Microsoft’s first batch of updates for 2022 arrived on Tuesday, correcting 96 security flaws across its software ecosystem and advising customers to prioritise patching for a severe “wormable” vulnerability. Nine of the 96 vulnerabilities are rated Critical, while the remaining 89 are rated Important, and six were publicly disclosed zero-day vulnerabilities at the time of release.
In addition, Microsoft Edge received fixes for 29 issues on January 6, 2022. There is no indication that any of the disclosed bugs are under attack.
The fixes cover Microsoft Windows and Windows Components, Exchange Server, Microsoft Office and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Source Software, Windows Hyper-V, Windows Defender, and Windows Remote Desktop.
Microsoft’s Patch Tuesday release also fixed six zero-day vulnerabilities, two of which stem from Microsoft’s incorporation of third-party fixes for the open-source libraries curl and libarchive:
- CVE-2021-22947 (CVSS score: N/A) – Open-Source curl Remote Code Execution Vulnerability
- CVE-2021-36976 (CVSS score: N/A) – Open-source libarchive Remote Code Execution Vulnerability
- CVE-2022-21836 (CVSS score: 7.8) – Windows Certificate Spoofing Vulnerability
- CVE-2022-21839 (CVSS score: 6.1) – Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability
- CVE-2022-21874 (CVSS score: 7.8) – Windows Security Center API Remote Code Execution Vulnerability
- CVE-2022-21919 (CVSS score: 7.0) – Windows User Profile Service Elevation of Privilege Vulnerability
In addition, the release fixes a number of remote code execution flaws in Exchange Server, Microsoft Office (CVE-2022-21840), SharePoint Server, RDP, and the Windows Resilient File System, as well as privilege escalation flaws in Active Directory Domain Services, Windows Accounts Control, Windows Cleanup Manager, and Windows Kerberos, among others.
It’s worth noting that CVE-2022-21907, the “wormable” flaw mentioned above, and the three flaws discovered in Exchange Server (CVE-2022-21846, CVE-2022-21855 and CVE-2022-21969, all with CVSS scores of 9.0) have all been classified as “Exploitation More Likely,” so they should be patched immediately, before real-world attacks exploiting them appear. The United States National Security Agency (NSA) has been credited with discovering CVE-2022-21846.
Besides Microsoft, other vendors have also released security updates to rectify several vulnerabilities, including:
- Google Chrome
- Linux distributions Oracle Linux, Red Hat, and SUSE
- Mozilla Firefox, Firefox ESR, and Thunderbird
- Schneider Electric
- VMware, and
Finally, Bharat Jogi, director of vulnerability and threat research at Qualys, concluded: “This big Patch Tuesday comes at a time when professionals are working overtime to patch Log4Shell — reportedly the worst vulnerability seen in decades. Log4Shell brings the importance of having an automated inventory of everything that an organisation uses in their environment. It is the need of the hour to automate patch deployment for events with defined schedules, so security professionals can focus their energy on responding quickly to unpredictable events that pose a risk.”