First Patch Tuesday of 2022 Brings Fix for a Critical ‘Wormable’ Windows Vulnerability

Cyber Security

Microsoft on Tuesday kicked off its first set of updates for 2022 by plugging 96 security holes across its software ecosystem, while urging customers to prioritize patching for what it calls a critical “wormable” vulnerability.

Of the 96 vulnerabilities, nine are rated Critical and 89 are rated Important in severity, with six zero-day publicly known at the time of the release. This is in addition to 29 issues patched in Microsoft Edge on January 6, 2022. None of the disclosed bugs are listed as under attack.

The patches cover a swath of the computing giant’s portfolio, including Microsoft Windows and Windows Components, Exchange Server, Microsoft Office and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Source Software, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP).

Chief among them is CVE-2022-21907 (CVSS score: 9.8), a remote code execution vulnerability rooted in the HTTP Protocol Stack. “In most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets,” Microsoft noted in its advisory.

Russian security researcher Mikhail Medvedev has been credited with discovering and reporting the error, with the Redmond-based company stressing that it’s wormable, meaning no user interaction is necessary to trigger and propagate the infection.

“Although Microsoft has provided an official patch, this CVE is another reminder that software features allow opportunities for attackers to misuse functionalities for malicious acts,” Danny Kim, principal architect at Virsec, said.

Microsoft also resolved six zero-days as part of its Patch Tuesday update, two of which are an integration of third-party fixes concerning the open-source libraries curl and libarchive.

  • CVE-2021-22947 (CVSS score: N/A) – Open-Source curl Remote Code Execution Vulnerability
  • CVE-2021-36976 (CVSS score: N/A) – Open-source libarchive Remote Code Execution Vulnerability
  • CVE-2022-21836 (CVSS score: 7.8) – Windows Certificate Spoofing Vulnerability
  • CVE-2022-21839 (CVSS score: 6.1) – Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability
  • CVE-2022-21874 (CVSS score: 7.8) – Windows Security Center API Remote Code Execution Vulnerability
  • CVE-2022-21919 (CVSS score: 7.0) – Windows User Profile Service Elevation of Privilege Vulnerability

Another critical vulnerability of note concerns a remote code execution flaw (CVE-2022-21849, CVSS score: 9.8) in Windows Internet Key Exchange (IKE) version 2, which Microsoft said could be weaponized by a remote attacker to “trigger multiple vulnerabilities without being authenticated.”

On top of that, the patch also remediates a number of remote code execution flaws affecting Exchange Server, Microsoft Office (CVE-2022-21840), SharePoint Server, RDP, and Windows Resilient File System as well as privilege escalation vulnerabilities in Active Directory Domain Services, Windows Accounts Control, Windows Cleanup Manager, and Windows Kerberos, among others.

It’s worth stressing that CVE-2022-21907 and the three shortcomings uncovered in Exchange Server (CVE-2022-21846, CVE-2022-21855, and CVE-2022-21969, CVSS scores: 9.0) have all been labeled as “exploitation more likely,” necessitating that the patches are applied immediately to counter potential real-world attacks targeting the weaknesses. The U.S. National Security Agency (NSA) has been acknowledged for flagging CVE-2022-21846.

“This massive Patch Tuesday comes during a time of chaos in the security industry whereby professionals are working overtime to remediate Log4Shell — reportedly the worst vulnerability seen in decades,” Bharat Jogi, director of vulnerability and threat Research at Qualys, said.

“Events such as Log4Shell […] bring to the forefront the importance of having an automated inventory of everything that is used by an organization in their environment,” Jogi added, stating “It is the need of the hour to automate deployment of patches for events with defined schedules (e.g., MSFT Patch Tuesday), so security professionals can focus energy to respond efficiently to unpredictable events that pose dastardly risk.”

Software Patches from Other Vendors

Besides Microsoft, security updates have also been released by other vendors to rectify several vulnerabilities, counting —