Patch Tuesday: Six zero-days and over 90 vulnerabilities fixed


Microsoft has released 96 security fixes, including updates to address six zero-day vulnerabilities.

In its latest round of fixes, released as usual on the second Tuesday of the month (the cadence known as Patch Tuesday), Microsoft addresses remote code execution (RCE) bugs, elevation of privilege flaws, spoofing issues and cross-site scripting (XSS) vulnerabilities.

Products affected by the January 2022 security update include Microsoft Exchange Server, the Office suite, Windows Defender, the Windows Kernel, RDP, Cryptographic Services, Windows Certificates and Microsoft Teams.

Zero-days

The zero-day vulnerabilities addressed in this update are:

  • CVE-2021-22947: credited to HackerOne, a remote code execution vulnerability in the open source Curl library that can be abused in man-in-the-middle (MitM) attacks;
  • CVE-2021-36976: credited to MITRE, a use-after-free bug in the open source Libarchive library leading to RCE;
  • CVE-2022-21874: a local RCE vulnerability in the Windows Security Center API (CVSS 7.8);
  • CVE-2022-21919: an elevation of privilege flaw in the Windows User Profile Service (CVSS 7.0), with proof-of-concept (PoC) exploit code publicly known;
  • CVE-2022-21839: a denial-of-service (DoS) flaw in the Windows Event Tracing Discretionary Access Control List (CVSS 6.1);
  • CVE-2022-21836: a Windows Certificate spoofing vulnerability (CVSS 7.8), with PoC exploit code publicly known.

None of these six is known to have been exploited in the wild; they count as zero-days because details (and in two cases PoC code) were public before a fix was available. Separately, 24 vulnerabilities were patched in the Chromium-based Microsoft Edge earlier this month. According to the Zero Day Initiative (ZDI), a release of this size (96 fixes) is unusual for January; in previous years the January count has often been about half that.

Rising patch counts

Microsoft also announced a change to the Security Update Guide notification system: a standard email address is now accepted at registration, where previously a Live ID (Microsoft account) was required.

Last month, Microsoft released 67 security fixes as part of the December 2021 Patch Tuesday. Seven critical vulnerabilities were among the issues addressed, along with six zero-days. One of these, CVE-2021-43890, a spoofing bug in the Windows AppX Installer, was being actively exploited to distribute the Emotet, Trickbot and BazaLoader malware families.

A month earlier, the tech giant fixed 55 vulnerabilities during Patch Tuesday in November 2021.

In other recent Microsoft news, the company released an emergency fix earlier this month for a bug affecting on-premises Exchange servers. A date check in the FIP-FS malware scanning engine failed on 1 January 2022, which stopped mail from flowing through the transport queues of Exchange Server 2016 and Exchange Server 2019 until the engine was updated.


Along with Microsoft’s Patch Tuesday, other vendors are also releasing their security fixes:

Source: ZDNet.com
