Microsoft on Tuesday kicked off its first set of updates for 2022 by plugging 96 security holes throughout its software ecosystem, although urging buyers to prioritize patching for what it phone calls a critical “wormable” vulnerability.
Of the 96 vulnerabilities, nine are rated Critical and 89 are rated Essential in severity, with six zero-working day publicly known at the time of the launch. This is in addition to 29 issues patched in Microsoft Edge on January 6, 2022. None of the disclosed bugs are detailed as beneath attack.
The patches cover a swath of the computing giant’s portfolio, such as Microsoft Windows and Windows Elements, Trade Server, Microsoft Place of work and Business Elements, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Resource Software program, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP).
Main among them is CVE-2022-21907 (CVSS rating: 9.8), a distant code execution vulnerability rooted in the HTTP Protocol Stack. “In most scenarios, an unauthenticated attacker could mail a specially crafted packet to a targeted server using the HTTP Protocol Stack (http.sys) to process packets,” Microsoft noted in its advisory.
Russian security researcher Mikhail Medvedev has been credited with finding and reporting the mistake, with the Redmond-based mostly business stressing that it is wormable, indicating no consumer interaction is necessary to induce and propagate the an infection.
“Even though Microsoft has supplied an formal patch, this CVE is a further reminder that computer software features permit chances for attackers to misuse functionalities for destructive functions,” Danny Kim, principal architect at Virsec, said.
Microsoft also resolved 6 zero-times as portion of its Patch Tuesday update, two of which are an integration of 3rd-party fixes regarding the open up-resource libraries curl and libarchive.
- CVE-2021-22947 (CVSS score: N/A) – Open-Source curl Remote Code Execution Vulnerability
- CVE-2021-36976 (CVSS score: N/A) – Open up-supply libarchive Distant Code Execution Vulnerability
- CVE-2022-21836 (CVSS rating: 7.8) – Windows Certificate Spoofing Vulnerability
- CVE-2022-21839 (CVSS rating: 6.1) – Windows Function Tracing Discretionary Accessibility Handle List Denial of Service Vulnerability
- CVE-2022-21874 (CVSS score: 7.8) – Windows Security Heart API Remote Code Execution Vulnerability
- CVE-2022-21919 (CVSS rating: 7.) – Windows Person Profile Support Elevation of Privilege Vulnerability
A further critical vulnerability of be aware issues a remote code execution flaw (CVE-2022-21849, CVSS score: 9.8) in Windows Internet Crucial Trade (IKE) model 2, which Microsoft said could be weaponized by a remote attacker to “trigger multiple vulnerabilities without the need of getting authenticated.”
On major of that, the patch also remediates a variety of remote code execution flaws influencing Exchange Server, Microsoft Place of work (CVE-2022-21840), SharePoint Server, RDP, and Windows Resilient File Method as well as privilege escalation vulnerabilities in Energetic Directory Area Products and services, Windows Accounts Manage, Windows Cleanup Supervisor, and Windows Kerberos, among other people.
It is really worth stressing that CVE-2022-21907 and the three shortcomings uncovered in Exchange Server (CVE-2022-21846, CVE-2022-21855, and CVE-2022-21969, CVSS scores: 9.) have all been labeled as “exploitation much more likely,” necessitating that the patches are applied instantly to counter possible real-entire world attacks targeting the weaknesses. The U.S. National Security Company (NSA) has been acknowledged for flagging CVE-2022-21846.
“This significant Patch Tuesday comes throughout a time of chaos in the security field whereby gurus are doing work extra time to remediate Log4Shell — reportedly the worst vulnerability noticed in decades,” Bharat Jogi, director of vulnerability and danger Investigation at Qualys, mentioned.
“Situations these as Log4Shell […] provide to the forefront the importance of getting an automated stock of all the things that is utilized by an business in their ecosystem,” Jogi additional, stating “It is the want of the hour to automate deployment of patches for occasions with defined schedules (e.g., MSFT Patch Tuesday), so security experts can focus electrical power to answer successfully to unpredictable events that pose dastardly risk.”
Software Patches from Other Suppliers
Apart from Microsoft, security updates have also been released by other vendors to rectify numerous vulnerabilities, counting —
- Google Chrome
- Linux distributions Oracle Linux, Crimson Hat, and SUSE
- Mozilla Firefox, Firefox ESR, and Thunderbird
- Schneider Electric
- VMware, and
Found this article fascinating? Stick to THN on Facebook, Twitter and LinkedIn to study a lot more special content material we post.
Some parts of this article are sourced from: