News

Microsoft Issues January Security Patches Addressing 97 Vulnerabilities

• By Kurt Mackie
• 01/11/2022

Microsoft on Tuesday released January security patches addressing near 100 common vulnerabilities and exposures (CVE) in various software products.

Security researchers don't exactly agree on the patch count, with estimates ranging from 96 or 97 new fixes, or even 120 vulnerabilities in total getting addressed. Microsoft, as usual, doesn't count its patches.

Microsoft's official guidance is its voluminous "Security Update Guide" for January. Patches were released for .NET Framework, Microsoft Dynamics, the Chromium-based Microsoft Edge browser, Office apps, Windows and Windows components, plus much more, per the guide's "Release Notes" page.

It's now possible to sign up to get updates on any changes made to Microsoft's released patches. Details are described in this Microsoft Security Response Center blog post.

Of the patch bundle this month, nine CVEs are deemed to be "Critical" by security researchers, with 89 considered "Important." Six of the CVEs were publicly known about before Microsoft's "update Tuesday" patch release, according to a tally kept by Justin Childs of Trend Micro's Zero Day Initiative in this post.

Critical Vulnerabilities
Of the nine Critical vulnerabilities getting patches this month, one sticks out as being particularly noteworthy by security researchers. It's CVE-2022-21907, described as a remote code execution (RCE) vulnerability in the HTTP Protocol Stack.

CVE-2022-21907, with a Common Vulnerability Scoring System (CVSS) score of 9.8 (out of 10), affects Windows 10, Windows 11 and server products from Windows Server 2019 and newer. Attackers have to send a "specially crafted packet to a targeted server" but once the attack is carried out, it's deemed to be a "wormable" exploit by Microsoft, meaning that it can spread across systems.

The CVE-2022-21907 vulnerability exists because attackers can abuse ancillary software functionalities, according to Danny Kim, a principal architect at Virsec, via e-mail:

The CVE targets the HTTP trailer support feature, which allows a sender to include additional fields in a message to supply metadata, by providing a specially-crafted message that can lead to remote code execution. Although Microsoft has provided an official patch, this CVE is another reminder that software features allow opportunities for attackers to misuse functionalities for malicious acts.

Organizations can better protect themselves from such software exploits by having real-time monitoring solutions in place, Kim suggested.

Here are the other Critical-rated vulnerabilities, on top of CVE-2022-21907, in Microsoft's January bundle:

• CVE-2021-22947, an RCE vulnerability in the open source curl library used by Windows systems, which was publicly known before Microsoft's disclosure.
• CVE-2022-21857, an elevation of privilege (EoP) vulnerability associated with Active Directory Domain Services use on Windows Server, from Windows Server 2016 and below products (CVSS 8.8).
• CVE-2022-21912, an RCE vulnerability in the DirectX graphics kernel (CVSS 7.8).
• CVE-2022-21898, another RCE vulnerability in the DirectX graphics kernel (CVSS 7.8).
• CVE-2022-21917, an RCE vulnerability in High Efficiency Video Coding (HEVC) video extensions (CVSS 7.8).
• CVE-2022-21846, an RCE vulnerability in Exchange Server (CVSS 9.0).
• CVE-2022-21840, an RCE in Microsoft Office (CVSS 8.8).
• CVE-2022-21833, an EoP vulnerability in the "virtual machine IDE drive" on Windows systems (CVSS 7.8).

Security Analyst Comments
This month's patch count was viewed as being somewhat high for a January month. Childs noted that January patch releases by Microsoft usually bring "about half this volume."

Security solutions firm Automox suggested at its summary page that Microsoft's January patch release was higher than average in terms of the Critical vulnerabilities getting patches:

January's 9 critical vulnerabilities is slightly higher than last year's monthly average of 8.4 and it represents the highest monthly total since July 2021. Fortunately, Microsoft did not have any exploited vulnerabilities to report for this month.

More update Tuesday comments from Automox security experts can be found in this Automox post.

Overall, the vulnerabilities exposed with this month's update Tuesday release often depend on attackers having a foothold in a system beforehand, explained Greg Wiseman, a product manager at security solutions firm Rapid7, via e-mail. The vulnerabilities may not be as "scary" as their CVSS scores might suggest, he noted:

The worst of these is CVE-2021-21907, affecting the Windows HTTP protocol stack. Although it carries a CVSSv3 base score of 9.8 and is considered potentially "wormable" by Microsoft, similar vulnerabilities have not proven to be wormable (for example CVE-2021-31166).

The Critical vulnerability (CVE-2022-21840) in Office and SharePoint Server would "require social engineering to entice a victim to open an attachment or visit a malicious website" and the preview pane is not affected, Wiseman noted. He also explained that the Exchange Server vulnerabilities (CVE-2022-21846 and CVE-2022-21855) cannot be exploited remotely using the Internet as the attacker first needs to be "adjacent to the target system in terms of network topology."

There are actually three Exchange vulnerabilities this month, with one of the discoveries credited to the U.S. National Security Agency, noted Satnam Narang, staff research engineer at Tenable, in e-mailed comments:

Microsoft patched three remote code execution vulnerabilities in Microsoft Exchange Server (CVE-2022-21846, CVE-2022-21969, CVE-2022-21855). All three are rated as "exploitation more likely." One of the flaws, CVE-2022-21846, was disclosed to Microsoft by the National Security Agency. Despite the rating, Microsoft notes the attack vector is adjacent, meaning exploitation will require more legwork for an attacker, unlike the ProxyLogon and ProxyShell vulnerabilities which were remotely exploitable.

In general, Wiseman recommended that organizations should "prioritize patching servers (Exchange, SharePoint, Hyper-V, and IIS) followed by web browsers and other client software."

Automox in its comments section recommended ensuring that all Critical vulnerabilities get patched "within a 72 hour window." Automox also reminded organizations that the Log4Shell vulnerability in Apache Web servers, which made a big splash last month, is still a "concern for many organizations." Automox recently posted a 15-minute video on the topic, called "Apache Log4j and the Log4Shell Vulnerability," which offers background info and remediation steps.

Other Update Tuesday Concerns
On top of Microsoft's update Tuesday patch release, January patches were released by Adobe, Mozilla, Samba and SAP. Google had released Chrome browser patches last week.

Additionally, the U.S. Cybersecurity and Infrastructure Security Agency, in conjunction with the Federal Bureau of Investigation and the National Security Agency, issued an overview on Tuesday describing "Russian state-sponsored cyber operations."

The overview links to this "Alert" article, which describes the specific vulnerabilities that are currently being leveraged by attackers said to be affiliated with Russia. The products under attack include FortiGate VPNs, Cisco routers, Oracle WebLogic Server, Citrix products, Microsoft Exchange and VMware products (and much more).