Microsoft has released patches for nearly 100 vulnerabilities this Patch Tuesday, including three Exchange remote code execution bugs and an HTTP protocol stack remote code execution vulnerability.
Despite the unusually large amount of patches to start the year, none are listed as being actively exploited. However, six are listed as publicly known at the time of release.
In addition to those bugs, Microsoft patched 24 vulnerabilities in Microsoft Edge and two others fixed in open-source projects earlier this month, bringing the total amount of software flaws patched in January to 122.
Zero Day Initiative, the bug disclosure arm of Trend Micro, highlights several of the bugs patched in its monthly blog that comes on Patch Tuesday.
According to ZDI, nine of the bugs are rated critical and 89 are rated important. Here’s a look at some of this month’s vulnerabilities that admins are being urged to patch:
CVE-2022-21907 – HTTP Protocol Stack Remote Code Execution Vulnerability
This bug comes with a CVSS score on 9.8, so it’s one to prioritize when patching. According to ZDI, this flaw could allow an attacker to gain remote code execution (RCE) on an affected system by sending specially crafted packets to a system utilizing the HTTP Protocol Stack to process packets.
“No user interaction, no privileges required, and an elevated service add up to a wormable bug,” ZDI says in the blog. “And while this is definitely more server-centric, remember that Windows clients can also run http.sys, so all affected versions are affected by this bug. Test and deploy this patch quickly.”
CVE-2022-21846 – Microsoft Exchange Server Remote Code Execution Vulnerability
This Exchange RCE bug was reported by the National Security Agency, so it is another one to prioritize. It is one of three Exchange RCE flaws patched this month, but the only one marked critical, with a CVSS score of 9. ZDI notes that all three are listed as adjacent in the CVSS score, so an attacker would need to be tied to the target network. However, an insider or attacker with access to the target network can use these flaws to take over the server.
CVE-2022-21840 – Microsoft Office Remote Code Execution Vulnerability
This vulnerability gets a CVSS score of 8.8 and is listed as critical, so it’s another to patch quickly. According to ZDI, the bug is likely listed as such due to a lack of warning dialogs when opening a specially crafted file, as most Office-related RCE bugs require user interaction. This bug also requires multiple patches to fix, so admins should make sure they apply all patches.
“Unfortunately, if you’re running Office 2019 for Mac and Microsoft Office LTSC for Mac 2021, you’re out of luck because there are no patches available for these products,” ZDI notes. “Let’s hope Microsoft makes these patches available soon.”
CVE-2022-21857 – Active Directory Domain Services Elevation of Privilege Vulnerability
This bug, also rated critical, could allow an attacker to elevate privileges across an Active Directory trust boundary under certain conditions, ZDI says. An attacker would need some level of privileges, but an attacker already with access to a network could use this for lateral movement and other nefarious activities, ZDI notes.
Other Microsoft patches noted by ZDI fix other critical-rated patches that impact DirectX and HEVC video extensions that could allow attackers to execute code if a user views a specially crafted media file.
There are also more than 20 less severe bugs that could lead to remote code execution, but many of them require physical access, ZDI notes.
According to ZDI, Adobe also released patches that address 41 vulnerabilities in Acrobat, Reader, Illustrator, Adobe Bride, InCopy and InDesign. A majority of these bugs (26) are in Acrobat and Reader, including a remote code execution flaw from a specially crafted PDF. Several of those bugs were recently demonstrated, so in-the-wild exploits are a possibility.