Microsoft January 2022 Patch Tuesday: Six zero-days, over 90 vulnerabilities fixed
Microsoft has released 96 security fixes including updates to address six zero-day vulnerabilities.
In the Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, Microsoft has fixed problems including remote code execution (RCE) exploits, privilege escalation flaws, spoofing issues, and cross-site scripting (XSS) vulnerabilities.
Products impacted by January 2022’s security update include Microsoft Exchange Server, the Office software line, Windows Defender, Windows Kernel, RDP, Cryptographic Services, Windows Certificate, and Microsoft Teams.
The zero-day vulnerabilities resolved in this update are:
- CVE-2021-22947: HackerOne assigned CVE: An open source Curl RCE allowing for Man-in-The-Middle (MiTM) attacks.
- CVE-2021-36976: MITRE assigned CVE: An open source Libarchive use-after-free bug leading to RCE.
- CVE-2022-21874: A local Windows Security Center API RCE vulnerability (CVSS 7.8).
- CVE-2022-21919: A Windows User Profile Service Elevation of Privilege security issue (CVSS 7.0), PoC exploit code recorded.
- CVE-2022-21839: Windows Event Tracing Discretionary Access Control List Denial-of-Service (DoS) (CVSS 6.1).
- CVE-2022-21836: Windows Certificate spoofing, PoC code recorded (CVSS 7.8).
None of the zero-day flaws above are known to have been exploited in the wild. A total of 24 vulnerabilities were patched earlier this month in Microsoft Edge (Chromium-based). According to the Zero Day Initiative (ZDI), this volume is unusual for the month of January, with previous years often being roughly half this number.
Microsoft has also announced a refreshed Security Update Guide notification system, with standard email addresses now being accepted at signup rather than only Live IDs.
Last month, Microsoft published 67 security fixes in the December 2021 Patch Tuesday. Seven critical vulnerabilities were among the issues patched, alongside six zero-day security flaws. One of the zero-days tackled was CVE-2021-43890, a bug in the Windows AppX Installer that is being actively exploited in the wild to spread Emotet, Trickbot, and Bazaloader malware.
A month prior, the tech giant tackled 55 vulnerabilities during the November 2021 Patch Tuesday.
In recent Microsoft news, earlier this month the company published an emergency fix for a bug impacting on-premise Exchange Servers. A date-check failure glitch prevented mail to move smoothly through the transport queues of Exchange Server 2016 and Exchange Server 2019.
Alongside Microsoft’s Patch Tuesday round, other vendors, too, will publish security updates which can be accessed below.