IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Microsoft takes aim at critical RCE flaws with "massive" Patch Tuesday update

Microsoft has kicked off 2022 with a score of security fixes for critical-rated vulnerabilities in some of the most widely used products used by businesses around the world

Microsoft has fixed a total of 98 security vulnerabilities as part of its January 2022 Patch Tuesday update released this week, including 29 remote code execution (RCE) flaws and six zero-days.

Of the 98 total vulnerabilities, nine were rated 'critical' - having a CVE score of nine or greater. Among the most severe security issues patched by Microsoft were a pair of RCEs both with scores of 9.8/10 affecting Windows Servers and systems with internet key exchange (IKE).

The flaw affecting Windows servers that are configured as a webserver, tracked as CVE-2022-21907, allows unauthenticated cyber attackers to send specially crafted packets to targeted servers utilising the HTTP Protocol Stack. Microsoft also said the issue is wormable and recommends patching all affected servers as a priority task.

Another of the more serious flaws Microsoft patched this week was one found affecting internet key exchange (IKE), though Microsoft has been tight-lipped on the full details of the problem.

"CVE-2022-21907 is a particularly dangerous CVE because of its ability to allow for an attacker to affect an entire intranet once the attack succeeds," said Danny Kim, principal architect at Virsec, to IT Pro

"Although Microsoft has provided an official patch, this CVE is another reminder that software features allow opportunities for attackers to misuse functionalities for malicious acts," he added. "Instead of trying to continuously patch and identify these vulnerabilities, enterprises should look for a real-time monitoring solution to safeguard applications and their functionalities from these types of attacks."

The RCE vulnerability, tracked as CVE-2022-21849, can be exploited with 'low complexity', according to Microsoft's patch notes, and allows unauthenticated attackers to trigger multiple vulnerabilities when the IPSec service is running on Windows.

Microsoft Exchange Server also received five separate fixes for one critical-rated RCE vulnerability, tracked as CVE-2022-21846, rated 9.0/10, with an 'adjacent' attack vector which means the attack is limited at the protocol level. This particular flaw was first flagged to Microsoft by the National Security Agency (NSA), which has raised attention to other Microsoft Exchange security issues throughout 2021.

Related Resource

Busting the myths about SSO

Why SSO capability is critical to the success of IAM

Pixelated black and white image with whitepaper title above on white backgroundFree download

In order to achieve exploitation, cyber attackers would have to first gain a foothold onto a victim's environment, such as being on the same shared physical network, like Bluetooth or IEEE 802.11. This type of flaw is common with man-in-the-middle setups, Microsoft said.

Numerous flaws affecting the Microsoft Office suite were also patched by Microsoft but perhaps the most serious one, tracked as CVE-2022-21840, addressed 26 individual critical-rated flaws in one vulnerability. It has a CVE score of 8.8/10 and attackers could achieve remote code execution on a victim's machine if they opened a specially crafted file.

The flaw is thought to be slightly less likely to exploit given that some user interaction is required (opening the file), but Microsoft still categorised it as a 'low complexity' exploit, meaning cyber attackers can expect repeatable success against the vulnerable component.

Microsoft has issued updates for Windows machines, all of which are advised to be installed, but certain Mac users will have to wait for patches as they are not immediately available.

A full list of the now-patched security issues has been published by Microsoft with RCE flaws affecting products including Windows Server, Microsoft Exchange Server, SharePoint Server, the Microsoft Office suite, DirectX, Windows Remote Desktop Protocol, Windows Resilient File System, and other areas.

"This massive Patch Tuesday comes during a time of chaos in the security industry whereby professionals are working overtime to remediate Log4Shell – reportedly the worst vulnerability seen in decades," said Bharat Jogi, director, vulnerability and threat research at Qualys to IT Pro. "Unpredictable events such as Log4Shell add significant stress to the security professionals dealing with such outbreaks – and bring to the forefront the importance of having an automated inventory of everything that is used by an organisation in their environment.    

"It is the need of the hour to automate deployment of patches for events with defined schedules, such as Microsfot's Patch Tuesday, so security professionals can focus energy to respond efficiently to unpredictable events that pose dastardly risk to an organisation’s crown jewels."

Six zero-day vulnerabilities

In addition to the array of security vulnerabilities affecting Microsoft products, six zero-days are also now patched, though no evidence suggests any of them were actively exploited.

  • CVE-2022-21919 - Windows User Profile Service Elevation of Privilege Vulnerability
  • CVE-2022-21836 - Windows Certificate Spoofing Vulnerability
  • CVE-2022-21839 - Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability
  • CVE-2022-21874 - Windows Security Center API Remote Code Execution Vulnerability
  • CVE-2021-22947 - Open Source Curl Remote Code Execution Vulnerability
  • CVE-2021-36976 - Libarchive Remote Code Execution Vulnerability

None of the above zero-days were actively exploited, but publicly available proof of concept (PoC) code is available so businesses should still patch these as a matter of priority before exploitation attempts do start occurring.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Microsoft to double salary budget to retain workers
Careers & training

Microsoft to double salary budget to retain workers

17 May 2022
Microsoft warns of new botnet variant targeting Windows and Linux systems
Security

Microsoft warns of new botnet variant targeting Windows and Linux systems

16 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
Actively exploited Windows vulnerability reaches peak severity when paired with popular attack
Security

Actively exploited Windows vulnerability reaches peak severity when paired with popular attack

11 May 2022

Most Popular

Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
IT admin deletes company’s databases and is jailed for seven years
Policy & legislation

IT admin deletes company’s databases and is jailed for seven years

16 May 2022