Microsoft takes aim at critical RCE flaws with "massive" Patch Tuesday update

Microsoft has kicked off 2022 with a score of security fixes for critical-rated vulnerabilities in some of the most widely used products used by businesses around the world

Microsoft has fixed a total of 98 security vulnerabilities as part of its January 2022 Patch Tuesday update released this week, including 29 remote code execution (RCE) flaws and six zero-days.

Of the 98 total vulnerabilities, nine were rated 'critical' - having a CVE score of nine or greater. Among the most severe security issues patched by Microsoft were a pair of RCEs both with scores of 9.8/10 affecting Windows Servers and systems with internet key exchange (IKE).

The flaw affecting Windows servers that are configured as a webserver, tracked as CVE-2022-21907, allows unauthenticated cyber attackers to send specially crafted packets to targeted servers utilising the HTTP Protocol Stack. Microsoft also said the issue is wormable and recommends patching all affected servers as a priority task.

Another of the more serious flaws Microsoft patched this week was one found affecting internet key exchange (IKE), though Microsoft has been tight-lipped on the full details of the problem.

"CVE-2022-21907 is a particularly dangerous CVE because of its ability to allow for an attacker to affect an entire intranet once the attack succeeds," said Danny Kim, principal architect at Virsec, to IT Pro

"Although Microsoft has provided an official patch, this CVE is another reminder that software features allow opportunities for attackers to misuse functionalities for malicious acts," he added. "Instead of trying to continuously patch and identify these vulnerabilities, enterprises should look for a real-time monitoring solution to safeguard applications and their functionalities from these types of attacks."

The RCE vulnerability, tracked as CVE-2022-21849, can be exploited with 'low complexity', according to Microsoft's patch notes, and allows unauthenticated attackers to trigger multiple vulnerabilities when the IPSec service is running on Windows.

Microsoft Exchange Server also received five separate fixes for one critical-rated RCE vulnerability, tracked as CVE-2022-21846, rated 9.0/10, with an 'adjacent' attack vector which means the attack is limited at the protocol level. This particular flaw was first flagged to Microsoft by the National Security Agency (NSA), which has raised attention to other Microsoft Exchange security issues throughout 2021.

Related Resource

Busting the myths about SSO

Why SSO capability is critical to the success of IAM

Pixelated black and white image with whitepaper title above on white backgroundFree download

In order to achieve exploitation, cyber attackers would have to first gain a foothold onto a victim's environment, such as being on the same shared physical network, like Bluetooth or IEEE 802.11. This type of flaw is common with man-in-the-middle setups, Microsoft said.

Numerous flaws affecting the Microsoft Office suite were also patched by Microsoft but perhaps the most serious one, tracked as CVE-2022-21840, addressed 26 individual critical-rated flaws in one vulnerability. It has a CVE score of 8.8/10 and attackers could achieve remote code execution on a victim's machine if they opened a specially crafted file.

The flaw is thought to be slightly less likely to exploit given that some user interaction is required (opening the file), but Microsoft still categorised it as a 'low complexity' exploit, meaning cyber attackers can expect repeatable success against the vulnerable component.

Microsoft has issued updates for Windows machines, all of which are advised to be installed, but certain Mac users will have to wait for patches as they are not immediately available.

A full list of the now-patched security issues has been published by Microsoft with RCE flaws affecting products including Windows Server, Microsoft Exchange Server, SharePoint Server, the Microsoft Office suite, DirectX, Windows Remote Desktop Protocol, Windows Resilient File System, and other areas.

"This massive Patch Tuesday comes during a time of chaos in the security industry whereby professionals are working overtime to remediate Log4Shell – reportedly the worst vulnerability seen in decades," said Bharat Jogi, director, vulnerability and threat research at Qualys to IT Pro. "Unpredictable events such as Log4Shell add significant stress to the security professionals dealing with such outbreaks – and bring to the forefront the importance of having an automated inventory of everything that is used by an organisation in their environment.    

"It is the need of the hour to automate deployment of patches for events with defined schedules, such as Microsfot's Patch Tuesday, so security professionals can focus energy to respond efficiently to unpredictable events that pose dastardly risk to an organisation’s crown jewels."

Six zero-day vulnerabilities

In addition to the array of security vulnerabilities affecting Microsoft products, six zero-days are also now patched, though no evidence suggests any of them were actively exploited.

  • CVE-2022-21919 - Windows User Profile Service Elevation of Privilege Vulnerability
  • CVE-2022-21836 - Windows Certificate Spoofing Vulnerability
  • CVE-2022-21839 - Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability
  • CVE-2022-21874 - Windows Security Center API Remote Code Execution Vulnerability
  • CVE-2021-22947 - Open Source Curl Remote Code Execution Vulnerability
  • CVE-2021-36976 - Libarchive Remote Code Execution Vulnerability

None of the above zero-days were actively exploited, but publicly available proof of concept (PoC) code is available so businesses should still patch these as a matter of priority before exploitation attempts do start occurring.

Featured Resources

Modern governance: The how-to guide

Equipping organisations with the right tools for business resilience

Free Download

Cloud operational excellence

Everything you need to know about optimising your cloud operations

Watch now

A buyer’s guide to board management software

How the right software can improve your board’s performance

The real world business value of Oracle autonomous data warehouse

Lead with a 417% five-year ROI

Download now


Fedex teams with Microsoft for cross-platform logistics solution
digital transformation

Fedex teams with Microsoft for cross-platform logistics solution

25 Jan 2022
Microsoft tells IT admins to turn off legacy group policies to improve Windows performance
Microsoft Windows

Microsoft tells IT admins to turn off legacy group policies to improve Windows performance

21 Jan 2022
Microsoft buys game developer Activision Blizzard for $68.7 billion
mergers and acquisitions

Microsoft buys game developer Activision Blizzard for $68.7 billion

18 Jan 2022
Windows 11 problems and how to fix them
Microsoft Windows

Windows 11 problems and how to fix them

7 Jan 2022

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022
How to speed up Windows 11
Microsoft Windows

How to speed up Windows 11

7 Jan 2022
Synology DiskStation DS2422+ review: A cube of great capacity
network attached storage (NAS)

Synology DiskStation DS2422+ review: A cube of great capacity

10 Jan 2022