Patch Tuesday January 2022 – Wormable Bug in Windows and a Critical Bug in Exchange Server Get Fixes

Microsoft patches a wormable bug in http.sys in Windows and Windows Server. There are also fixes for three remote code execution vulnerabilities in Exchange Server. And Adobe releases fixes for 26 flaws in Acrobat and Reader. So, let’s get started!

Windows and Windows Server

This month there are fixes for six zero-days in Windows and Windows Server, but none of them are known to be exploited by attackers in the wild at the time of release, although that is likely to change. Two of the zero-days, CVE-2021-36976 and CVE-2022-21874, are remote code execution (RCE) flaws. CVE-2022-21836 is a certificate spoofing bug that already has publicly available proof-of-concept code.

Wormable flaw in http.sys

But more concerning than the zero-days listed above is a wormable flaw in http.sys. CVE-2022-21907 could let an attacker execute code on an affected device by sending specially crafted HTTP packets. It doesn’t require any user interaction or special rights. Make sure your servers get patched first, and then client devices. Microsoft says: “In Windows Server 2019 and Windows 10 version 1809, the HTTP Trailer Support feature that contains the vulnerability is not active by default.”

Devices are vulnerable if the following registry value is present:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\

"EnableTrailerSupport"=dword:00000001

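The registry check above can be scripted so it covers more than one machine. The following PowerShell is an added example, not code from Microsoft or from this article; the function name Get-HttpTrailerSupportState and its output property names are hypothetical, and remote queries assume PowerShell remoting is enabled on the target hosts.

```powershell
# Added example: report the state of the EnableTrailerSupport value named above.
# Function and property names are hypothetical, chosen for this illustration.
function Get-HttpTrailerSupportState {
    [CmdletBinding()]
    param(
        # Hosts to query; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    $check = {
        $path  = 'HKLM:\System\CurrentControlSet\Services\HTTP\Parameters'
        $name  = 'EnableTrailerSupport'
        $value = $null
        if (Test-Path -Path $path) {
            # SilentlyContinue: a missing value yields no output instead of an error
            $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.$name }
        }
        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            ValuePresent   = ($null -ne $value)
            Value          = $value
            TrailerSupport = ($value -eq 1)   # dword:00000001 means the feature is on
            Error          = $null
        }
    }

    foreach ($computer in $ComputerName) {
        try {
            if ($computer -eq $env:COMPUTERNAME) {
                & $check
            } else {
                Invoke-Command -ComputerName $computer -ScriptBlock $check -ErrorAction Stop
            }
        } catch {
            # Report unreachable hosts instead of silently skipping them
            [pscustomobject]@{
                Computer = $computer; ValuePresent = $null; Value = $null
                TrailerSupport = $null; Error = $_.Exception.Message
            }
        }
    }
}

# Local check; pass -ComputerName with a list of hosts to survey a fleet.
Get-HttpTrailerSupportState | Format-Table -AutoSize
```

A host that reports TrailerSupport as True goes to the front of the patch queue; a row with an Error entry has not been checked and should not be read as unaffected.
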
Active Directory elevation of privilege flaw

CVE-2022-21857 is a bug that could let an attacker elevate rights across an Active Directory trust boundary under specific conditions. An attacker would already need some access to Active Directory. Microsoft has rated the bug Critical.

Exchange Server

Following on from the Exchange Server Y2K22 bug earlier this month, Microsoft has released patches for three RCE bugs, one of which is Critical (CVE-2022-21846). To be exploited, all the flaws would require internal network access.

Microsoft Office

CVE-2022-21840 is a Critical RCE bug that affects multiple versions of Microsoft Office. Unfortunately, there is no patch currently available for Office 2019 for Mac and Microsoft Office LTSC for Mac 2021. An attacker could get a user to open a specially crafted file, delivering it by email or a malicious website, to compromise a device.

Table 1 – Microsoft Patch Tuesday updates, January 2021

| Product | Impact | Severity | Article | Details |
| --- | --- | --- | --- | --- |
| Windows Server, version 20H2 (Server Core Installation) | Security Feature Bypass | Important | 5009543 | CVE-2022-21913 |
| Windows 10 Version 20H2 for ARM64-based Systems | Security Feature Bypass | Important | 5009543 | CVE-2022-21913 |
| Windows 10 Version 20H2 for 32-bit Systems | Security Feature Bypass | Important | 5009543 | CVE-2022-21913 |
| Windows Server 2022 | Elevation of Privilege | Important | 5009555 | CVE-2022-21901 |
| Windows 10 Version 1809 for x64-based Systems | Elevation of Privilege | Important | 5009557 | CVE-2022-21902 |
| Windows 10 Version 1809 for 32-bit Systems | Elevation of Privilege | Important | 5009557 | CVE-2022-21902 |
| Windows 10 Version 21H1 for x64-based Systems | Elevation of Privilege | Important | 5009543 | CVE-2022-21901 |
| Windows 10 Version 1909 for x64-based Systems | Elevation of Privilege | Important | 5009545 | CVE-2022-21901 |
| Windows Server 2019 (Server Core installation) | Elevation of Privilege | Important | 5009557 | CVE-2022-21901 |
| Windows Server 2019 | Elevation of Privilege | Important | 5009557 | CVE-2022-21901 |
| Windows Server 2012 R2 (Server Core installation) | Security Feature Bypass | Important | 5009624 | CVE-2022-21900 |
| Windows Server 2012 R2 | Security Feature Bypass | Important | 5009624 | CVE-2022-21900 |
| Windows Server 2012 (Server Core installation) | Security Feature Bypass | Important | 5009586 | CVE-2022-21900 |
| Windows Server 2012 | Security Feature Bypass | Important | 5009586 | CVE-2022-21900 |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Security Feature Bypass | Important | 5009610 | CVE-2022-21900 |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Security Feature Bypass | Important | 5009610 | CVE-2022-21900 |
| Windows 8.1 for x64-based systems | Security Feature Bypass | Important | 5009624 | CVE-2022-21900 |
| Windows 10 Version 1607 for 32-bit Systems | Elevation of Privilege | Important | 5009546 | CVE-2022-21897 |
| Windows 10 for x64-based Systems | Elevation of Privilege | Important | 5009585 | CVE-2022-21897 |
| Windows 10 Version 20H2 for x64-based Systems | Elevation of Privilege | Important | 5009543 | CVE-2022-21897 |
| Windows 10 Version 21H2 for ARM64-based Systems | Denial of Service | Important | 5009543 | CVE-2022-21889 |
| Windows 10 Version 21H2 for 32-bit Systems | Denial of Service | Important | 5009543 | CVE-2022-21889 |
| Windows 11 for ARM64-based Systems | Denial of Service | Important | 5009566 | CVE-2022-21889 |
| Windows 11 for x64-based Systems | Denial of Service | Important | 5009566 | CVE-2022-21889 |
| Windows 10 Version 1909 for ARM64-based Systems | Denial of Service | Important | 5009545 | CVE-2022-21890 |
| Windows 10 Version 1909 for 32-bit Systems | Denial of Service | Important | 5009545 | CVE-2022-21890 |
| Windows 10 Version 21H2 for x64-based Systems | Remote Code Execution | Important | 5009543 | CVE-2022-21888 |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | Elevation of Privilege | Important | 5009627 | CVE-2022-21884 |
| Windows Server 2016 (Server Core installation) | Elevation of Privilege | Important | 5009546 | CVE-2022-21884 |
| Windows Server 2016 | Elevation of Privilege | Important | 5009546 | CVE-2022-21884 |
| Windows 10 Version 1607 for x64-based Systems | Remote Code Execution | Important | 5009546 | CVE-2022-21963 |
| Windows 10 for 32-bit Systems | Remote Code Execution | Important | 5009585 | CVE-2022-21963 |
| Windows 10 Version 1809 for ARM64-based Systems | Remote Code Execution | Important | 5009557 | CVE-2022-21963 |
| Windows RT 8.1 | Remote Code Execution | Important | 5009624 | CVE-2022-21962 |
| Windows 8.1 for 32-bit systems | Remote Code Execution | Important | 5009624 | CVE-2022-21962 |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | Security Feature Bypass | Important | 5009627 | CVE-2022-21925 |
| Windows Server 2008 for x64-based Systems Service Pack 2 | Security Feature Bypass | Important | 5009627 | CVE-2022-21925 |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | Security Feature Bypass | Important | 5009627 | CVE-2022-21925 |
| Windows 10 Version 21H1 for 32-bit Systems | Security Feature Bypass | Important | 5009543 | CVE-2022-21924 |
| Windows 10 Version 21H1 for ARM64-based Systems | Security Feature Bypass | Important | 5009543 | CVE-2022-21924 |
| Windows Server 2022 (Server Core installation) | Remote Code Execution | Important | 5009555 | CVE-2022-21959 |
| Microsoft .NET Framework 3.5 AND 4.7.2 | Denial of Service | Important | 5009585 | CVE-2022-21911 |
| Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 | Denial of Service | Important | 5009546 | CVE-2022-21911 |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 | Denial of Service | Important | 5009720 | CVE-2022-21911 |
| Microsoft .NET Framework 3.5 AND 4.8 | Denial of Service | Important | 5008879 | CVE-2022-21911 |
| Microsoft .NET Framework 4.8 | Denial of Service | Important | 5008877 | CVE-2022-21911 |
| Windows 7 for x64-based Systems Service Pack 1 | Denial of Service | Important | 5009610 | CVE-2022-21883 |
| Windows 7 for 32-bit Systems Service Pack 1 | Denial of Service | Important | 5009610 | CVE-2022-21883 |
| Microsoft .NET Framework 4.5.2 | Denial of Service | Important | 5009720 | CVE-2022-21911 |
| Microsoft .NET Framework 3.5.1 | Denial of Service | Important | 5009719 | CVE-2022-21911 |
| Microsoft .NET Framework 3.5 | Denial of Service | Important | 5009721 | CVE-2022-21911 |
| Microsoft .NET Framework 4.6 | Denial of Service | Important | 5009722 | CVE-2022-21911 |
| Microsoft .NET Framework 2.0 Service Pack 2 | Denial of Service | Important | 5009722 | CVE-2022-21911 |
| Dynamics 365 Sales | Spoofing | Important | | CVE-2022-21891 |
| Microsoft Exchange Server 2019 Cumulative Update 11 | Remote Code Execution | Important | 5008631 | CVE-2022-21969 |
| Microsoft Exchange Server 2016 Cumulative Update 22 | Remote Code Execution | Important | 5008631 | CVE-2022-21969 |
| Microsoft Exchange Server 2019 Cumulative Update 10 | Remote Code Execution | Important | 5008631 | CVE-2022-21969 |
| Microsoft Exchange Server 2016 Cumulative Update 21 | Remote Code Execution | Important | 5008631 | CVE-2022-21969 |
| Microsoft Exchange Server 2013 Cumulative Update 23 | Remote Code Execution | Important | 5008631 | CVE-2022-21969 |
| Microsoft Word 2016 (64-bit edition) | Remote Code Execution | Important | 5002057 | CVE-2022-21842 |
| Microsoft Word 2016 (32-bit edition) | Remote Code Execution | Important | 5002057 | CVE-2022-21842 |
| Microsoft SharePoint Enterprise Server 2016 | Remote Code Execution | Important | 5002113 | CVE-2022-21842 |
| Microsoft Office 2013 Service Pack 1 (64-bit editions) | Remote Code Execution | Important | 5002119 | CVE-2022-21841 |
| Microsoft Office 2013 Service Pack 1 (32-bit editions) | Remote Code Execution | Important | 5002119 | CVE-2022-21841 |
| Microsoft Office 2013 RT Service Pack 1 | Remote Code Execution | Important | 5002119 | CVE-2022-21841 |
| Microsoft Office 2016 (64-bit edition) | Remote Code Execution | Important | 5002116 | CVE-2022-21841 |
| Microsoft Office 2016 (32-bit edition) | Remote Code Execution | Important | 5002116 | CVE-2022-21841 |
| Microsoft Office LTSC 2021 for 32-bit editions | Remote Code Execution | Important | Click to Run | CVE-2022-21841 |
| Microsoft Office LTSC 2021 for 64-bit editions | Remote Code Execution | Important | Click to Run | CVE-2022-21841 |
| Microsoft Office LTSC for Mac 2021 | Remote Code Execution | Important | | CVE-2022-21841 |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Remote Code Execution | Important | Click to Run | CVE-2022-21841 |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Remote Code Execution | Important | Click to Run | CVE-2022-21841 |
| Microsoft Office 2019 for Mac | Remote Code Execution | Important | | CVE-2022-21841 |
| Microsoft Office 2019 for 64-bit editions | Remote Code Execution | Important | Click to Run | CVE-2022-21841 |
| Microsoft Office 2019 for 32-bit editions | Remote Code Execution | Important | Click to Run | CVE-2022-21841 |
| Microsoft SharePoint Foundation 2013 Service Pack 1 | Remote Code Execution | Important | 5002127 | CVE-2022-21837 |
| Microsoft SharePoint Server Subscription Edition | Remote Code Execution | Important | 5002111 | CVE-2022-21837 |
| Microsoft SharePoint Server 2019 | Remote Code Execution | Important | 5002109 | CVE-2022-21837 |
| Microsoft Dynamics 365 Customer Engagement V9.0 | Spoofing | Important | 5010574 | CVE-2022-21932 |
| HEVC Video Extensions | Remote Code Execution | Critical | Update Information | CVE-2022-21917 |
| Remote Desktop client for Windows Desktop | Remote Code Execution | Important | Release Notes | CVE-2022-21851 |
| Microsoft Office Web Apps Server 2013 Service Pack 1 | Remote Code Execution | Critical | 5002122 | CVE-2022-21840 |
| Microsoft Excel 2013 Service Pack 1 (64-bit editions) | Remote Code Execution | Critical | 5002128 | CVE-2022-21840 |
| Microsoft Excel 2013 Service Pack 1 (32-bit editions) | Remote Code Execution | Critical | 5002128 | CVE-2022-21840 |
| Microsoft Excel 2013 RT Service Pack 1 | Remote Code Execution | Critical | 5002128 | CVE-2022-21840 |
| Microsoft Excel 2016 (64-bit edition) | Remote Code Execution | Critical | 5002114 | CVE-2022-21840 |
| Microsoft Excel 2016 (32-bit edition) | Remote Code Execution | Critical | 5002114 | CVE-2022-21840 |
| SharePoint Server Subscription Edition Language Pack | Remote Code Execution | Critical | 5002110 | CVE-2022-21840 |
| Microsoft Office Online Server | Remote Code Execution | Critical | 5002107 | CVE-2022-21840 |
| Microsoft SharePoint Enterprise Server 2013 Service Pack 1 | Remote Code Execution | Critical | 5001995 | CVE-2022-21840 |

Adobe

Adobe released 5 patches fixing 41 CVEs in January. The bugs affect Acrobat and Reader, Illustrator, Adobe Bridge, InCopy, and InDesign. It’s no surprise that the Acrobat and Reader patch fixes a massive 26 bugs in the software, including an RCE that an attacker could exploit if the user opens a specially crafted PDF document.

None of the flaws patched by Adobe this month are known to be actively exploited in the wild at the time of release, but again that will likely change.

Windows Update testing and best practices

Organizations looking to deploy this month’s patches should conduct thorough testing before deploying them widely on production systems. That said, applying the patches widely shouldn’t be delayed longer than necessary as hackers start to work out how to weaponize newly reported vulnerabilities.

Best practice is to make sure you have backed up systems before applying updates. Every month, users experience issues with Windows updates that lead to systems not booting, application and hardware compatibility issues, or even data loss in extreme cases.

There are backup tools built into Windows and Windows Server that you can use to restore systems in the event a patch causes a problem. The backup features in Windows can be used to restore an entire system, or files and folders on a granular basis.

If you have any problems with this month’s patches, please let us know in the comments below. Other readers might be able to share their experiences in how to roll back problematic updates or mitigate issues caused by patches that are important to have in place.

But that is it for another month and happy patching!