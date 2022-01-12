



Microsoft today released its first Patch Tuesday rollout of 2022, fixing 96 CVEs. Nine of the vulnerabilities are rated critical and six are publicly known, but none has been reported as under active attack.

Products affected by this month’s release include Microsoft Windows, the Edge browser (Chromium-based), Exchange Server, Microsoft Office, Microsoft Dynamics, .NET Framework, open source software, Windows Defender, Windows Hyper-V, and Remote Desktop Protocol.

This is an “abnormally large” rollout for Microsoft’s first patch of the year, Dustin Childs of Trend Micro’s Zero Day Initiative said in a blog post about today’s release. “In the last few years, the average number of patches released in January is about half this amount,” he said. It is also a notable contrast to the small update released at the end of 2021.

Today’s release contains several vulnerabilities that are worth prioritizing and watching closely. One of these is CVE-2022-21907, a remote code execution (RCE) flaw in the HTTP Protocol Stack (http.sys): an attacker can abuse it by sending a specially crafted packet to a target server that processes packets using http.sys. Microsoft states that this vulnerability is wormable.

“The CVE targets HTTP trailer support, which allows senders to include metadata in additional fields of their messages; specially crafted messages can lead to remote code execution,” said Danny Kim, chief architect at Virsec. The attack is low in complexity, requires no privileges, and needs no user interaction. Users are encouraged to apply the patch immediately.

Also important are the three remote code execution vulnerabilities patched in Microsoft Exchange Server. CVE-2022-21846 is rated critical; CVE-2022-21969 and CVE-2022-21855 are also classified as critical. All three are low in attack complexity, require no privileges, and require no user interaction to exploit. Microsoft classifies all of them as “highly likely to be abused.”

One of these flaws (CVE-2022-21846) was reported to Microsoft by the National Security Agency. Although its CVSS score is a high 9.0, Microsoft notes that the attack vector for this issue is “adjacent”: it cannot be exploited directly across the Internet, and the attacker must share something specific with the target, such as the same physical or logical network. This means that, unlike the ProxyLogon and ProxyShell bugs, it requires more effort on the attacker’s part.

Another critical vulnerability worth noting is CVE-2022-21840, a serious RCE flaw in Microsoft Office that is low in attack complexity and requires no privileges. According to Microsoft, the preview pane is not an attack vector here, but exploitation does require user interaction. In an email attack scenario, an attacker could send a specially crafted file to the victim and convince the victim to open it. In a web-based scenario, an attacker could host a website (or use a compromised website that accepts or hosts user-supplied content) containing a specially crafted file designed to exploit the bug.

Organizations running Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 unfortunately have to wait, as patches for them are not yet available. According to Microsoft, customers will be notified through a revision to the CVE when the update is available.

The six publicly known issues patched today include an RCE vulnerability in the open source curl library (CVE-2021-22947) and an RCE vulnerability in Libarchive (CVE-2021-36976). Both CVEs were previously published by third parties and are now covered for Microsoft products.

Also publicly known are a Windows Certificate Spoofing Vulnerability (CVE-2022-21836), a Windows Security Center API RCE Vulnerability (CVE-2022-21874), a Windows User Profile Service Elevation of Privilege Vulnerability (CVE-2022-21919), and a Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability (CVE-2022-21839).

