page = krebs on security – in-depth security news and …
url = https://krebsonsecurity.com
Microsoft today released updates to plug nearly 120 security holes in Windows and supported software. Six of the vulnerabilities were publicly detailed already, potentially giving attackers a head start in figuring out how to exploit them in unpatched systems. More concerning, Microsoft warns that one of the flaws fixed this month is “wormable,” meaning no human interaction would be required for an attack to spread from one vulnerable Windows box to another.
Nine of the vulnerabilities fixed in this month’s Patch Tuesday received Microsoft’s “critical” rating, meaning malware or miscreants can exploit them to gain remote access to vulnerable Windows systems through no help from the user.
By all accounts, the most severe flaw addressed today is CVE-2022-21907, a critical, remote code execution flaw in the “ HTTP Protocol Stack .” Microsoft says the flaw affects Windows 10 and Windows 11 , as well as Server 2019 and Server 2022 .
“While this is definitely more server-centric, remember that Windows clients can also run http.sys, so all affected versions are affected by this bug,” said Dustin Childs from Trend Micro’s Zero Day Initiative . “Test and deploy this patch quickly.”
Quickly indeed. In May 2021, Microsoft patched a similarly critical and wormable vulnerability in the HTTP Protocol Stack; less than a week later, computer code made to exploit the flaw was posted online .
Microsoft also fixed three more remote code execution flaws in Exchange Server , a technology that hundreds of thousands of organizations worldwide use to manage their email. Exchange flaws are a major target of malicious hackers. Almost a year ago, hundreds of thousands of Exchange servers worldwide were compromised by malware after attackers started mass-exploiting four zero-day flaws in Exchange.
Microsoft says the limiting factor with these three newly found Exchange flaws is that an attacker would need to be tied to the target’s network somehow to exploit them. But Satnam Narang at Tenable notes Microsoft has labeled all three Exchange flaws as “exploitation more likely.”
“One of the flaws, CVE-2022-21846 , was disclosed to Microsoft by the National Security Agency ,” Narang said. “Despite the rating, Microsoft notes the attack vector is adjacent, meaning exploitation will require more legwork for an attacker, unlike the ProxyLogon and ProxyShell vulnerabilities which were remotely exploitable.” Continue reading →
‘Wormable’ Flaw Leads January 2022 Patch Tuesday