Microsoft starts 2022 with big bundle fixes for 96 security bugs in its software

Patch Tuesday The new year brings the same old chore of shoring up Microsoft software. For its first Patch Tuesday of 2022, Redmond has bestowed 96 new CVEs affecting its Windows products.

If you include 24 Chromium CVEs published earlier this month and now addressed in Microsoft's Edge browser, in addition to two CVEs in open source projects (Curl and Libarchive), you get 122 fixes that need to be applied.

Affected systems include: Windows and associated components, Edge, Exchange Server, Office and associated components, SharePoint Server, .NET Framework, Microsoft Dynamics, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP).

Of the 96 Windows CVEs and the two open source fixes, nine are rated Critical and 89 are rated Important. Six are said to be publicly known though not yet subject to active exploitation, at least as far as Microsoft is aware.

The critical (and public) Curl flaw (CVE-2021-22947) – which enables a MITM-attacker to inject fake response data when using STARTTLS to initiate a TLS connection – was patched in the release of version 7.79.0 back on September 15, 2021. Microsoft is just getting to it now.

Dustin Childs, with the Zero Day Initiative (ZDI), calls attention to yet another Microsoft Exchange critical remote code execution (RCE) flaw (CVE-2022-21846), which like several recent Exchange bugs has been flagged by

the US National Security Agency.

In March last year, Microsoft fixed four Exchange vulnerabilities exploited by a China-based hacking group referred to as "Hafnium," blamed for data thefts from US defense contractors and private sector firms.

• Make sure you're up-to-date with Sonicwall SMA 100 VPN box patches – security hole exploit info is now out
• Google fixes bug that stopped some Pixel phones from making 911 calls
• Microsoft patches Y2K-like bug that borked on-prem Exchange Server
• Bad things come in threes: Apache reveals another Log4J bug

Childs also highlights CVE-2022-21840, a Microsoft Office RCE. It's rated critical, he suggests, because of the absence of warning dialogs when opening a maliciously crafted file. The bug should be of particular concern to users of macOS because Microsoft's fix doesn't apply there.

"Unfortunately, if you’re running Office 2019 for Mac and Microsoft Office LTSC for Mac 2021, you’re out of luck because there are no patches available for these products," explains Childs in a blog post.

Finally, he notes that CVE-2022-21907, a critical HTTP Protocol Stack RCE, should be prioritized because it can be triggered without interaction or privilege elevation by sending maliciously crafted packets to a system using the HTTP Protocol Stack (http.sys) to process packets.

Security biz CyberArk believes some attention should be paid to the vulnerability, rated Important, in Windows Remote Desktop Services (CVE-2022-21893) that the company discovered and disclosed to Microsoft.

"This vulnerability enables any standard unprivileged user connected to a remote machine via remote desktop to gain file system access to the client machines of other connected users, to view and modify clipboard data of other connected users, and to impersonate the identity of other users logged on to the machine using smart cards," said Gabriel Sztejnworcel, software architect at CyberArk, in a blog post. He also notes that its abuse could have data privacy consequences and could allow lateral network movement and privilege escalation.

Alongside its patch notifications, Microsoft said it is revising how it shares information through its Security Update Guide. The big change is that Microsoft will no longer require a Live ID email address for those who want to receive security notifications.

SAP issued 11 security notices, only nine of which are listed on the page, or ten if you count the one cited in the comment section. One of these is designated "Hot news" or Critical in more sensible industry terminology. The Hot news item is, of course, security notice 3131047, a collection of bulletins that cover the Log4j vulnerabilities in multiple products.

Adobe, meanwhile, published five security bulletins covering 41 CVEs in Acrobat and Reader, Illustrator, Adobe Bridge, InCopy, and InDesign.

More than half these CVEs (22) were reported through ZDI and 26 of the fixes were associated with Acrobat and Reader – 16 of them designated Critical. The worst of the lot, said Childs, enables RCE if the victim opens a maliciously crafted PDF.

Mozilla issued three security advisories, covering 18 CVEs, nine of which are critical, in Thunderbird 91.5, Firefox ESR 91.5, and Firefox 96.

Earlier this month, Android issued a security bulletin covering 33 CVEs, only one of which (CVE-2021-30285) was designated critical. As it affects a closed-source Qualcomm component, it was not publicly disclosed. ®