Last Update: Sep 04, 2024 | Published: Jan 12, 2022
Microsoft patches a wormable bug in http.sys in Windows and Windows Server. There are also fixes for three remote code execution vulnerabilities in Exchange Server. And Adobe releases fixes for 26 flaws in Acrobat and Reader. So, let’s get started!
This month there are fixes for six zero-days in Windows and Windows Server, but none of them are known to be exploited by attackers in the wild at the time of release, although that is likely to change. Two of the zero-days, CVE-2021-36976 and CVE-2022-21874, are remote code execution (RCE) flaws. CVE-2022-21836 is a certificate spoofing bug that already has publicly available proof-of-concept code.
More concerning than the zero-days listed above is a wormable flaw in http.sys. CVE-2022-21907 could let an attacker execute code on an affected device by sending specially crafted HTTP packets. It requires no user interaction and no special rights. Make sure your servers get patched first, then client devices. Microsoft says: “In Windows Server 2019 and Windows 10 version 1809, the HTTP Trailer Support feature that contains the vulnerability is not active by default.”
Devices are vulnerable if the following registry value is present:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters "EnableTrailerSupport"=dword:00000001
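As an added example (not code from the original post), here is a PowerShell audit for the CVE-2022-21907 conditions described above: it reads the EnableTrailerSupport value, looks up the January 2022 cumulative update for the host's build using the KB numbers from Table 1 below, and reports whether the host is patched. It assumes that Microsoft's "not active by default" note applies only to Windows Server 2019 / Windows 10 1809 (build 17763) and that the build-to-KB map (mine, derived from Table 1) matches the host being checked.

```powershell
# Added example, not code from the original post. Run in an elevated session.
# Assumptions: KB numbers come from Table 1 on this page; the build-to-KB map
# is mine; the "off by default" note applies only to build 17763 (Server 2019 /
# Windows 10 1809); other builds are exposed until the update is installed.

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$valueName = 'EnableTrailerSupport'

# A missing value is treated the same as 0 (feature not explicitly enabled).
$props = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
$trailerEnabled = ($null -ne $props -and $props.$valueName -eq 1)

# January 2022 cumulative update per OS build (KB numbers from Table 1).
$kbByBuild = @{
    '14393' = 'KB5009546'   # Windows 10 1607 / Windows Server 2016
    '17763' = 'KB5009557'   # Windows 10 1809 / Windows Server 2019
    '18363' = 'KB5009545'   # Windows 10 1909
    '19042' = 'KB5009543'   # Windows 10 20H2 / Windows Server, version 20H2
    '19043' = 'KB5009543'   # Windows 10 21H1
    '19044' = 'KB5009543'   # Windows 10 21H2
    '20348' = 'KB5009555'   # Windows Server 2022
    '22000' = 'KB5009566'   # Windows 11
}

$build      = (Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
$expectedKb = $kbByBuild[$build]
$patched    = $false
if ($expectedKb) {
    $patched = [bool](Get-HotFix -Id $expectedKb -ErrorAction SilentlyContinue)
}

# http.sys is a kernel driver, so check Win32_SystemDriver rather than Get-Service.
$httpDriver  = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='HTTP'"
$httpRunning = ($httpDriver.State -eq 'Running')

$offByDefault = ($build -eq '17763')
$exposure = 'Vulnerable: update missing and trailer support active'
if ($patched) { $exposure = 'Patched' }
elseif (-not $expectedKb) { $exposure = 'Unknown build: look up the January 2022 KB for this OS manually' }
elseif ($offByDefault -and -not $trailerEnabled) { $exposure = 'Update missing, but trailer support is not enabled on this build' }

[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    OSBuild              = $build
    HttpDriverRunning    = $httpRunning
    EnableTrailerSupport = $trailerEnabled
    ExpectedKB           = $expectedKb
    KBInstalled          = $patched
    Exposure             = $exposure
}
```

Wrap the script in Invoke-Command -ComputerName to run it across a fleet; the returned object sorts and filters like any other PowerShell output.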
CVE-2022-21857 is a bug that could let an attacker elevate rights across an Active Directory trust boundary under specific conditions. An attacker would require some access already to Active Directory. Microsoft has rated the bug Critical.
Following on from the Exchange Server Y2K22 bug earlier this month, Microsoft has released patches for three RCE bugs, one of which is Critical (CVE-2022-21846). To be exploited, all the flaws would require internal network access.
CVE-2022-21840 is a Critical RCE bug that affects multiple versions of Microsoft Office. Unfortunately, there is no patch currently available for Office 2019 for Mac and Microsoft Office LTSC for Mac 2021. An attacker could get a user to open a specially crafted file, delivering it by email or a malicious website, to compromise a device.
Table 1 – Microsoft Patch Tuesday updates, January 2022

| Product | Impact | Severity | Article | Details |
|---|---|---|---|---|
| Windows Server, version 20H2 (Server Core Installation) | Security Feature Bypass | Important | 5009543 | CVE-2022-21913 |
| Windows 10 Version 20H2 for ARM64-based Systems | Security Feature Bypass | Important | 5009543 | CVE-2022-21913 |
| Windows 10 Version 20H2 for 32-bit Systems | Security Feature Bypass | Important | 5009543 | CVE-2022-21913 |
| Windows Server 2022 | Elevation of Privilege | Important | 5009555 | CVE-2022-21901 |
| Windows 10 Version 1809 for x64-based Systems | Elevation of Privilege | Important | 5009557 | CVE-2022-21902 |
| Windows 10 Version 1809 for 32-bit Systems | Elevation of Privilege | Important | 5009557 | CVE-2022-21902 |
| Windows 10 Version 21H1 for x64-based Systems | Elevation of Privilege | Important | 5009543 | CVE-2022-21901 |
| Windows 10 Version 1909 for x64-based Systems | Elevation of Privilege | Important | 5009545 | CVE-2022-21901 |
| Windows Server 2019 (Server Core installation) | Elevation of Privilege | Important | 5009557 | CVE-2022-21901 |
| Windows Server 2019 | Elevation of Privilege | Important | 5009557 | CVE-2022-21901 |
| Windows Server 2012 R2 (Server Core installation) | Security Feature Bypass | Important | 5009624 | CVE-2022-21900 |
| Windows Server 2012 R2 | Security Feature Bypass | Important | 5009624 | CVE-2022-21900 |
| Windows Server 2012 (Server Core installation) | Security Feature Bypass | Important | 5009586 | CVE-2022-21900 |
| Windows Server 2012 | Security Feature Bypass | Important | 5009586 | CVE-2022-21900 |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Security Feature Bypass | Important | 5009610 | CVE-2022-21900 |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Security Feature Bypass | Important | 5009610 | CVE-2022-21900 |
| Windows 8.1 for x64-based systems | Security Feature Bypass | Important | 5009624 | CVE-2022-21900 |
| Windows 10 Version 1607 for 32-bit Systems | Elevation of Privilege | Important | 5009546 | CVE-2022-21897 |
| Windows 10 for x64-based Systems | Elevation of Privilege | Important | 5009585 | CVE-2022-21897 |
| Windows 10 Version 20H2 for x64-based Systems | Elevation of Privilege | Important | 5009543 | CVE-2022-21897 |
| Windows 10 Version 21H2 for ARM64-based Systems | Denial of Service | Important | 5009543 | CVE-2022-21889 |
| Windows 10 Version 21H2 for 32-bit Systems | Denial of Service | Important | 5009543 | CVE-2022-21889 |
| Windows 11 for ARM64-based Systems | Denial of Service | Important | 5009566 | CVE-2022-21889 |
| Windows 11 for x64-based Systems | Denial of Service | Important | 5009566 | CVE-2022-21889 |
| Windows 10 Version 1909 for ARM64-based Systems | Denial of Service | Important | 5009545 | CVE-2022-21890 |
| Windows 10 Version 1909 for 32-bit Systems | Denial of Service | Important | 5009545 | CVE-2022-21890 |
| Windows 10 Version 21H2 for x64-based Systems | Remote Code Execution | Important | 5009543 | CVE-2022-21888 |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | Elevation of Privilege | Important | 5009627 | CVE-2022-21884 |
| Windows Server 2016 (Server Core installation) | Elevation of Privilege | Important | 5009546 | CVE-2022-21884 |
| Windows Server 2016 | Elevation of Privilege | Important | 5009546 | CVE-2022-21884 |
| Windows 10 Version 1607 for x64-based Systems | Remote Code Execution | Important | 5009546 | CVE-2022-21963 |
| Windows 10 for 32-bit Systems | Remote Code Execution | Important | 5009585 | CVE-2022-21963 |
| Windows 10 Version 1809 for ARM64-based Systems | Remote Code Execution | Important | 5009557 | CVE-2022-21963 |
| Windows RT 8.1 | Remote Code Execution | Important | 5009624 | CVE-2022-21962 |
| Windows 8.1 for 32-bit systems | Remote Code Execution | Important | 5009624 | CVE-2022-21962 |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | Security Feature Bypass | Important | 5009627 | CVE-2022-21925 |
| Windows Server 2008 for x64-based Systems Service Pack 2 | Security Feature Bypass | Important | 5009627 | CVE-2022-21925 |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | Security Feature Bypass | Important | 5009627 | CVE-2022-21925 |
| Windows 10 Version 21H1 for 32-bit Systems | Security Feature Bypass | Important | 5009543 | CVE-2022-21924 |
| Windows 10 Version 21H1 for ARM64-based Systems | Security Feature Bypass | Important | 5009543 | CVE-2022-21924 |
| Windows Server 2022 (Server Core installation) | Remote Code Execution | Important | 5009555 | CVE-2022-21959 |
| Microsoft .NET Framework 3.5 AND 4.7.2 | Denial of Service | Important | 5009585 | CVE-2022-21911 |
| Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 | Denial of Service | Important | 5009546 | CVE-2022-21911 |
| Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 | Denial of Service | Important | 5009720 | CVE-2022-21911 |
| Microsoft .NET Framework 3.5 AND 4.8 | Denial of Service | Important | 5008879 | CVE-2022-21911 |
| Microsoft .NET Framework 4.8 | Denial of Service | Important | 5008877 | CVE-2022-21911 |
| Windows 7 for x64-based Systems Service Pack 1 | Denial of Service | Important | 5009610 | CVE-2022-21883 |
| Windows 7 for 32-bit Systems Service Pack 1 | Denial of Service | Important | 5009610 | CVE-2022-21883 |
| Microsoft .NET Framework 4.5.2 | Denial of Service | Important | 5009720 | CVE-2022-21911 |
| Microsoft .NET Framework 3.5.1 | Denial of Service | Important | 5009719 | CVE-2022-21911 |
| Microsoft .NET Framework 3.5 | Denial of Service | Important | 5009721 | CVE-2022-21911 |
| Microsoft .NET Framework 4.6 | Denial of Service | Important | 5009722 | CVE-2022-21911 |
| Microsoft .NET Framework 2.0 Service Pack 2 | Denial of Service | Important | 5009722 | CVE-2022-21911 |
| Dynamics 365 Sales | Spoofing | Important | | CVE-2022-21891 |
| Microsoft Exchange Server 2019 Cumulative Update 11 | Remote Code Execution | Important | 5008631 | CVE-2022-21969 |
| Microsoft Exchange Server 2016 Cumulative Update 22 | Remote Code Execution | Important | 5008631 | CVE-2022-21969 |
| Microsoft Exchange Server 2019 Cumulative Update 10 | Remote Code Execution | Important | 5008631 | CVE-2022-21969 |
| Microsoft Exchange Server 2016 Cumulative Update 21 | Remote Code Execution | Important | 5008631 | CVE-2022-21969 |
| Microsoft Exchange Server 2013 Cumulative Update 23 | Remote Code Execution | Important | 5008631 | CVE-2022-21969 |
| Microsoft Word 2016 (64-bit edition) | Remote Code Execution | Important | 5002057 | CVE-2022-21842 |
| Microsoft Word 2016 (32-bit edition) | Remote Code Execution | Important | 5002057 | CVE-2022-21842 |
| Microsoft SharePoint Enterprise Server 2016 | Remote Code Execution | Important | 5002113 | CVE-2022-21842 |
| Microsoft Office 2013 Service Pack 1 (64-bit editions) | Remote Code Execution | Important | 5002119 | CVE-2022-21841 |
| Microsoft Office 2013 Service Pack 1 (32-bit editions) | Remote Code Execution | Important | 5002119 | CVE-2022-21841 |
| Microsoft Office 2013 RT Service Pack 1 | Remote Code Execution | Important | 5002119 | CVE-2022-21841 |
| Microsoft Office 2016 (64-bit edition) | Remote Code Execution | Important | 5002116 | CVE-2022-21841 |
| Microsoft Office 2016 (32-bit edition) | Remote Code Execution | Important | 5002116 | CVE-2022-21841 |
| Microsoft Office LTSC 2021 for 32-bit editions | Remote Code Execution | Important | Click to Run | CVE-2022-21841 |
| Microsoft Office LTSC 2021 for 64-bit editions | Remote Code Execution | Important | Click to Run | CVE-2022-21841 |
| Microsoft Office LTSC for Mac 2021 | Remote Code Execution | Important | | CVE-2022-21841 |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Remote Code Execution | Important | Click to Run | CVE-2022-21841 |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Remote Code Execution | Important | Click to Run | CVE-2022-21841 |
| Microsoft Office 2019 for Mac | Remote Code Execution | Important | | CVE-2022-21841 |
| Microsoft Office 2019 for 64-bit editions | Remote Code Execution | Important | Click to Run | CVE-2022-21841 |
| Microsoft Office 2019 for 32-bit editions | Remote Code Execution | Important | Click to Run | CVE-2022-21841 |
| Microsoft SharePoint Foundation 2013 Service Pack 1 | Remote Code Execution | Important | 5002127 | CVE-2022-21837 |
| Microsoft SharePoint Server Subscription Edition | Remote Code Execution | Important | 5002111 | CVE-2022-21837 |
| Microsoft SharePoint Server 2019 | Remote Code Execution | Important | 5002109 | CVE-2022-21837 |
| Microsoft Dynamics 365 Customer Engagement V9.0 | Spoofing | Important | 5010574 | CVE-2022-21932 |
| HEVC Video Extensions | Remote Code Execution | Critical | Update Information | CVE-2022-21917 |
| Remote Desktop client for Windows Desktop | Remote Code Execution | Important | Release Notes | CVE-2022-21851 |
| Microsoft Office Web Apps Server 2013 Service Pack 1 | Remote Code Execution | Critical | 5002122 | CVE-2022-21840 |
| Microsoft Excel 2013 Service Pack 1 (64-bit editions) | Remote Code Execution | Critical | 5002128 | CVE-2022-21840 |
| Microsoft Excel 2013 Service Pack 1 (32-bit editions) | Remote Code Execution | Critical | 5002128 | CVE-2022-21840 |
| Microsoft Excel 2013 RT Service Pack 1 | Remote Code Execution | Critical | 5002128 | CVE-2022-21840 |
| Microsoft Excel 2016 (64-bit edition) | Remote Code Execution | Critical | 5002114 | CVE-2022-21840 |
| Microsoft Excel 2016 (32-bit edition) | Remote Code Execution | Critical | 5002114 | CVE-2022-21840 |
| SharePoint Server Subscription Edition Language Pack | Remote Code Execution | Critical | 5002110 | CVE-2022-21840 |
| Microsoft Office Online Server | Remote Code Execution | Critical | 5002107 | CVE-2022-21840 |
| Microsoft SharePoint Enterprise Server 2013 Service Pack 1 | Remote Code Execution | Critical | 5001995 | CVE-2022-21840 |
Adobe released 5 patches fixing 41 CVEs in January. The bugs affect Acrobat and Reader, Illustrator, Adobe Bridge, InCopy, and InDesign. Unsurprisingly, the Acrobat and Reader patch alone fixes 26 bugs, including an RCE an attacker could exploit if the user opens a specially crafted PDF document.
None of the flaws patched by Adobe this month are known to be actively exploited in the wild at the time of release, but again that will likely change.
Organizations looking to deploy this month’s patches should test them thoroughly before rolling them out widely on production systems. That said, wide deployment shouldn’t be delayed longer than necessary, because attackers start working out how to weaponize newly reported vulnerabilities as soon as they are published.
Best practice is to make sure you have backed up systems before applying updates. Every month, users experience issues with Windows updates that lead to systems not booting, application and hardware compatibility issues, or even data loss in extreme cases.
There are backup tools built into Windows and Windows Server that you can use to restore systems in the event a patch causes a problem. The backup features in Windows can be used to restore an entire system, or files and folders on a granular basis.
If you have any problems with this month’s patches, please let us know in the comments below. Other readers might be able to share their experiences in how to roll back problematic updates or mitigate issues caused by patches that are important to have in place.
That is it for another month. Happy patching!