For January, Microsoft released patches today for 96 new CVEs in Microsoft Windows and Windows Components, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Source Software, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP). This is in addition to the 24 CVEs patched by Microsoft Edge (Chromium-based) earlier this month and 2 other CVEs previously fixed in open-source projects. This brings the January total to 122 CVEs.

This is an unusually large update for January. Over the last few years, the average number of patches released in January is about half this volume. We’ll see if this volume continues throughout the year. It’s certainly a change from the smaller releases that ended 2021.

Of the CVEs patched today, nine are rated Critical and 89 are rated Important in severity. A total of five of these bugs came through the ZDI program. Six of these bugs are listed as publicly known at the time of release, but none are listed as under active attack. Let’s take a closer look at some of the more interesting updates for this month, starting with a bug in http.sys listed as wormable:

CVE-2022-21907 – HTTP Protocol Stack Remote Code Execution Vulnerability
This bug could allow an attacker to gain code execution on an affected system by sending specially crafted packets to a system utilizing the HTTP Protocol Stack (http.sys) to process packets. No user interaction, no privileges required, and an elevated service add up to a wormable bug. And while this is definitely more server-centric, remember that Windows clients can also run http.sys, so affected client versions are exposed to this bug as well. Test and deploy this patch quickly.

CVE-2022-21846 – Microsoft Exchange Server Remote Code Execution Vulnerability
Yet another Exchange RCE bug, and another Exchange bug reported by the National Security Agency. This is one of three Exchange RCEs being fixed this month, but this is the only one marked Critical. All are listed as being network adjacent in the CVSS score, so an attacker would need to be tied to the target network somehow. Still, an insider or attacker with a foothold in the target network could use this bug to take over the Exchange server.

CVE-2022-21840 – Microsoft Office Remote Code Execution Vulnerability
Most Office-related RCE bugs are Important severity since they require user interaction and often have warning dialogs, too. However, this bug is listed as Critical. That normally means the Preview Pane is an attack vector, but that’s also not the case here. Instead, this bug is likely Critical due to the lack of warning dialogs when opening a specially crafted file. There are also multiple patches to address this bug, so be sure you apply all available patches. Unfortunately, if you’re running Office 2019 for Mac or Microsoft Office LTSC for Mac 2021, you’re out of luck because there are no patches available for these products. Let’s hope Microsoft makes these patches available soon.

CVE-2022-21857 – Active Directory Domain Services Elevation of Privilege Vulnerability
This patch fixes a bug that allowed attackers to elevate privileges across an Active Directory trust boundary under certain conditions. Although privilege escalations generally rate an Important severity rating, Microsoft deemed the flaw severe enough for a Critical rating. This does require some level of privileges, so again, an insider or other attacker with a foothold in a network could use this for lateral movement and maintaining a presence within an enterprise.

Here’s the full list of CVEs released by Microsoft for January 2022:

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2021-22947 * | Open Source Curl Remote Code Execution Vulnerability | Critical | N/A | Yes | No | RCE |
| CVE-2021-36976 * | Libarchive Remote Code Execution Vulnerability | Important | N/A | Yes | No | RCE |
| CVE-2022-21836 | Windows Certificate Spoofing Vulnerability | Important | 7.8 | Yes | No | Spoofing |
| CVE-2022-21839 | Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability | Important | 6.1 | Yes | No | DoS |
| CVE-2022-21874 | Windows Security Center API Remote Code Execution Vulnerability | Important | 7.8 | Yes | No | RCE |
| CVE-2022-21919 | Windows User Profile Service Elevation of Privilege Vulnerability | Important | 7 | Yes | No | EoP |
| CVE-2022-21857 | Active Directory Domain Services Elevation of Privilege Vulnerability | Critical | 8.8 | No | No | EoP |
| CVE-2022-21912 | DirectX Graphics Kernel Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2022-21898 | DirectX Graphics Kernel Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2022-21917 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2022-21907 | HTTP Protocol Stack Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2022-21846 | Microsoft Exchange Server Remote Code Execution Vulnerability | Critical | 9 | No | No | RCE |
| CVE-2022-21840 | Microsoft Office Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2022-21833 | Virtual Machine IDE Drive Elevation of Privilege Vulnerability | Critical | 7.8 | No | No | EoP |
| CVE-2022-21911 | .NET Framework Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-21869 | Clipboard User Service Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-21865 | Connected Devices Platform Service Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-21918 | DirectX Graphics Kernel File Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2022-21913 | Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass | Important | 5.3 | No | No | SFB |
| CVE-2022-21884 | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-21910 | Microsoft Cluster Port Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-21835 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-21871 | Microsoft Diagnostics Hub Standard Collector Runtime Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-21891 | Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability | Important | 7.6 | No | No | Spoofing |
| CVE-2022-21932 | Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability | Important | 7.6 | No | No | XSS |
| CVE-2022-21970 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important | 6.1 | No | No | EoP |
| CVE-2022-21841 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-21855 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 9 | No | No | RCE |
| CVE-2022-21969 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 9 | No | | |

With thanks to the Patchmanagement.org team!