vulnerability management

Security Updates: 01.2022

Patch Tuesday has become a common IT industry term for the monthly cycle in which Microsoft releases security patches for its portfolio of products. Because of the breadth of Microsoft's product range, many other software vendors that build products for these platforms have aligned their own monthly security releases to coincide with Microsoft's Patch Tuesday updates. Patch Tuesday falls on the second Tuesday of every month.

LNDSR's Vulnerability Management Service assists your IT team by highlighting the vulnerabilities present within your organisation and guiding them through the remediation steps required to reduce the risk of exploitation and secure your computing environments.

Part of this service is our free monthly breakdown of the notable security updates released each month that will affect your company infrastructure and users, whether they are using company assets or their own technology at home with family.

Patch Tuesday – January 2022

LNDSR commentary on the security updates released on Patch Tuesday for January 2022:

  • Microsoft
    • This month, Microsoft have addressed 97 vulnerabilities.
    • Microsoft have rated 9 of these patches as Critical.
    • 6 of the vulnerabilities addressed have been publicly disclosed.
    • None of the vulnerabilities have been detected as actively attacked in the wild.
  • Vulnerabilities of interest:
    • CVE-2022-21907 – HTTP Protocol Stack Remote Code Execution Vulnerability – RCE / (CVSS:9.8): This vulnerability allows an attacker to execute code on a susceptible system by sending specially crafted packets for the HTTP Protocol Stack (http.sys) to process. It is exploitable with no user interaction and no privileges required, and has been determined to be wormable. NOTE – Because Windows workstations can also run http.sys, all impacted versions of Windows, not only servers, are currently open to exploitation by this vulnerability.
    • CVE-2022-21840 – Microsoft Office Remote Code Execution Vulnerability – RCE / (CVSS:8.8): It is unusual for an MS Office vulnerability to be rated Critical by Microsoft, but this one has made that mark. This most likely means that a specially crafted file exploiting the vulnerability can be opened without any warning to the user. Addressing this vulnerability required multiple patches rather than a single one. It is also worth noting that this vulnerability impacts Office 2019 for Mac and Microsoft Office for Mac 2021, but crucially Microsoft has not released patches for these platforms today, so all Apple assets running these products remain vulnerable.
  • Microsoft products patched this month:
    • Microsoft Windows
    • Microsoft Edge (EdgeHTML-based)
    • Microsoft Edge (Chromium-based)
    • Microsoft Office and Microsoft Office Components
    • Microsoft Dynamics
    • Microsoft Exchange Server
    • Microsoft SharePoint Server
    • .NET Framework
    • Open Source Software
    • Windows Hyper-V
    • Windows Defender
    • Windows Remote Desktop
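The CVE-2022-21907 note above matters for prioritisation: only hosts that actually have http.sys active and URL prefixes registered with it are reachable through the vulnerable component. The following PowerShell triage script is an added example, not part of the LNDSR advisory or any Microsoft tooling; it checks the http.sys driver state, the registered URL prefixes, System-owned TCP listeners, and whether any updates have been installed since the January 2022 Patch Tuesday. The 11 January 2022 date and the line layout of the netsh output are assumptions.

```powershell
# Added triage script (not from the LNDSR advisory or Microsoft). Run in an
# elevated PowerShell on the host being assessed. Assumptions: the January 2022
# Patch Tuesday date (11 Jan 2022) and the layout of 'netsh http' output.

$patchTuesday = Get-Date '2022-01-11'

# 1. Is the HTTP kernel-mode driver (http.sys) present and running at all?
$httpSvc = Get-Service -Name HTTP -ErrorAction SilentlyContinue
if (-not $httpSvc) {
    Write-Output 'http.sys service not present on this host.'
    return
}
Write-Output ("http.sys driver state  : {0}" -f $httpSvc.Status)

# 2. URL prefixes registered with http.sys. Each one is an entry point that
#    hands request parsing to the kernel component patched by CVE-2022-21907.
$urls = netsh http show servicestate |
        Where-Object { $_ -match '^\s*HTTPS?://' } |
        ForEach-Object { $_.Trim() } |
        Sort-Object -Unique
Write-Output ("Registered URL prefixes: {0}" -f $urls.Count)
$urls | ForEach-Object { Write-Output ("  {0}" -f $_) }

# 3. TCP listeners owned by the System process (PID 4). On Windows these are
#    normally http.sys listeners, so they show network-reachable exposure.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object OwningProcess -eq 4 |
    Select-Object LocalAddress, LocalPort |
    Sort-Object LocalPort -Unique |
    Format-Table -AutoSize

# 4. Updates installed on or after the January 2022 Patch Tuesday. A host with
#    registered URLs and nothing installed since then is the top priority.
$recent = Get-HotFix | Where-Object { $_.InstalledOn -ge $patchTuesday }
if ($recent) {
    $recent | Select-Object HotFixID, InstalledOn | Format-Table -AutoSize
} else {
    Write-Output 'No updates installed since 2022-01-11: prioritise this host.'
}
```

Run it across a fleet with Invoke-Command and collect the output; a workstation that reports registered URL prefixes (WinRM, WSDAPI and similar services use http.sys) is as exposed as a server.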

Other notable vendor releases:
