Microsoft takes aim at critical RCE flaws with "massive" Patch Tuesday update

Microsoft has fixed a total of 98 security vulnerabilities as part of its January 2022 Patch Tuesday update released this week, including 29 remote code execution (RCE) flaws and six zero-days.

Of the 98 total vulnerabilities, nine were rated 'critical' - having a CVE score of nine or greater. Among the most severe security issues patched by Microsoft were a pair of RCEs both with scores of 9.8/10 affecting Windows Servers and systems with internet key exchange (IKE).

The flaw affecting Windows servers that are configured as a webserver, tracked as CVE-2022-21907, allows unauthenticated cyber attackers to send specially crafted packets to targeted servers utilising the HTTP Protocol Stack. Microsoft also said the issue is wormable and recommends patching all affected servers as a priority task.

Another of the more serious flaws Microsoft patched this week was one found affecting internet key exchange (IKE), though Microsoft has been tight-lipped on the full details of the problem.

"CVE-2022-21907 is a particularly dangerous CVE because of its ability to allow for an attacker to affect an entire intranet once the attack succeeds," said Danny Kim, principal architect at Virsec, to IT Pro.

"Although Microsoft has provided an official patch, this CVE is another reminder that software features allow opportunities for attackers to misuse functionalities for malicious acts," he added. "Instead of trying to continuously patch and identify these vulnerabilities, enterprises should look for a real-time monitoring solution to safeguard applications and their functionalities from these types of attacks."

The RCE vulnerability, tracked as CVE-2022-21849, can be exploited with 'low complexity', according to Microsoft's patch notes, and allows unauthenticated attackers to trigger multiple vulnerabilities when the IPSec service is running on Windows.

Microsoft Exchange Server also received five separate fixes for one critical-rated RCE vulnerability, tracked as CVE-2022-21846, rated 9.0/10, with an 'adjacent' attack vector which means the attack is limited at the protocol level. This particular flaw was first flagged to Microsoft by the National Security Agency (NSA), which has raised attention to other Microsoft Exchange security issues throughout 2021.

In order to achieve exploitation, cyber attackers would have to first gain a foothold onto a victim's environment, such as being on the same shared physical network, like Bluetooth or IEEE 802.11. This type of flaw is common with man-in-the-middle setups, Microsoft said.

Numerous flaws affecting the Microsoft Office suite were also patched by Microsoft but perhaps the most serious one, tracked as CVE-2022-21840, addressed 26 individual critical-rated flaws in one vulnerability. It has a CVE score of 8.8/10 and attackers could achieve remote code execution on a victim's machine if they opened a specially crafted file.

The flaw is thought to be slightly less likely to exploit given that some user interaction is required (opening the file), but Microsoft still categorised it as a 'low complexity' exploit, meaning cyber attackers can expect repeatable success against the vulnerable component.

Microsoft has issued updates for Windows machines, all of which are advised to be installed, but certain Mac users will have to wait for patches as they are not immediately available.

A full list of the now-patched security issues has been published by Microsoft with RCE flaws affecting products including Windows Server, Microsoft Exchange Server, SharePoint Server, the Microsoft Office suite, DirectX, Windows Remote Desktop Protocol, Windows Resilient File System, and other areas.

"This massive Patch Tuesday comes during a time of chaos in the security industry whereby professionals are working overtime to remediate Log4Shell – reportedly the worst vulnerability seen in decades," said Bharat Jogi, director, vulnerability and threat research at Qualys to IT Pro. "Unpredictable events such as Log4Shell add significant stress to the security professionals dealing with such outbreaks – and bring to the forefront the importance of having an automated inventory of everything that is used by an organisation in their environment.

"It is the need of the hour to automate deployment of patches for events with defined schedules, such as Microsfot's Patch Tuesday, so security professionals can focus energy to respond efficiently to unpredictable events that pose dastardly risk to an organisation’s crown jewels."

Six zero-day vulnerabilities

In addition to the array of security vulnerabilities affecting Microsoft products, six zero-days are also now patched, though no evidence suggests any of them were actively exploited.

• CVE-2022-21919 - Windows User Profile Service Elevation of Privilege Vulnerability
• CVE-2022-21836 - Windows Certificate Spoofing Vulnerability
• CVE-2022-21839 - Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability
• CVE-2022-21874 - Windows Security Center API Remote Code Execution Vulnerability
• CVE-2021-22947 - Open Source Curl Remote Code Execution Vulnerability
• CVE-2021-36976 - Libarchive Remote Code Execution Vulnerability

None of the above zero-days were actively exploited, but publicly available proof of concept (PoC) code is available so businesses should still patch these as a matter of priority before exploitation attempts do start occurring.