Microsoft January 2022 Patch Tuesday fixes 6 zero-days, 97 flaws

Gandalf_The_Grey

Level 62
Thread author
Verified
Helper
Top poster
Content Creator
Well-known
Apr 24, 2016
5,113
Today is Microsoft's January 2022 Patch Tuesday, and with it comes fixes for six zero-day vulnerabilities and a total of 97 flaws.

Microsoft has fixed 97 vulnerabilities (not including 29 Microsoft Edge vulnerabilities) with today's update, with nine classified as Critical and 88 as Important.

The number of each type of vulnerability is listed below:
  • 41 Elevation of Privilege Vulnerabilities
  • 9 Security Feature Bypass Vulnerabilities
  • 29 Remote Code Execution Vulnerabilities
  • 6 Information Disclosure Vulnerabilities
  • 9 Denial of Service Vulnerabilities
  • 3 Spoofing Vulnerabilities
Six zero-days fixed, none actively exploited
 

Gandalf_The_Grey

ZDI: The January 2022 Security Update Review
The first patch Tuesday of the year is here, and with it comes the latest security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for January 2022

For January, Adobe released 5 patches addressing 41 CVEs in Acrobat and Reader, Illustrator, Adobe Bridge, InCopy, and InDesign. A total of 22 of these bugs came through the ZDI program. The update for Acrobat and Reader fixes a total of 26 bugs, the worst of which could lead to remote code execution (RCE) if a user opened a specially crafted PDF. Several of these bugs were demonstrated at the Tianfu Cup, so it would not be unexpected to see these used in the wild somewhere down the line. The update for InCopy fixes three Critical-rated RCE bugs and one Important-rated privilege escalation. The patch for InDesign corrects two Critical-rated Out-of-bounds (OOB) Write bugs that could lead to code execution plus a Moderate Use-After-Free privilege escalation. The fix for Adobe Bridge covers six bugs, but only one OOB Write is listed as Critical. The others are a mix of privilege escalations and memory leaks. Finally, the patch for Illustrator covers two OOB Read bugs – neither of which can be used for code execution.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.

Microsoft Patches for January 2022

For January, Microsoft released patches today for 96 new CVEs in Microsoft Windows and Windows Components, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Source Software, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP). This is in addition to the 24 CVEs patched by Microsoft Edge (Chromium-based) earlier this month and 2 other CVEs previously fixed in open-source projects. This brings the January total to 122 CVEs.

This is an unusually large update for January. Over the last few years, the average number of patches released in January is about half this volume. We’ll see if this volume continues throughout the year. It’s certainly a change from the smaller releases that ended 2021.

Of the CVEs patched today, nine are rated Critical and 89 are rated Important in severity. A total of five of these bugs came through the ZDI program. Six of these bugs are listed as publicly known at the time of release, but none are listed as under active attack. Let’s take a closer look at some of the more interesting updates for this month, starting with a bug in http.sys listed as wormable.

Gandalf_The_Grey

Ghacks: Microsoft Windows Security Updates January 2022 overview
Microsoft released security updates and non-security updates for all supported versions of its Windows operating system and other company products on January 11, 2022.

The first Patch Tuesday of the year 2022 is already available via Windows Update, update management systems such as WSUS, and as direct downloads from the Microsoft Update Catalog.

The guide that you are reading has all the information that you require to make educated updating decisions. It links to all support pages and downloads, lists critical vulnerabilities, includes a list of known issues, and also links to additional support pages and resources.

Executive Summary
  • Security updates have been released for all supported client and server versions of the Windows operating system.
  • Microsoft released security updates for other company products as well, including .NET Framework, Microsoft Dynamics, Microsoft Office, Microsoft Edge, Microsoft Teams, Microsoft Windows Codecs Library, DirectX, Windows Defender, Windows Secure Boot and others.
  • The following client operating systems have known issues: Windows 7, Windows 8.1, Windows 10 version 1607, Windows 10 version 20H2, Windows 10 version 21H1, Windows 11
  • The following server operating systems have known issues: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
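As an added check to go with the update channels the Ghacks overview lists (Windows Update, WSUS, the Microsoft Update Catalog), here is a PowerShell snippet that is not from the article or from this thread. It reports the host's OS build and any hotfixes recorded as installed on or after 11 January 2022, the release date the post gives, so an administrator can confirm the month's updates actually landed. The specific KB numbers for this month are not on the page, so the filter is by install date rather than KB ID; the cut-off date variable and the warning text are my own choices.

```powershell
# Added example (not from the Ghacks article or this thread).
# Assumption: the January 2022 Patch Tuesday release date of 2022-01-11 is the
# only value taken from the page; everything else is a generic check.
$patchTuesday = Get-Date -Year 2022 -Month 1 -Day 11

# Current build and UBR from the registry; DisplayVersion exists on Windows 10 20H2
# and later, older builds expose ReleaseId instead.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$version = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }
Write-Output ("OS build {0}.{1} ({2})" -f $cv.CurrentBuild, $cv.UBR, $version)

# Get-HotFix lists installed updates; InstalledOn can be null for some entries,
# so guard against that before comparing dates.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn -Descending |
    Select-Object HotFixID, Description, InstalledOn

if ($recent) {
    $recent | Format-Table -AutoSize
} else {
    Write-Warning ("No updates recorded since {0}; check Windows Update, WSUS, or the Update Catalog." -f $patchTuesday.ToShortDateString())
}
```

Run it in an elevated PowerShell session on each host, or push it through your remote management tool, and treat an empty result as a prompt to look at the update pipeline rather than proof of compromise: Get-HotFix only reflects what the Windows Update agent has registered, so a failed or pending install shows up as silence here.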

Gandalf_The_Grey

‘Wormable’ Flaw Leads January 2022 Patch Tuesday
Microsoft today released updates to plug nearly 120 security holes in Windows and supported software. Six of the vulnerabilities were publicly detailed already, potentially giving attackers a head start in figuring out how to exploit them in unpatched systems. More concerning, Microsoft warns that one of the flaws fixed this month is “wormable,” meaning no human interaction would be required for an attack to spread from one vulnerable Windows box to another.