Skip to main content

Microsoft Patch Tuesday: A ‘Unusually Large Patch Release

Table of Contents

Application Security, Governance & Risk Management, Incident & Breach Response.

122 CVEs, including 96 New, 9 Critical, and 6 Zero-Days Prajeet Nair (@prajeetspeaks). * January 12, 2022, Microsoft Patch Wednesday: An ‘Unusually Large’ Patch Release.

Microsoft released Tuesday its first rollout of 2022 patches. It covers 96 CVEs plus 24 CVEs that were patched earlier in the month by Microsoft Edge (Chromium-based), and two CVEs that were previously fixed in open-source projects. There are now 122 CVEs in January. Nine of these CVEs are considered critical in severity while 89 are important. Six are also zero-day vulnerabilities.

The Toll of Identity Sprawl in the Complex Enterprise

“This is a very large update for January. Dustin Childs, Zero Day Initiative’s Dustin Childs, says that over the past few years the average January patch release has been about half as many.

Tuesday’s update addresses privilege escalation flaws and remote code execution exploits. It also fixes spoofing issues and information disclosure vulnerabilities in Microsoft Windows, Windows Components and Microsoft Edge (Chromium-based), Exchange Server, and Microsoft Office and Office Components.

Microsoft released a workaround earlier this month to correct a fatal error in email delivery that was caused by a date check failure due to the change of the years to 2022. (see: Microsoft Exchange Fixes the Disruptive “Y2K22” Bug).

Log4j – Stress Relief

Bharat Jogi is Qualys’ director of vulnerability research and threat analysis. He says Microsoft’s monster Patch Tuesday occurs during chaos in the security sector as professionals work overtime on Log4Shell (or the Apache Log4j vulnerability) which is reportedly one of the most serious vulnerabilities in recent decades.

Jogi tells ISMG that unpredictable events like Log4Shell can add stress to security professionals who have to deal with these outbreaks. This makes it imperative to keep an automated inventory of all items used by organizations in their environment. Security professionals should automate the deployment of patches for events according to a set schedule, such as MSFT Patch Tuesday. This will allow them to focus on responding to unpredictable events efficiently.

Notable Vulnerabilities CVE-2022-21907

CVE-2022-21907 is a remote code execution vulnerability in the HTTP protocol stack. It has a CVSS score of 9.8 out of 10. An attacker could use this bug to execute code on affected systems by sending specially crafted packets. This vulnerability is available to all systems that utilize the HTTP Protocol Stack (http.Sys).

“A wormable bug is one that requires no user interaction, does not require privileges, and has an elevated service. This bug is more server-centric than usual, but Windows clients can run HTTP.Sys as well, so it affects all versions. Childs states that the patch can be quickly deployed and tested.

“Kev Breen, Immersive Labs’ director of cyber threat analysis, says that wormable nature has been labeled as more likely to exploit. Breen claims that Windows Server 2019 and Windows 10 Version 1809 are not automatically vulnerable. They require a registry key to make them vulnerable.

Breen says that, if the affected version is not available for patching immediately, the Microsoft advisory can be used to apply the mitigation. He advises that you always verify the potential impact on any business-critical applications before applying mitigation.

Chris Morgan, senior analyst in cyberthreat intelligence at Digital Shadows, said that this vulnerability is alarming, but there are no working proofs or exploitable wild evidence. He says that it should be addressed as a top priority.

CVE-2022-21907 & CVE-2022-21840

CVE-2022-21907 is the most serious vulnerability, according to Rapid7’s product manager Greg Wiseman. It affects the Windows HTTP protocol layer. Microsoft believes it is potentially wormable. However, similar vulnerabilities, such as CVE-2021-3166, have not been proven to be wormable.

Wiseman states that CVE-2022-21840 is a vulnerability in all versions of Microsoft Office and Sharepoint Server. He says that to exploit the vulnerability, one would need to use social engineering to get a victim to open an attachment or go to a malicious site. Fortunately, the Windows preview pane does not provide this opportunity.

Childs of Zero Day Initiative says that there are several patches to fix this bug unless your computer is running Office 2019 for Mac or Microsoft Office LTSC For Mac 2021. These versions have no patches. He says, “Let’s all hope Microsoft makes these patches available soon.”

RCE Vulnerabilities

 

CVE-2022-221846, CVE-2022-221855, and CVE-2022-221969 were all remote code execution vulnerabilities. Each received a CVSS score of 9/10. These vulnerabilities affect Microsoft Exchange Server. These vulnerabilities were discovered by three different researchers, including the National Security Agency.

Breen states that “An important caveat is that they’re listed as ‘network-adjacent,’ which means an attacker must have access to the local networks via an existing compromised host.” “Attacks to exploit this component would be part of the phases of the lateral movement, not the initial infection vector.”

He claims that this isn’t the first time Microsoft Exchange Server has been affected by exploits or patches. In fact, the Hafnium APT team used a number of exploits in January 2021.

Other vulnerabilities

DirectX Graphics are affected by CVE-2022-291912 and CVE-2022-2898. CVE-2022-21917 refers to a vulnerability in Windows Codecs Library. While most systems should be patched automatically, Wiseman states that some organizations may have the vulnerable codec installed on their gold images. This could disable Windows Store updates.

