Skip to main content

Microsoft Patch Tuesday: A ‘Unusually Large Patch Release

Table of Contents

Application Security, Governance & Risk Management, Incident & Breach Response.

122 CVEs, including 96 New, 9 Critical, and 6 Zero-Days Prajeet Nair (@prajeetspeaks). * January 12, 2022, Microsoft Patch Wednesday: An ‘Unusually Large’ Patch Release.

Microsoft released Tuesday its first rollout of 2022 patches. It covers 96 CVEs plus 24 CVEs that were patched earlier in the month by Microsoft Edge (Chromium-based), and two CVEs that were previously fixed in open-source projects. There are now 122 CVEs in January. Nine of these CVEs are considered critical in severity while 89 are important. Six are also zero-day vulnerabilities.

The Toll of Identity Sprawl in the Complex Enterprise

“This is a very large update for January. Dustin Childs, Zero Day Initiative’s Dustin Childs, says that over the past few years the average January patch release has been about half as many.

Tuesday’s update addresses privilege escalation flaws and remote code execution exploits. It also fixes spoofing issues and information disclosure vulnerabilities in Microsoft Windows, Windows Components and Microsoft Edge (Chromium-based), Exchange Server, and Microsoft Office and Office Components.

Microsoft released a workaround earlier this month to correct a fatal error in email delivery that was caused by a date check failure due to the change of the years to 2022. (see: Microsoft Exchange Fixes the Disruptive “Y2K22” Bug).

Log4j – Stress Relief

Bharat Jogi is Qualys’ director of vulnerability research and threat analysis. He says Microsoft’s monster Patch Tuesday occurs during chaos in the security sector as professionals work overtime on Log4Shell (or the Apache Log4j vulnerability) which is reportedly one of the most serious vulnerabilities in recent decades.

Jogi tells ISMG that unpredictable events like Log4Shell can add stress to security professionals who have to deal with these outbreaks. This makes it imperative to keep an automated inventory of all items used by organizations in their environment. Security professionals should automate the deployment of patches for events according to a set schedule, such as MSFT Patch Tuesday. This will allow them to focus on responding to unpredictable events efficiently.

Notable Vulnerabilities CVE-2022-21907

CVE-2022-21907 is a remote code execution vulnerability in the HTTP protocol stack. It has a CVSS score of 9.8 out of 10. An attacker could use this bug to execute code on affected systems by sending specially crafted packets. This vulnerability is available to all systems that utilize the HTTP Protocol Stack (http.Sys).

“A wormable bug is one that requires no user interaction, does not require privileges, and has an elevated service. This bug is more server-centric than usual, but Windows clients can run HTTP.Sys as well, so it affects all versions. Childs states that the patch can be quickly deployed and tested.

“Kev Breen, Immersive Labs’ director of cyber threat analysis, says that wormable nature has been labeled as more likely to exploit. Breen claims that Windows Server 2019 and Windows 10 Version 1809 are not automatically vulnerable. They require a registry key to make them vulnerable.

Breen says that, if the affected version is not available for patching immediately, the Microsoft advisory can be used to apply the mitigation. He advises that you always verify the potential impact on any business-critical applications before applying mitigation.

Chris Morgan, senior analyst in cyberthreat intelligence at Digital Shadows, said that this vulnerability is alarming, but there are no working proofs or exploitable wild evidence. He says that it should be addressed as a top priority.

CVE-2022-21907 & CVE-2022-21840

CVE-2022-21907 is the most serious vulnerability, according to Rapid7’s product manager Greg Wiseman. It affects the Windows HTTP protocol layer. Microsoft believes it is potentially wormable. However, similar vulnerabilities, such as CVE-2021-3166, have not been proven to be wormable.

Wiseman states that CVE-2022-21840 is a vulnerability in all versions of Microsoft Office and Sharepoint Server. He says that to exploit the vulnerability, one would need to use social engineering to get a victim to open an attachment or go to a malicious site. Fortunately, the Windows preview pane does not provide this opportunity.

Childs of Zero Day Initiative says that there are several patches to fix this bug unless your computer is running Office 2019 for Mac or Microsoft Office LTSC For Mac 2021. These versions have no patches. He says, “Let’s all hope Microsoft makes these patches available soon.”

RCE Vulnerabilities

 

CVE-2022-221846, CVE-2022-221855, and CVE-2022-221969 were all remote code execution vulnerabilities. Each received a CVSS score of 9/10. These vulnerabilities affect Microsoft Exchange Server. These vulnerabilities were discovered by three different researchers, including the National Security Agency.

Breen states that “An important caveat is that they’re listed as ‘network-adjacent,’ which means an attacker must have access to the local networks via an existing compromised host.” “Attacks to exploit this component would be part of the phases of the lateral movement, not the initial infection vector.”

He claims that this isn’t the first time Microsoft Exchange Server has been affected by exploits or patches. In fact, the Hafnium APT team used a number of exploits in January 2021.

Other vulnerabilities

DirectX Graphics are affected by CVE-2022-291912 and CVE-2022-2898. CVE-2022-21917 refers to a vulnerability in Windows Codecs Library. While most systems should be patched automatically, Wiseman states that some organizations may have the vulnerable codec installed on their gold images. This could disable Windows Store updates.

Zero-Days

Microsoft’s most recent patch release includes six zero-day vulnerabilities, which were publicly disclosed by Microsoft. These vulnerabilities are not currently being exploited.

