Microsoft January 2022 Patch Tuesday: Six zero-days, over 90 vulnerabilities fixed

RV_ · January 11, 2022

I updated my eight systems without any issues with this update. I mention that every month because most regular folks here know I have from older to the newest Intel computer systems, and a wide spread of processors and form factors. If the updates don't kill any of mine the updates are fairly safe. List of my systems at the bottom.

If you are one who delays updates I'd suggest getting this set today.

Excerpt:

"This month's round of security fixes includes patches for publicly-known remote code execution bugs.

Microsoft has released 96 security fixes including updates to address six zero-day vulnerabilities.

In the Redmond giant's latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, Microsoft has fixed problems including remote code execution (RCE) exploits, privilege escalation flaws, spoofing issues, and cross-site scripting (XSS) vulnerabilities.

Products impacted by January 2022's security update include Microsoft Exchange Server, the Office software line, Windows Defender, Windows Kernel, RDP, Cryptographic Services, Windows Certificate, and Microsoft Teams.

The zero-day vulnerabilities resolved in this update are:

CVE-2021-22947: HackerOne assigned CVE: An open source Curl RCE allowing for Man-in-The-Middle (MiTM) attacks.
CVE-2021-36976: MITRE assigned CVE: An open source Libarchive use-after-free bug leading to RCE.
CVE-2022-21874: A local Windows Security Center API RCE vulnerability (CVSS 7.8).
CVE-2022-21919: A Windows User Profile Service Elevation of Privilege security issue (CVSS 7.0), PoC exploit code recorded.
CVE-2022-21839: Windows Event Tracing Discretionary Access Control List Denial-of-Service (DoS) (CVSS 6.1).
CVE-2022-21836: Windows Certificate spoofing, PoC code recorded (CVSS 7.8).

None of the zero-day flaws above are known to have been exploited in the wild. A total of 24 vulnerabilities were patched earlier this month in Microsoft Edge (Chromium-based). According to the Zero Day Initiative (ZDI), this volume is unusual for the month of January, with previous years often being roughly half this number.

Microsoft has also announced a refreshed Security Update Guide notification system, with standard email addresses now being accepted at signup rather than only Live IDs.

Last month, Microsoft published 67 security fixes in the December 2021 Patch Tuesday. Seven critical vulnerabilities were among the issues patched, alongside six zero-day security flaws. One of the zero-days tackled was CVE-2021-43890, a bug in the Windows AppX Installer that is being actively exploited in the wild to spread Emotet, Trickbot, and Bazaloader malware.

A month prior, the tech giant tackled 55 vulnerabilities during the November 2021 Patch Tuesday.

In recent Microsoft news, earlier this month the company published an emergency fix for a bug impacting on-premise Exchange Servers. A date-check failure glitch prevented mail to move smoothly through the transport queues of Exchange Server 2016 and Exchange Server 2019.

Alongside Microsoft's Patch Tuesday round, other vendors, too, will publish security updates which can be accessed below.