Security Updates: 01.2022
Patch Tuesday has become a common IT industry term for the patching cycle employed by Microsoft to release security patches for its portfolio of products. Due to the breadth of Microsofts’ product range, many other software vendors that produce products for these platforms have also taken the opportunity to align their monthly security releases to coincide with Microsofts’ Patch Tuesday updates. Patch Tuesday falls on the 2nd Tuesday of every month.
LNDSR’s Vulnerability Management Service assists your IT team by highlighting the vulnerabilities present within your organisation and guiding them to the remediation steps required to mitigate risks of exploitation and to secure your computing environments.
Part of this service is our free monthly breakdown of the notable security updates released each month that will impact your company infrastructure and users, whether they are using company assets or their private technology with family at home.
Patch Tuesday – January 2022
LNDSR commentary on the security updates released on Patch Tuesday for January 2022:
- This month, Microsoft have addressed 97 vulnerabilities
- Microsoft have rated 9 of these patches as Critical.
- 6 of the vulnerabilities addressed have been publicly disclosed
- None of the vulnerabilities have been detected as actively attacked in the wild.
- Vulnerabilities of interest:
- CVE-2022-21907 – HTTP Protocol Stack Remote Code Execution Vulnerability – RCE / (CVSS:9.8): This vulnerability allows an attacker to execute code on a susceptible system by sending a specially crafted packets to it via the HTTPS Protocol Stack (http.sys) to process. This is exploitable with no user interaction and no privileges required. This vulnerability has been determined as wormable. NOTE – Because Windows workstations can also run http.sys, all impacted versions of Windows are currently open to exploitation by this vulnerability.
- CVE-2022-21846 – Microsoft Exchange Server Remote Code Execution Vulnerability – RCE / (CVSS:9.0): This vulnerability has been reported by the NSA. This vulnerability can allow an attacker to execute code on a vulnerable system. However, the attacker would have to launch the attack from the same network segment, essentially within the boundaries of a corporate network.
- CVE-2022-21840 – Microsoft Office Remote Code Execution Vulnerability – RCE / (CVSS:8.8): It’s unusual for an MS Office vulnerability to be rated Critical by Microsoft, but this one has made that mark. This will most likely denote a lack of warning when opening a specially crafted file exploiting this vulnerability. Addressing this vulnerability required multiple patches not just one. It’s also worth noting that this vulnerability also impacts Office 2019 for Mac & Microsoft Office for Mac 2021 – but crucially Microsoft has not released patches for these platforms today; so all Apple assets running these products remain vulnerable.
- Microsoft products patched this month:
- Microsoft Windows
- Microsoft Edge (EdgeHTML-based)
- Microsoft Edge (Chromium-based)
- Microsoft Office and Microsoft Office Components
- Microsoft Dynamics
- Microsoft Exchange Server
- Microsoft Sharepoint Server
- .NET Framework
- Open Source Software
- Windows Hyper-V
- Windows Defender
- Windows Remote Desktop
Other notable vendor releases:
- WordPress issued a critical point release from 5.8.2 to 5.8.3
- Adobe released 5 security updates covering 41 vulnerabilities for Adobe Acrobat and Reader, Illustrator, Adobe Bridge, InCopy, and InDesign. None of the vulnerabilities patched have been publicly disclosed or observed as having been actively exploited in the wild.
- Android released security updates for 15 vulnerabilities during the 1st week of January 2022.
- Apple released 7 security updates for iOS and macOS last month.
- Cisco released 3 security updates addressing 6 vulnerabilities including 4 Log4j 2.x
- SAP released security updates for 13 vulnerabilities including Log4j 2.x
- VMWare released 2 security advisories for VMWare Workstation, Fusion and ESX fixing 3 vulnerabilities including Log4j 2.x in additional products.
- Intel security updates for its product ranges addressing the Log4j 2.x vulnerabilities.
- Citrix updated Citrix Workspace app for Linux to fix a single vulnerability.
- Mozilla has updated Firefox, Firefox ESR, and Thunderbird.
- Samba has announced a point update fixing a singel vulnerability.
- Schneider Electric have addressed 29 vulnerabilities with 8 security updates.
- Siemens have released 13 product security updates.
- Linux distributions Oracle Linux, Red Hat, and SUSE have released updates.