow an attacker to gain code execution on an affected system by sending specially crafted packets to a system utilizing the HTTP Protocol Stack (http.sys) to process packets.
"No user interaction, no privileges required, and an elevated service add up to a wormable bug. And while this is definitely more server-centric, remember that Windows clients can also run http.sys, so all affected versions are affected by this bug. Test and deploy this patch quickly," Childs says.
"Marked as 'exploitation more likely,' its wormable nature is highly appealing to attackers as it can allow them to reach further into networks that would otherwise be inaccessible," says Kev Breen, director of cyberthreat research at Immersive Labs. Microsoft says Windows Server 2019 and Windows 10 version 1809 are not vulnerable by default, according to Breen, and require a specific registry key to be set in order to make them vulnerable.
Breen also says that if a user is on an affected version and not able to patch quickly, applying the mitigation in the Microsoft advisory could be a good first step. Before applying any mitigation he says, always check how it might affect any applications or business-critical services.
Chris Morgan, senior cyberthreat intelligence analyst at Digital Shadows, says this vulnerability is concerning, but there is no evidence of working proofs of concept or exploitation in the wild. Still, it should be patched as a priority, he says.
CVE-2022-21907 and CVE-2022-21840
Greg Wiseman, product manager at Rapid7, says the worst vulnerability in the lot is CVE-2022-21907, which affects the Windows HTTP protocol stack. Although Microsoft considers it potentially wormable, he says, similar vulnerabilities - such as CVE-2021-31166 - have not proven to be wormable.
Wiseman says CVE-2022-21840 affects all supported versions of Microsoft Office as well as Sharepoint Server. "Exploitation would require social engineering to entice a victim to open an attachment or visit a malicious website, Thankfully, the Windows preview pane is not a vector for this attack," he says.
Zero Day Initiative's Childs says there are multiple patches to address this bug, unless you’re running Office 2019 for Mac and Microsoft Office LTSC for Mac 2021, which have no patches available. "Let’s hope Microsoft makes these patches available soon," he says.
The trio of remote code execution vulnerabilities tracked as CVE-2022-21846, CVE-2022-21855 and CVE-2022-21969 each received a 9 out of 10 CVSS score. They affect Microsoft Exchange Server. All these vulnerabilities were reported by three separate researchers, including the National Security Agency.
"An important caveat is that they are listed as 'network adjacent,' suggesting an attacker must already have access to the local network via an existing compromised host," Breen says. "Attacks attempting to exploit this component would form part of the lateral movement phases, rather than the initial infection vector."
He says this is not the first time exploits or patches have affected Microsoft Exchange Server; the Hafnium APT group used a collection of exploits to do that in January 2021.
CVE-2022-21912 and CVE-2022-21898 affect DirectX Graphics. CVE-2022-21917 is a vulnerability in the Windows Codecs library. In most cases, systems should automatically get patched, but some organizations may have the vulnerable codec preinstalled on their gold images and disable Windows Store updates, Wiseman says.
Microsoft's latest batch of patch releases includes six publicly disclosed zero-day vulnerabilities that reportedly are not currently under exploitation.
CVE-2022-21919 is a Windows user profile service elevation of privilege vulnerability that affects Windows 7 and server 2008 and later versions of the Windows operating system.
In an analysis shared with ISMG, Tyler Reguly, manager of security research and development at Tripwire, says that this vulnerability was a bypass to CVE-2021-34484, released by researcher Abdelhamid Naceri (see: Report: No Patch for Microsoft Privilege Escalation Zero-Day).
"The researcher first tweeted about the bypass on Oct. 22 and shared links to a proof of concept. According to Naceri, the initial fix only removed CDirectoryRemove based on the original proof of concept that was provided. It did not resolve the underlying issue, which has been fixed with today’s update," Reguly says.
CVE-2021-36976 is a Libarchive remote code execution vulnerability that describes an issue in the libarchive library, which is used by Windows. Reguly says that the vulnerability was found by OSS-Fuzz in March 2021 and disclosed in June 2021.
CVE-2022-21836 is a Windows certificate spoofing vulnerability that was first disclosed in a blog post from Eclypsium on Sept. 23, 2021.
This vulnerability can be exploited using expired and revoked certificates, which could be used to bypass binary verification in the Windows Platform Binary Table.
"Microsoft has resolved a spoofing vulnerability in Windows Certificates affecting Windows 7 and server 2008 and later versions of the Windows OS and has added those certificates to the Windows kernel driver block list, driver.stl. Certificates on the driver.stl will be blocked even if present in the Windows Platform Binary Table," says Chris Goettl, vice president of product management at Ivanti.
CVE-2022-21839 is a Windows event tracing discretionary access control list, or DACL, denial-of-service vulnerability that affects Windows 10 1809 and Server 2019 versions of the Windows OS.
Reguly says DACLs are access control lists that identify who can access a Windows object and if the object does not have a DACL, the system will provide everyone access to it.
CVE-2022-21874 is a Windows security center API remote code execution vulnerability that exists within the Windows Security Center API. It affects Windows 10 and Server 2016 and later versions of the Windows OS. The local vulnerability requires user interaction but could allow for a full compromise of confidentiality, integrity and availability, Reguly tells ISMG.
CVE-2021-22947 is an open-source curl remote code execution vulnerability that was first introduced in 2009 and fixed in September 2021. The vulnerability affects Windows 10 and Server 2019 and later versions of the Windows OS.
Reguly says it is a "man in the middle" flaw, in which traffic not protected by TLS can be injected into communication between the client and server that will be processed by curl as if it came from a TLS-protected connection.