The first Windows security Patch Tuesday of 2022 is here, and it opens the year with a bit of a bang. Microsoft fixed a total of 96 new CVEs in today’s patch release. In comparison, that number was 67 in the last Patch Tuesday. In fact, this is an unusually large patch release volume for January. January has had the lowest number of CVEs patched in a batch release for the last couple of years — typically about half as many as those fixed today. Plus, this is a long way from the relatively small Patch Tuesday releases we saw throughout 2021.
Browse our blog for Patch Tuesday patch reviews from previous months.
And that’s not the whole picture either. Earlier this month, Microsoft patched a total of 24 vulnerabilities in Microsoft Edge (Chromium-based), and two more CVEs were fixed in independent open-source projects. This brings the total number of CVEs fixed in January (so far) to 122.
Of the 98 patches released today (including the two patches released earlier in open-source projects), nine were rated Critical, and the remaining 89 were rated Important. Also, among these were patches for six publicly known zero-day bugs. Here are the main highlights of the patches released this Tuesday:
The Six Zero-Day Fixes
Microsoft fixed six zero-days today. Although they were all publicly disclosed, luckily, there were no reports of any wild exploits before the patch release. However, all the zero-days’ proof-of-concept exploits are already available, so threat actors might soon exploit vulnerable systems that remain unpatched. The zero-days are tracked as:
- CVE-2022-21839: Windows Event Tracing Discretionary Access Control List DoS. (CVSS 6.1, Important).
- CVE-2022-21836: Windows Certificate spoofing CVE. (CVSS 7.8, Important).
- CVE-2022-21919: Windows User Profile Service Elevation of Privilege flaw. (CVSS 7, Important).
- CVE-2022-21874: A local Windows Security Center API RCE vulnerability. (CVSS 7.8, Important).
- CVE-2021-36976: MITRE assigned CVE: An open-source Libarchive RCE bug. (Important).
- CVE-2021-22947: HackerOne assigned CVE: An open-source Curl RCE. (Critical)
Libarchive CVE-2021-36976 and Curl CVE-2021-22947 bugs were actually fixed earlier this month by their respective maintainers, but it’s only now that Microsoft included them in an official patch rollout.
Other CVEs Worth Mentioning
CVE-2022-21857 – Active Directory Domain Services EoP Vulnerability: This scores an 8.8 CVSS with a Critical rating. An attacker could get across Active Directory’s trust borders through this flaw. Although the attack complexity is low, Microsoft says an exploit is less likely. This is because the attacker needs to have already gained access to the network to exploit the CVE for lateral movement.
CVE-2022-21907 – HTTP Protocol Stack RCE: With a 9.8 CVSS score, this critical vulnerability could allow an attacker to run code on an affected system by utilizing http.sys to send specially crafted packets. Such an exploit would not require user interaction or privileged access to the system.
CVE-2022-21840 – Microsoft Office RCE: This bug is rated Critical with an 8.8 CVSS score, unusual for a Microsoft Office CVE. According to Microsoft, the Preview Pane is not an attack vector in this case, but the lack of warning dialogs when launching malicious files makes the vulnerability dangerous. There are several patches for this flaw, depending on the Office version. But as of today, there are no available patches for Microsoft Office LTSC for Mac 2021 or Office 2019 for Mac.
This concludes our brief overview of January’s Microsoft security updates Patch Tuesday. Read this month’s Patch Tuesday release notes to get the complete Microsoft Patch Tuesday list and more information on the CVEs addressed today.
The next Patch Tuesday falls on February the 8th, so stay tuned for more Microsoft Patch Tuesday news and updates in the coming month.
And remember, Action1 can help you solve any Microsoft Patch Tuesday issues, from sourcing and installing patches to managing patch compatibility. We also provide patch automation solutions to streamline patching on multiple Windows systems, including remote servers and endpoints. Try our patch management system today and sample unmatched patching efficiency, speed, and freedom.