
Microsoft takes aim at critical RCE flaws with "massive" Patch Tuesday update

Microsoft has kicked off 2022 with a score of security fixes for critical-rated vulnerabilities in some of the most widely deployed products in business environments around the world

Microsoft has fixed a total of 98 security vulnerabilities as part of its January 2022 Patch Tuesday update released this week, including 29 remote code execution (RCE) flaws and six zero-days.

Of the 98 total vulnerabilities, nine were rated 'critical' under Microsoft's own severity scale, which is separate from the CVSS score (one of the nine carries a CVSS score below nine, see below). Among the most severe issues patched were a pair of RCEs, both scored 9.8/10, affecting the Windows HTTP Protocol Stack and the Windows Internet Key Exchange (IKE) extension.

The HTTP Protocol Stack flaw, tracked as CVE-2022-21907, affects Windows systems running http.sys, the kernel-mode driver that IIS and other Windows web listeners are built on, so a server does not need IIS installed to be exposed. An unauthenticated attacker can send specially crafted packets to a targeted server and have them processed by the HTTP Protocol Stack. Microsoft also said the issue is wormable and recommends patching all affected servers as a priority task. One caveat from Microsoft's advisory: Windows Server 2019 and Windows 10 version 1809 are not vulnerable by default and only become so if HTTP trailer support has been enabled through the EnableTrailerSupport registry value.

Another of the more serious flaws Microsoft patched this week affects the Windows IKE extension, though Microsoft has been tight-lipped on the full details of the problem.

"CVE-2022-21907 is a particularly dangerous CVE because of its ability to allow for an attacker to affect an entire intranet once the attack succeeds," said Danny Kim, principal architect at Virsec, to IT Pro.

"Although Microsoft has provided an official patch, this CVE is another reminder that software features allow opportunities for attackers to misuse functionalities for malicious acts," he added. "Instead of trying to continuously patch and identify these vulnerabilities, enterprises should look for a real-time monitoring solution to safeguard applications and their functionalities from these types of attacks."

The IKE RCE vulnerability, tracked as CVE-2022-21849, can be exploited with 'low complexity', according to Microsoft's patch notes, and allows unauthenticated attackers to trigger multiple vulnerabilities when the IPsec service is running on Windows. Microsoft notes that only systems with the IPsec service running are affected, so hosts that do not use IPsec are not exposed.
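For the two 9.8-rated bugs above, the first thing a Windows administrator wants to know is whether a given host actually meets the preconditions Microsoft described (http.sys serving requests, the trailer-support setting on 1809/Server 2019, the IPsec service running) and whether a January 2022 update has landed. The following PowerShell script is an added example for this article, not code from IT Pro or Microsoft. It does not probe for the vulnerabilities themselves; it only reports exposure preconditions and patch state. The assumption that any hotfix installed on or after 11 January 2022 indicates the January cumulative update is a heuristic and is labelled as such in the code; confirm against the KB number for your specific build.

```powershell
# Added example, not code from the IT Pro article or from Microsoft.
# Local pre-flight check for CVE-2022-21907 (http.sys) and CVE-2022-21849 (IKE):
# does this host meet the preconditions Microsoft described, and has a
# January 2022 update been installed? It does NOT test the vulnerabilities.
# Run from an elevated PowerShell prompt. Assumed details are marked "assumption".

$januaryPatchTuesday = Get-Date -Year 2022 -Month 1 -Day 11 -Hour 0 -Minute 0 -Second 0

# ---------- CVE-2022-21907: HTTP Protocol Stack (http.sys) ----------
# http.sys is a kernel driver, so query Win32_SystemDriver rather than Get-Service.
$httpDriver  = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='HTTP'"
$httpRunning = ($null -ne $httpDriver) -and ($httpDriver.State -eq 'Running')

# URL reservations show which prefixes http.sys is serving (IIS, WinRM, WSUS, ...).
$urlReservations = @((netsh http show urlacl) | Where-Object { $_ -match 'Reserved URL' })

# Microsoft's advisory: Windows Server 2019 and Windows 10 1809 (both build 17763)
# are only affected if HTTP trailer support was switched on with this DWORD.
$build          = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
$trailerKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$trailerSupport = (Get-ItemProperty -Path $trailerKey -Name EnableTrailerSupport `
                   -ErrorAction SilentlyContinue).EnableTrailerSupport
$httpExposed    = $httpRunning -and (($build -ne 17763) -or ($trailerSupport -eq 1))

# ---------- CVE-2022-21849: Windows IKE extension ----------
# Microsoft: only systems with the IPsec service running are vulnerable.
# IKEEXT is the "IKE and AuthIP IPsec Keying Modules" service.
$ikeService = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
$ikeRunning = ($null -ne $ikeService) -and ($ikeService.Status -eq 'Running')
# IKE and IPsec NAT-T listen on UDP 500 and 4500; a bound socket means the
# service is reachable from the network, not just loaded.
$ikeSockets = @(Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
                Where-Object { $_.LocalPort -in 500, 4500 })

# ---------- Patch state ----------
# Assumption (heuristic): a hotfix installed on or after 11 Jan 2022 means the
# January cumulative update is present. Verify against the KB for your build.
$recentHotfixes = @(Get-HotFix |
                    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $januaryPatchTuesday })

[pscustomobject]@{
    Host                     = $env:COMPUTERNAME
    OSBuild                  = $build
    HttpSysRunning           = $httpRunning
    HttpUrlReservations      = $urlReservations.Count
    EnableTrailerSupport     = $trailerSupport
    ExposedTo_CVE_2022_21907 = $httpExposed
    IkeServiceRunning        = $ikeRunning
    IkeUdpSockets            = $ikeSockets.Count
    ExposedTo_CVE_2022_21849 = $ikeRunning
    HotfixesSinceJan11       = ($recentHotfixes | ForEach-Object HotFixID) -join ', '
} | Format-List
```

A host that reports ExposedTo_CVE_2022_21907 as True with an empty HotfixesSinceJan11 field is the one to patch first; a host with IKEEXT stopped and no UDP 500/4500 sockets is not reachable for CVE-2022-21849 regardless of patch state, though it should still be updated.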

Microsoft Exchange Server also received five separate update packages for one critical-rated RCE vulnerability, tracked as CVE-2022-21846 and scored 9.0/10, with an 'adjacent' attack vector. In CVSS terms this means the attack is limited at the protocol level to a logically adjacent topology: the attacker must already be on the same network segment as the target. This particular flaw was first flagged to Microsoft by the National Security Agency (NSA), which raised attention to other Microsoft Exchange security issues throughout 2021.


In order to achieve exploitation, attackers would first have to gain a foothold in the victim's environment, such as a position on the same shared physical network (for example Bluetooth or IEEE 802.11) or logical network, such as the local IP subnet. This type of positioning is typical of man-in-the-middle setups, Microsoft said.

Numerous flaws affecting the Microsoft Office suite were also patched, but perhaps the most serious, tracked as CVE-2022-21840, is a single vulnerability whose advisory carries 26 separate critical-rated entries for the affected Office products. It has a CVSS score of 8.8/10, and attackers could achieve remote code execution on a victim's machine if the victim opened a specially crafted file.

Microsoft rates the flaw 'exploitation less likely' because some user interaction is required (opening the file), but it still categorised it as 'low complexity', meaning attackers need no special conditions and can expect repeatable success against the vulnerable component once a user opens the file.

Microsoft has issued updates for Windows machines and advises installing all of them, but some Mac users will have to wait, as patches for certain Mac products are not immediately available.

Microsoft has published a full list of the now-patched security issues. RCE flaws affect products including Windows Server, Microsoft Exchange Server, SharePoint Server, the Microsoft Office suite, DirectX, Windows Remote Desktop Protocol, Windows Resilient File System, and other areas.

"This massive Patch Tuesday comes during a time of chaos in the security industry whereby professionals are working overtime to remediate Log4Shell – reportedly the worst vulnerability seen in decades," said Bharat Jogi, director, vulnerability and threat research at Qualys, to IT Pro. "Unpredictable events such as Log4Shell add significant stress to the security professionals dealing with such outbreaks – and bring to the forefront the importance of having an automated inventory of everything that is used by an organisation in their environment.

"It is the need of the hour to automate deployment of patches for events with defined schedules, such as Microsoft's Patch Tuesday, so security professionals can focus energy to respond efficiently to unpredictable events that pose dastardly risk to an organisation's crown jewels."

Six zero-day vulnerabilities

In addition to the array of security vulnerabilities affecting Microsoft products, six zero-days are also now patched. These count as zero-days because they were publicly disclosed before a fix was available, not because they were being attacked: no evidence suggests any of them were actively exploited.

  • CVE-2022-21919 - Windows User Profile Service Elevation of Privilege Vulnerability
  • CVE-2022-21836 - Windows Certificate Spoofing Vulnerability
  • CVE-2022-21839 - Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability
  • CVE-2022-21874 - Windows Security Center API Remote Code Execution Vulnerability
  • CVE-2021-22947 - Open Source Curl Remote Code Execution Vulnerability
  • CVE-2021-36976 - Libarchive Remote Code Execution Vulnerability

None of the above zero-days is known to have been actively exploited, but public proof-of-concept (PoC) code exists for them, so businesses should still patch these as a matter of priority before exploitation attempts start.