Zero-Days

Microsoft’s most recent patch release includes six zero-day vulnerabilities, which were publicly disclosed by Microsoft. These vulnerabilities are not currently being exploited.

CVE-2022-21919

CVE-2022-2191919 is a Windows user profile vulnerability that allows for the elevation of privilege. It affects Windows 7 as well as server 2008, and later Windows versions.

An analysis shared by ISMG shows that Tyler Reguly (manager of security research at Tripwire) said this vulnerability was a bypass for CVE-2021-34484 released by researcher Abdelhamid Naci (see Report: No Patch to Microsoft Privilege Escalation Zero Day).

“The bypass was first reported by the researcher on October 22. He shared links to proof of concept. Naceri claims that the initial fix to CDirectoryRemove only removed it based on the proof of concept. Reguly states that it did not fix the underlying problem.

CVE-2021-36976

CVE-2021-36976 describes a Libarchive remote execution vulnerability. It involves an issue in the libarchive program, which Windows uses. Reguly states that the vulnerability was discovered by OSS-Fuzz on March 2021, and reported to Microsoft in June 2021.

CVE-2022-21836

CVE-2022-21836, a Windows certificate spoofing vulnerability, was first reported by Eclypsium in a blog post on September 23, 2021.

This vulnerability could be exploited by using expired or revoked certificates, which could be used for bypassing binary verification in Windows Platform Binary Table.

“Microsoft has fixed a spoofing vulnerability that affected Windows Server 2008 and Windows 7 as well as server 2008, and later Windows OS versions,” says Chris Goetttt. He has also added the certificates to the Windows kernel block list, driver.Stl. “Certificates on the driver.Stl” will be blocked, even if they are present in the Windows Platform Binary Table,” Chris Goettl (Vice President of Product Management at Ivanti).

CVE-2022-21839

CVE-20222-21839 refers to a Windows event that traces discretionary access control lists, or DACL denial-of-service vulnerability. It affects Windows 10 1809, and Server 2019 versions.

Reguly explains that DACLs are access control lists that identify who can access Windows objects and if an object doesn’t have a DACL, it will give everyone access.

CVE-2022-21874

CVE-2022-21874 refers to a remote code execution vulnerability in the Windows Security Center API. This vulnerability affects Windows 10 and Server 2016 as well as later Windows OS versions. Reguly informs ISMG that the vulnerability is local and requires user interaction. However, it could lead to a complete compromise of confidentiality integrity, and availability.

CVE-2021-22947

CVE-2021-22947, an open-source vulnerability in remote code execution using curl, was first discovered in 2009. It was fixed in September 2021. This vulnerability affects Windows 10/Server 2019 and later Windows OS versions.

Reguly claims it’s a “man-in-the-middle” flaw. Traffic that isn’t protected by TLS can be infected by communication between client and server. This traffic will then be processed by curl as it came from TLS-protected connections.

more information : venmo

Comments

Popular posts from this blog

Zooqle (2022) – Largest Website For Downloading Torrents Files

Torrenting Websites Here’s a new list of the most popular torrent hotspots right now. TorLock is a fast web-based BitTorrent search engine that shows just torrents of search. We have produced a list of the finest torrent video sites to allow the viewing of torrents online along similar lines! You also have to use it without Utorrent to examine data and download torrents via HTTP (IDM). Virtual Private Networks, or VPNs, jumble your site visitors’ data and route it via their own employees. Find below some steps to download torrent files through Zoogle. 01Torrent is a free torrent service where users can download the latest movies, music, TV programs, capacities, games, books, anime, programming projects, and much more. This website also does not require registration to use. RARBG is a website where you may search for torrents to download media files such as movies, TV shows, and programming, as well as music, capacities, books, and a variety of other things...

How to Fix “PAGE FAULT IN NONPAGED AREA”?

 In the Windows operating system, the nonpaged area is a particular part of the memory that contains critical files your computer needs in order to function properly. These critical files are stored in the nonpaged area so that the RAM won’t keep switching them back and forth between itself and the paged area. If there happens to be an issue with this part of the RAM, the system runs into a PAGE-FAULT_IN_NONPAGED_AREA error and shows a BSOD (blue screen of death).  In today’s blog post, we will be covering how you can fix this issue and what are the different reasons which cause a Nonpaged Area error. So let’s begin. Reasons for Page Fault in Nonpaged Area Error This error typically occurs when a system is unable to access a specific page of memory that should be present in non-paged pool memory.  This can be caused by a variety of issues such as: Issues with device drivers. Problems with the system's physical memory. Conflicts with the system's virtual memory ma...

Creating a video player app using React Native framework

If you are on a journey to learning the full utility of React Native framework, you must know the use of the expo-av React Native package in creating a video player app. Here, you will also get the code snippets and the steps of running the project on a virtual device. So, let’s get into this journey. Table of Contents What are the prerequisite criteria? Installing expo-av package as dependencies Creating the codebase for the project Testing the app on the virtual device What are the prerequisite criteria? The first criterion that you have to meet is to set up your development system and get all the required software installed in your system. This is a common practice that every developer of  React Native app development company  engages with before starting off their development journey with the React Native framework. If you are using the React Native framework for the first time, you should not skip this installation step. However, if this setup is already done in your syst...