Microsoft patched 126 vulnerabilities in its January 2022 Patch Tuesday release. Of these, nine are rated critical severity. As of this writing, none of the 126 vulnerabilities is known to be actively exploited.
The release fixes Remote Code Execution (RCE) vulnerabilities, privilege escalation flaws, spoofing bugs, and Denial of Service (DoS) issues in Microsoft software.
This update covers products such as Microsoft Office, Microsoft Exchange Server, Windows Defender, Windows Virtual Machine IDE Drive, and the Edge browser.
The vulnerabilities are classified as:
- 3 Spoofing Vulnerabilities
- 10 Denial of Service Vulnerabilities
- 43 Elevation of Privilege Vulnerabilities
- 8 Information Disclosure Vulnerabilities
- 9 Security Feature Bypass Vulnerabilities
- 29 Remote Code Execution Vulnerabilities
Critical Microsoft Vulnerabilities Patched
- CVE-2022-21836 – Windows Certificate Spoofing Vulnerability
- CVE-2021-36976 – Libarchive Remote Code Execution Vulnerability
- CVE-2022-21840 – Microsoft Office Remote Code Execution Vulnerability
- CVE-2021-22947 – Open-Source Curl Remote Code Execution Vulnerability
- CVE-2022-21907 – HTTP Protocol Stack Remote Code Execution Vulnerability
- CVE-2022-21849 – Windows IKE Extension Remote Code Execution Vulnerability
- CVE-2022-21846 – Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2022-21919 – Windows User Profile Service Elevation of Privilege Vulnerability
- CVE-2022-21837 – Microsoft SharePoint Server Remote Code Execution Vulnerability
- CVE-2022-21874 – Windows Security Center API Remote Code Execution Vulnerability
- CVE-2022-21839 – Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability
Visit the January 2022 Security Updates page for the full description of each vulnerability and the systems it affects.
Customers can scan their network with QIDs 91851, 91852, 91853, 91854, 110398, 110399, 50118, and 376232 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.
References
https://msrc.microsoft.com/update-guide/releaseNote/2022-Jan
https://threatpost.com/microsoft-wormable-critical-rce-bug-zero-day/177564/
https://www.zdnet.com/article/microsoft-january-2022-patch-tuesday-six-zero-days-over-90-vulnerabilities-fixed/
https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2022-patch-tuesday-fixes-6-zero-days-97-flaws/