Microsoft kicked off the year with a massive round of vulnerability fixes: its first regular Tuesday update of the year covers a total of 96 vulnerabilities, and the company also issued several other fixes for the Microsoft Edge browser (mostly related to the Chromium engine). In total, more than 120 vulnerabilities have been patched since the beginning of the year. This is a clear reason to update the operating system and some Microsoft applications as soon as possible.
The most serious vulnerabilities
Nine of the vulnerabilities closed on Tuesday are rated critical on the CVSS 3.1 scale. Of these, two are related to privilege escalation: CVE-2022-21833 in the virtual IDE drive and CVE-2022-21857 in Active Directory Domain Services. Exploitation of the other seven can give the attacker the ability to execute code remotely:
This last one seems to be the most unpleasant vulnerability. A flaw in the HTTP protocol stack theoretically allows attackers not only to make the affected computer execute arbitrary code, but also to propagate the attack over the local network (in Microsoft terminology, the vulnerability is classified as wormable, that is, it can be used to create a worm). This vulnerability is relevant to Windows 10, Windows 11, Windows Server 2022, and Windows Server 2019. However, according to Microsoft, it is dangerous for users of Windows Server 2019 and Windows 10 version 1809 only if they have enabled HTTP Trailer Support using the EnableTrailerSupport key in the registry.
Experts also raised concerns about another serious vulnerability, this one in Microsoft Exchange Server: CVE-2022-21846 (which, by the way, is not the only flaw on the list, only the most dangerous). The concern is understandable, as no one wants a repeat of last year's wave of exploited Exchange vulnerabilities.
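The conditional exposure described above can be turned into a patch-priority triage over collected registry exports. This is an added example, not code from the article or from Microsoft; it assumes each host's export is of the key Microsoft's advisory names and that a non-zero EnableTrailerSupport DWORD means the feature is on. Hostnames, the inventory layout and the function names are constructed for illustration.

```python
import re

# Products the article lists as affected by the HTTP protocol stack flaw.
AFFECTED = {"Windows 10", "Windows 11", "Windows Server 2019", "Windows Server 2022"}
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def dword_values(reg_export: str) -> dict:
    """Return every DWORD in a decoded .reg export, keyed by lower-cased name."""
    values = {}
    for line in reg_export.splitlines():
        m = DWORD_RE.match(line.strip())
        if m:
            values[m.group(1).lower()] = int(m.group(2), 16)  # names are case-insensitive
    return values

def exposure(product: str, release: str, reg_export: str) -> str:
    """Classify one unpatched host as 'exposed', 'not-exposed' or 'not-listed'."""
    if product not in AFFECTED:
        return "not-listed"
    conditional = product == "Windows Server 2019" or (product, release) == ("Windows 10", "1809")
    if not conditional:
        return "exposed"  # affected in its default configuration
    # Assumption: any non-zero EnableTrailerSupport DWORD means the feature is on.
    enabled = dword_values(reg_export).get("enabletrailersupport", 0) != 0
    return "exposed" if enabled else "not-exposed"

def patch_first(inventory: list) -> list:
    """Hostnames that should be patched first, in sorted order."""
    return sorted(h["host"] for h in inventory
                  if exposure(h["product"], h["release"], h["reg"]) == "exposed")

# Constructed sample data; the key path is a placeholder, not a real registry path.
KEY = "[HKEY_LOCAL_MACHINE\\<key named in Microsoft's advisory>]\n"
INVENTORY = [
    {"host": "web01", "product": "Windows Server 2019", "release": "1809",
     "reg": KEY + '"EnableTrailerSupport"=dword:00000001\n'},
    {"host": "web02", "product": "Windows Server 2019", "release": "1809",
     "reg": KEY + '"SampleOtherValue"=dword:00000400\n'},
    {"host": "app01", "product": "Windows Server 2022", "release": "21H2", "reg": KEY},
    {"host": "pc-17", "product": "Windows 10", "release": "1809",
     "reg": KEY + '"enabletrailersupport"=dword:00000000\n'},
    {"host": "pc-42", "product": "Windows 10", "release": "21H2", "reg": KEY},
    {"host": "old-fs", "product": "Windows Server 2016", "release": "1607", "reg": KEY},
]

print(patch_first(INVENTORY))
```

A "not-exposed" result only lowers a host's priority; the update still has to be installed, since the registry value can be switched on later.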
The security community was already aware of some of the fixed vulnerabilities, and someone has already posted proofs of concept for these:
- CVE-2022-21836 — Windows Certificate Forgery Vulnerability
- CVE-2022-21839 — Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability
- CVE-2022-21919 — Windows User Profile Service Elevation of Privilege Vulnerability
We have not yet observed actual attacks exploiting these vulnerabilities. However, proofs of concept are already publicly available, so exploitation can happen at any time.
How to protect yourself
First of all, you need to update your operating system (and other Microsoft programs) as soon as possible. In general, it’s a good idea not to delay the installation of patches for critical software.
Second, any computer or server connected to the Internet must be equipped with a trusted security solution that can not only prevent the exploitation of known vulnerabilities, but also detect attacks with exploits that are still unknown.