Microsoft has released the fixes for the first "Patch Tuesday" of 2022, addressing several vulnerabilities in its products, including Microsoft Windows, as well as zero-days that can be exploited if left unpatched.
The vulnerabilities the software maker fixed include remote code execution (RCE) flaws, privilege escalation flaws, spoofing issues, and cross-site scripting bugs.
Vulnerabilities Fixed
According to BleepingComputer.com, Microsoft fixed a total of 97 vulnerabilities in its first "Patch Tuesday" of 2022.
These include 41 Elevation of Privilege vulnerabilities, 9 Security Feature Bypass vulnerabilities, 29 Remote Code Execution vulnerabilities, 6 Information Disclosure vulnerabilities, 9 Denial of Service vulnerabilities, and 3 Spoofing vulnerabilities.
The fixes, according to ThreatPost.com, cover several of Microsoft's products: the Windows operating system and Office and their components, Microsoft Edge, Exchange Server and SharePoint Server, the .NET Framework, Microsoft Dynamics, Microsoft's open-source software, Windows Hyper-V, Microsoft Defender, and the Remote Desktop Protocol (RDP).
Beyond the long list of vulnerability fixes, Microsoft's first patch release of the year also addressed at least six zero-days.
According to ZDNet.com, these include CVE-2021-22947, a HackerOne-assigned CVE for a remote code execution (RCE) flaw in Curl that allows man-in-the-middle attacks, and CVE-2021-36976, a MITRE-assigned CVE for a use-after-free bug in the open-source Libarchive library that leads to RCE.
They also include four more CVEs in Windows components: CVE-2022-21874, a local Windows Security Center API RCE vulnerability; CVE-2022-21919, a Windows User Profile Service elevation of privilege flaw; CVE-2022-21839, a Windows Event Tracing Discretionary Access Control List denial-of-service (DoS) flaw; and CVE-2022-21836, a Windows Certificate spoofing vulnerability.
None of these six CVEs is known to be actively exploited by threat actors. However, proof-of-concept (PoC) exploit code for CVE-2022-21919 and CVE-2022-21836 has been publicly released.
CVE-2021-22947, the HackerOne-assigned CVE, was rated "Critical," but it had already been fixed by the project's maintainers, as had CVE-2021-36976, the MITRE-assigned CVE.
Another CVE addressed by the update is CVE-2022-21907, a bug in the HTTP Protocol Stack (HTTP.sys), the protocol listener that processes HTTP requests for Microsoft's Windows Internet Information Services (IIS) web server.
According to a separate BleepingComputer.com article, if exploited successfully, threat actors could send maliciously crafted packets to targeted Windows servers that use this protocol stack to process packets.
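As an added, defender-side illustration that is not part of the original article, the following PowerShell snippet triages a Windows host for exposure to CVE-2022-21907: whether HTTP.sys and IIS are running, whether the HTTP Trailer Support registry value is set, and whether any update has been installed since the January 2022 Patch Tuesday. The registry value, the Patch Tuesday date and the exposure conditions come from Microsoft's advisory for the CVE, not from this article, and are assumptions here.

```powershell
# Added example (not from the article): exposure check for CVE-2022-21907 in HTTP.sys.
# Assumptions (from Microsoft's advisory, not this article): some older builds only
# expose the vulnerable HTTP Trailer Support code when EnableTrailerSupport is set
# to 1, while newer builds expose it by default. Run as Administrator on the host.

$patchTuesday = Get-Date '2022-01-11'   # January 2022 Patch Tuesday (assumed date)
$result = [ordered]@{}

# 1. Is the HTTP.sys kernel driver loaded, and is IIS (W3SVC) running on this host?
$http  = Get-Service -Name HTTP  -ErrorAction SilentlyContinue
$w3svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
$result['HttpSysRunning'] = [bool]($http  -and $http.Status  -eq 'Running')
$result['IisRunning']     = [bool]($w3svc -and $w3svc.Status -eq 'Running')

# 2. Is the HTTP Trailer Support feature explicitly enabled via the registry?
$params  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$trailer = (Get-ItemProperty -Path $params -Name EnableTrailerSupport `
            -ErrorAction SilentlyContinue).EnableTrailerSupport
$result['TrailerSupportValue'] = if ($null -eq $trailer) { 'not set' } else { $trailer }

# 3. Which OS build is this, and has any update landed since Patch Tuesday?
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$result['OsBuild'] = "$($os.Caption) build $($os.BuildNumber)"
$recent = Get-HotFix |
          Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
          Sort-Object InstalledOn -Descending
$result['UpdatesSincePatchTuesday'] = if ($recent) {
    ($recent | ForEach-Object { "$($_.HotFixID) ($($_.InstalledOn.ToShortDateString()))" }) -join ', '
} else { 'none' }

# 4. Flag as possibly exposed when the listener is up, no post-Patch-Tuesday update is
#    present, and trailer support is either explicitly on or left at the build default.
$result['PossiblyExposed'] = [bool]($result['HttpSysRunning'] -and -not $recent -and
                                    ($trailer -eq 1 -or $null -eq $trailer))

[pscustomobject]$result | Format-List
```

Treat a "PossiblyExposed" result as a prompt to confirm the installed cumulative update against Microsoft's advisory for the host's build, since Get-HotFix alone does not map KB numbers to CVEs.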
According to the Zero Day Initiative, these are part of the 122 CVEs Microsoft fixed in January, an "unusually large" update for the company: over the past few years, the average number of patches released in January has been about half of this year's count.
The other CVEs in Microsoft's January 2022 update include 24 additional CVEs in the Chromium-based Microsoft Edge that were addressed earlier this month, and two more CVEs in open-source projects that had previously been fixed.