9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
Microsoft on Tuesday kicked off its first set of updates for 2022 by plugging 96 security holes across its software ecosystem, while urging customers to prioritize patching for what it calls a critical โwormableโ vulnerability.
Of the 96 vulnerabilities, nine are rated Critical and 89 are rated Important in severity, with six zero-day publicly known at the time of the release. This is in addition to 29 issues patched in Microsoft Edge on January 6, 2022. None of the disclosed bugs are listed as under attack.
The patches cover a swath of the computing giantโs portfolio, including Microsoft Windows and Windows Components, Exchange Server, Microsoft Office and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Source Software, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP).
Chief among them is CVE-2022-21907 (CVSS score: 9.8), a remote code execution vulnerability rooted in the HTTP Protocol Stack. โIn most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets,โ Microsoft noted in its advisory.
Russian security researcher Mikhail Medvedev has been credited with discovering and reporting the error, with the Redmond-based company stressing that itโs wormable, meaning no user interaction is necessary to trigger and propagate the infection.
โAlthough Microsoft has provided an official patch, this CVE is another reminder that software features allow opportunities for attackers to misuse functionalities for malicious acts,โ Danny Kim, principal architect at Virsec, said.
Microsoft also resolved six zero-days as part of its Patch Tuesday update, two of which are an integration of third-party fixes concerning the open-source libraries curl and libarchive.
Another critical vulnerability of note concerns a remote code execution flaw (CVE-2022-21849, CVSS score: 9.8) in Windows Internet Key Exchange (IKE) version 2, which Microsoft said could be weaponized by a remote attacker to โtrigger multiple vulnerabilities without being authenticated.โ
On top of that, the patch also remediates a number of remote code execution flaws affecting Exchange Server, Microsoft Office (CVE-2022-21840), SharePoint Server, RDP (CVE-2022-21893), and Windows Resilient File System as well as privilege escalation vulnerabilities in Active Directory Domain Services, Windows Accounts Control, Windows Cleanup Manager, and Windows Kerberos, among others.
Itโs worth stressing that CVE-2022-21907 and the three shortcomings uncovered in Exchange Server (CVE-2022-21846, CVE-2022-21855, and CVE-2022-21969, CVSS scores: 9.0) have all been labeled as โexploitation more likely,โ necessitating that the patches are applied immediately to counter potential real-world attacks targeting the weaknesses. The U.S. National Security Agency (NSA) has been acknowledged for flagging CVE-2022-21846.
โThis massive Patch Tuesday comes during a time of chaos in the security industry whereby professionals are working overtime to remediate Log4Shell โ reportedly the worst vulnerability seen in decades,โ Bharat Jogi, director of vulnerability and threat Research at Qualys, said.
โEvents such as Log4Shell [โฆ] bring to the forefront the importance of having an automated inventory of everything that is used by an organization in their environment,โ Jogi added, stating โIt is the need of the hour to automate deployment of patches for events with defined schedules (e.g., MSFT Patch Tuesday), so security professionals can focus energy to respond efficiently to unpredictable events that pose dastardly risk.โ
Besides Microsoft, security updates have also been released by other vendors to rectify several vulnerabilities, counting โ
Found this article interesting? Follow THN on Facebook, Twitter ๏ and LinkedIn to read more exclusive content we post.
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C