Microsoft on Tuesday kicked off its first set of updates for 2022 by plugging 96 security holes throughout its software ecosystem, although urging customers to prioritize patching for what it phone calls a critical “wormable” vulnerability.
Of the 96 vulnerabilities, nine are rated Critical and 89 are rated Significant in severity, with 6 zero-day publicly regarded at the time of the release. This is in addition to 29 issues patched in Microsoft Edge on January 6, 2022. None of the disclosed bugs are detailed as beneath attack.
The patches include a swath of the computing giant’s portfolio, which include Microsoft Windows and Windows Components, Exchange Server, Microsoft Place of work and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open up-Source Software package, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP).
Main among them is CVE-2022-21907 (CVSS rating: 9.8), a remote code execution vulnerability rooted in the HTTP Protocol Stack. “In most cases, an unauthenticated attacker could mail a specifically crafted packet to a qualified server employing the HTTP Protocol Stack (http.sys) to course of action packets,” Microsoft observed in its advisory.
Russian security researcher Mikhail Medvedev has been credited with getting and reporting the mistake, with the Redmond-based mostly organization stressing that it can be wormable, which means no user interaction is essential to set off and propagate the infection.
“Despite the fact that Microsoft has offered an official patch, this CVE is an additional reminder that software package options enable opportunities for attackers to misuse functionalities for malicious functions,” Danny Kim, principal architect at Virsec, explained.
Microsoft also solved 6 zero-days as element of its Patch Tuesday update, two of which are an integration of third-social gathering fixes regarding the open-resource libraries curl and libarchive.
- CVE-2021-22947 (CVSS rating: N/A) – Open-Supply curl Distant Code Execution Vulnerability
- CVE-2021-36976 (CVSS score: N/A) – Open up-resource libarchive Distant Code Execution Vulnerability
- CVE-2022-21836 (CVSS rating: 7.8) – Windows Certification Spoofing Vulnerability
- CVE-2022-21839 (CVSS score: 6.1) – Windows Event Tracing Discretionary Access Regulate List Denial of Company Vulnerability
- CVE-2022-21874 (CVSS rating: 7.8) – Windows Security Middle API Remote Code Execution Vulnerability
- CVE-2022-21919 (CVSS rating: 7.) – Windows Person Profile Service Elevation of Privilege Vulnerability
A different critical vulnerability of be aware worries a remote code execution flaw (CVE-2022-21849, CVSS score: 9.8) in Windows Internet Key Exchange (IKE) variation 2, which Microsoft reported could be weaponized by a distant attacker to “cause many vulnerabilities without getting authenticated.”
On best of that, the patch also remediates a selection of remote code execution flaws impacting Exchange Server, Microsoft Place of work (CVE-2022-21840), SharePoint Server, RDP, and Windows Resilient File Program as properly as privilege escalation vulnerabilities in Active Directory Domain Services, Windows Accounts Control, Windows Cleanup Manager, and Windows Kerberos, among other folks.
It is worthy of stressing that CVE-2022-21907 and the 3 shortcomings uncovered in Exchange Server (CVE-2022-21846, CVE-2022-21855, and CVE-2022-21969, CVSS scores: 9.) have all been labeled as “exploitation a lot more probable,” necessitating that the patches are utilized quickly to counter prospective serious-world attacks concentrating on the weaknesses. The U.S. National Security Agency (NSA) has been acknowledged for flagging CVE-2022-21846.
“This substantial Patch Tuesday will come for the duration of a time of chaos in the security industry whereby professionals are functioning extra time to remediate Log4Shell — reportedly the worst vulnerability noticed in decades,” Bharat Jogi, director of vulnerability and threat Investigate at Qualys, stated.
“Gatherings this kind of as Log4Shell […] bring to the forefront the great importance of acquiring an automated stock of every thing that is utilised by an corporation in their setting,” Jogi additional, stating “It is the want of the hour to automate deployment of patches for situations with described schedules (e.g., MSFT Patch Tuesday), so security professionals can concentrate electricity to react competently to unpredictable events that pose dastardly risk.”
Software package Patches from Other Suppliers
Besides Microsoft, security updates have also been launched by other suppliers to rectify many vulnerabilities, counting —
- Adobe
- Android
- Cisco
- Citrix
- Google Chrome
- Linux distributions Oracle Linux, Crimson Hat, and SUSE
- Mozilla Firefox, Firefox ESR, and Thunderbird
- Samba
- SAP
- Schneider Electric
- Siemens
- VMware, and
- WordPress
Uncovered this short article appealing? Observe THN on Facebook, Twitter and LinkedIn to browse additional unique content we publish.
Some parts of this article are sourced from:
thehackernews.com