In January 2022, Microsoft patched nearly a hundred vulnerabilities, an unusual volume for this time of year. Nine of them are rated critical.
If January sets the tone for the volume of Patch Tuesday releases for the rest of the year, we should expect a heavy load. To start 2022, Microsoft published a very large batch of fixes: no fewer than 97. That is in addition to the 24 CVEs fixed at the beginning of the month for the Edge browser and 2 others relating to open source projects. The components receiving these security updates include Windows, SharePoint, Dynamics, Hyper-V, Defender… Usually, the number of vulnerabilities fixed in a January Patch Tuesday is closer to forty.
Of the 97 security holes patched, 9 are rated critical and 88 are rated important. Several therefore require special attention, such as CVE-2022-21907, which can lead to remote code execution in the HTTP Protocol Stack (http.sys). “No user interaction and no privileges are required for this bug which can be exploited as a worm,” Zero Day Initiative warned. “While this is much more server-centric, keep in mind that Windows clients can also run http.sys, so all affected versions are affected by this bug. Test and deploy this hotfix quickly.”
Exchange and Office get their share
The problem with loading messages into the Exchange mail server took up the evenings and weekends of many system and network administrators a few days ago. But that is not all: the product was also exposed to security risks, which prompted the Redmond firm to react. Three vulnerabilities were patched, including CVE-2022-21846, rated critical, which also leads to remote code execution. Also worth noting is the RCE flaw affecting Office (CVE-2022-21840), with a severity level considered severe. Users of Office 2019 for Mac and Office LTSC for Mac 2021 must wait for this fix to become available. Also pay attention to CVE-2022-21857, an unusual elevation-of-privilege flaw affecting Active Directory domains.
“This patch fixes a bug that allowed attackers to elevate privileges across an Active Directory trust limit under certain conditions. Although privilege escalations are generally assigned a severity rating of High, Microsoft has deemed the flaw sufficient for a rating of Critical. This requires a certain level of privilege, so again, an insider or another attacker with a foothold in a network could use it for lateral movement and maintain a presence within a company,” Zero Day Initiative warned.