Microsoft takes aim at critical RCE flaws with "massive" Patch Tuesday update
Microsoft has kicked off 2022 with dozens of security fixes, including for critical-rated vulnerabilities in some of the most widely used business products in the world


Microsoft has fixed a total of 98 security vulnerabilities as part of its January 2022 Patch Tuesday update released this week, including 29 remote code execution (RCE) flaws and six zero-days.
Of the 98 vulnerabilities, nine were rated 'critical', the highest band in Microsoft's severity rating (most of them also carry a CVSS score of 9.0 or higher). Among the most severe issues patched were a pair of RCE flaws, both scored 9.8/10, one in the Windows HTTP Protocol Stack and one in the Windows Internet Key Exchange (IKE) extension.
The HTTP Protocol Stack flaw, tracked as CVE-2022-21907, affects Windows systems that serve HTTP through the kernel-mode http.sys driver, most commonly servers running IIS. An unauthenticated attacker can achieve remote code execution by sending specially crafted packets to an affected server. Microsoft also said the issue is wormable and recommends patching all affected servers as a priority.
Another of the more serious flaws patched this week affects the Windows Internet Key Exchange (IKE) extension, though Microsoft has been tight-lipped on the full details of the problem.
"CVE-2022-21907 is a particularly dangerous CVE because of its ability to allow for an attacker to affect an entire intranet once the attack succeeds," said Danny Kim, principal architect at Virsec, to IT Pro.
"Although Microsoft has provided an official patch, this CVE is another reminder that software features allow opportunities for attackers to misuse functionalities for malicious acts," he added. "Instead of trying to continuously patch and identify these vulnerabilities, enterprises should look for a real-time monitoring solution to safeguard applications and their functionalities from these types of attacks."
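The following PowerShell function is an added example for this page; it is not code from the article, from Virsec or from Microsoft. It triages a single Windows host for CVE-2022-21907 exposure by reporting the OS build, the URL prefixes currently registered with http.sys, and the `EnableTrailerSupport` registry value. Two facts it relies on come from Microsoft's advisory rather than from the article above: only Windows 10 1809 / Server 2019 (build 17763) and later builds were listed as affected, and on build 17763 the vulnerable HTTP trailer parsing is reachable only when `EnableTrailerSupport` is set to 1 under `HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters`. Whether a given build already carries the January 2022 update is left to the reader to compare against Microsoft's release notes; the function deliberately does not hard-code KB numbers or patched build revisions.

```powershell
# Added example: triage a Windows host for CVE-2022-21907 (HTTP Protocol Stack RCE).
# Not code from the ITPro article or from Microsoft. Run elevated on the host itself.
# Assumptions (from Microsoft's advisory, not from the article): builds below 17763
# are not affected; on build 17763 the vulnerable code path needs EnableTrailerSupport=1;
# on newer builds it is reachable without any configuration change.

function Get-HttpSysExposure {
    [CmdletBinding()]
    param()

    # OS build and update build revision (UBR) identify which cumulative update is installed.
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $ubr   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR

    # URL prefixes served by http.sys: IIS sites, WinRM/WSMan, WSUS, anything else that
    # registers with the kernel HTTP listener. No prefixes means http.sys is not listening.
    $state = netsh http show servicestate view=requestq verbose=no
    $urls  = @($state | Where-Object { $_ -match '^\s+(https?://\S+)' } |
                        ForEach-Object { $Matches[1] })

    # Registry value that gates the vulnerable trailer parsing on build 17763.
    $params  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters' `
                                -ErrorAction SilentlyContinue
    $trailer = if ($null -ne $params.EnableTrailerSupport) { [int]$params.EnableTrailerSupport } else { 0 }

    # Is the vulnerable code reachable on this build at all?
    $reachable = if ($build -lt 17763)     { $false }
                 elseif ($build -eq 17763) { $trailer -eq 1 }
                 else                      { $true }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        OSBuild                 = "$build.$ubr"
        HttpSysUrlPrefixes      = $urls
        EnableTrailerSupport    = $trailer
        VulnerableCodeReachable = ($reachable -and $urls.Count -gt 0)
    }
}

# Usage: run on each candidate host, then compare OSBuild against the January 2022 release notes.
Get-HttpSysExposure | Format-List
```

A host reporting `VulnerableCodeReachable = True` with a pre-January 2022 build revision is the one to patch first, and the same output shows which services exposed http.sys in the first place, which is useful when the listener turns out to be WinRM rather than a web site.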
The IKE flaw, tracked as CVE-2022-21849, is rated 'low complexity' in Microsoft's advisory, and it allows an unauthenticated attacker to trigger multiple vulnerabilities, but only when the IPsec service is running on the Windows machine.
Microsoft Exchange Server also received five separate fixes for one critical-rated RCE vulnerability, tracked as CVE-2022-21846 and rated 9.0/10. Its 'adjacent' attack vector means the attack is bound to the network stack but limited, at the protocol level, to targets that are logically adjacent to the attacker. This particular flaw was first reported to Microsoft by the National Security Agency (NSA), which flagged other Microsoft Exchange security issues throughout 2021.
To exploit it, attackers would first have to gain a foothold in the victim's environment, for example by being on the same shared physical network (such as Bluetooth or IEEE 802.11) or the same local IP subnet. Microsoft said this type of flaw is commonly associated with man-in-the-middle positioning.
Numerous flaws affecting the Microsoft Office suite were also patched, but perhaps the most serious, tracked as CVE-2022-21840, covers 26 individual critical-rated entries under a single CVE. It has a CVSS score of 8.8/10, and an attacker could achieve remote code execution on a victim's machine if the victim opened a specially crafted file.
The flaw is thought to be slightly less likely to be exploited because user interaction (opening the file) is required, but Microsoft still categorised it as 'low complexity', meaning an attacker can expect repeatable success against the vulnerable component once the file is opened.
Microsoft has issued updates for Windows machines, all of which should be installed, but patches for certain Mac editions of Office were not immediately available, so those users will have to wait.
A full list of the now-patched security issues has been published by Microsoft with RCE flaws affecting products including Windows Server, Microsoft Exchange Server, SharePoint Server, the Microsoft Office suite, DirectX, Windows Remote Desktop Protocol, Windows Resilient File System, and other areas.
"This massive Patch Tuesday comes during a time of chaos in the security industry whereby professionals are working overtime to remediate Log4Shell – reportedly the worst vulnerability seen in decades," said Bharat Jogi, director, vulnerability and threat research at Qualys to IT Pro. "Unpredictable events such as Log4Shell add significant stress to the security professionals dealing with such outbreaks – and bring to the forefront the importance of having an automated inventory of everything that is used by an organisation in their environment.
"It is the need of the hour to automate deployment of patches for events with defined schedules, such as Microsoft's Patch Tuesday, so security professionals can focus energy to respond efficiently to unpredictable events that pose dastardly risk to an organisation's crown jewels."
Six zero-day vulnerabilities
In addition to the array of security vulnerabilities affecting Microsoft products, six zero-days are also now patched. They are zero-days in the sense that details were public before the fix shipped; no evidence suggests any of them were actively exploited.
- CVE-2022-21919 - Windows User Profile Service Elevation of Privilege Vulnerability
- CVE-2022-21836 - Windows Certificate Spoofing Vulnerability
- CVE-2022-21839 - Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability
- CVE-2022-21874 - Windows Security Center API Remote Code Execution Vulnerability
- CVE-2021-22947 - Open Source Curl Remote Code Execution Vulnerability
- CVE-2021-36976 - Libarchive Remote Code Execution Vulnerability
Although none of the above were exploited in the wild at the time of release, publicly available proof-of-concept (PoC) code exists for them, so businesses should still patch these as a priority before exploitation attempts start.
Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.