CVE-2022-21919

CVE-2022-2191919 is a Windows user profile vulnerability that allows for the elevation of privilege. It affects Windows 7 as well as server 2008, and later Windows versions.

An analysis shared by ISMG shows that Tyler Reguly (manager of security research at Tripwire) said this vulnerability was a bypass for CVE-2021-34484 released by researcher Abdelhamid Naci (see Report: No Patch to Microsoft Privilege Escalation Zero Day).

“The bypass was first reported by the researcher on October 22. He shared links to proof of concept. Naceri claims that the initial fix to CDirectoryRemove only removed it based on the proof of concept. Reguly states that it did not fix the underlying problem.

CVE-2021-36976

CVE-2021-36976 describes a Libarchive remote execution vulnerability. It involves an issue in the libarchive program, which Windows uses. Reguly states that the vulnerability was discovered by OSS-Fuzz on March 2021, and reported to Microsoft in June 2021.

CVE-2022-21836

CVE-2022-21836, a Windows certificate spoofing vulnerability, was first reported by Eclypsium in a blog post on September 23, 2021.

This vulnerability could be exploited by using expired or revoked certificates, which could be used for bypassing binary verification in Windows Platform Binary Table.

“Microsoft has fixed a spoofing vulnerability that affected Windows Server 2008 and Windows 7 as well as server 2008, and later Windows OS versions,” says Chris Goetttt. He has also added the certificates to the Windows kernel block list, driver.Stl. “Certificates on the driver.Stl” will be blocked, even if they are present in the Windows Platform Binary Table,” Chris Goettl (Vice President of Product Management at Ivanti).

CVE-2022-21839

CVE-20222-21839 refers to a Windows event that traces discretionary access control lists, or DACL denial-of-service vulnerability. It affects Windows 10 1809, and Server 2019 versions.

Reguly explains that DACLs are access control lists that identify who can access Windows objects and if an object doesn’t have a DACL, it will give everyone access.

CVE-2022-21874

CVE-2022-21874 refers to a remote code execution vulnerability in the Windows Security Center API. This vulnerability affects Windows 10 and Server 2016 as well as later Windows OS versions. Reguly informs ISMG that the vulnerability is local and requires user interaction. However, it could lead to a complete compromise of confidentiality integrity, and availability.

CVE-2021-22947

CVE-2021-22947, an open-source vulnerability in remote code execution using curl, was first discovered in 2009. It was fixed in September 2021. This vulnerability affects Windows 10/Server 2019 and later Windows OS versions.

Reguly claims it’s a “man-in-the-middle” flaw. Traffic that isn’t protected by TLS can be infected by communication between client and server. This traffic will then be processed by curl as it came from TLS-protected connections.

more information : venmo

Comments

Post a Comment

Popular posts from this blog

What is the cost of Disney

 You might have heard about Disney Plus; this is itself a success story that has gained more than 118 million subscribers in just a two years. As you can see, it’s still growing, and the price is also pretty reasonable. It provides access to Walt Disney, Marvel Studio, Pixar, National Geographic, etc. Disney+ Hotstar is one of the best popular OTT services, which is against the player of Netflix and Amazon Prime Video. This streaming platform also provides live sports, including cricket and football. Subscription is very affordable where you can get access to the entire catalog. Now you might be thinking about which membership should pick; here we will discuss the best one for you. Disney+ Hotstar has two types of subscription plans VIP and Premium. This former offered access only for the dubbed and regional content, then later they have included all catalogues which even had US-based TV shows. This company has a VIP tier, which consists three types of plans with different price t...
Post a Comment
Read more

What to Do If Your iPhone Won’t Connect to a Network

There are a few different things that could be wrong if your iPhone suddenly stops receiving or making calls or displays an error message. There could be an issue with your mobile carrier’s service plan, a hardware malfunction with your phone, or an incorrectly adjusted setting causing your service problems. Issues that may cause your iPhone to report “No Service” Since there isn’t a single cause for an iPhone to say it has no service, you’ll have to do some troubleshooting, starting with the simplest and most plausible explanations. A simple adjustment to a setting, such turning on Airplane Mode or adjusting the carrier settings, can disrupt service. In rare instances, a software update from your cellular service provider is required to update the iPhone’s cellular settings. SIM card replacement and reset are less commonplace but still possible. Maybe there’s an issue with your cell phone service. How Do You Know Which iPhone to Buy? It’s worth trying a few fast fixes before d...
Post a Comment
Read more

Twitch.tv/activate – Steps For Activate Twitch TV

Twitch.tv/activate: The majority of the streaming media will be played on twitch. tv/activate website. You must create an account to live. If you don’t have a twitch. tv account, create one. All you have to do is go to the top of the page, click the tiny button, and type in any name and password you like. It scribbles whatever it wants. Fill in all of the required fields, create an account for yourself, and log in to your account. The next step is to speed up test.net and wait for the setup to finish. Make sure it’s set to 1000 bits, then save before returning to the home page and starting the speed test. Open a new tab, go to OBS type, Google OBS, go to OBS project.com, and click Download to make sure you have Windows or all of your operating systems. Table of Contents Features of Twitch TV Twitch. tv/activate – Get the Code How to Enter Twitch.tv/activate Code How To Activate A Twitch Account On Xbox One? How To Stream To Twitch On PlayStation 4 Features of ...
Post a Comment
Read more