Microsoft January 2022 Security Updates address 10 Critical vulnerabilities

By / / Security Updates & Patches, Vulnerabilities & Exploits / CVE-2021-22947, CVE-2021-44228, CVE-2022-21833, CVE-2022-21840, CVE-2022-21846, CVE-2022-21857, CVE-2022-21898, CVE-2022-21907, CVE-2022-21912, CVE-2022-21917

Microsoft has released the January 2022 Security Updates that includes patches and advisories for 127 vulnerabilities, 10 of those rated Critical.

A remote attacker could exploit some of these vulnerabilities to take control of unpatched systems.

In all, the Microsoft security updates address vulnerabilities in the following products, features and roles:

  • .NET Framework
  • Microsoft Dynamics
  • Microsoft Edge (Chromium-based)
  • Microsoft Exchange Server
  • Microsoft Graphics Component
  • Microsoft Office
  • Microsoft Office Excel
  • Microsoft Office SharePoint
  • Microsoft Office Word
  • Microsoft Teams
  • Microsoft Windows Codecs Library
  • Open Source Software
  • Role: Windows Hyper-V
  • Tablet Windows User Interface
  • Windows Account Control
  • Windows Active Directory
  • Windows AppContracts API Server
  • Windows Application Model
  • Windows BackupKey Remote Protocol
  • Windows Bind Filter Driver
  • Windows Certificates
  • Windows Cleanup Manager
  • Windows Clipboard User Service
  • Windows Cluster Port Driver
  • Windows Common Log File System Driver
  • Windows Connected Devices Platform Service
  • Windows Cryptographic Services
  • Windows Defender
  • Windows Devices Human Interface
  • Windows Diagnostic Hub
  • Windows DirectX
  • Windows DWM Core Library
  • Windows Event Tracing
  • Windows Geolocation Service
  • Windows HTTP Protocol Stack
  • Windows IKE Extension
  • Windows Installer
  • Windows Kerberos
  • Windows Kernel
  • Windows Libarchive
  • Windows Local Security Authority
  • Windows Local Security Authority Subsystem Service
  • Windows Modern Execution Server
  • Windows Push Notifications
  • Windows RDP
  • Windows Remote Access Connection Manager
  • Windows Remote Desktop
  • Windows Remote Procedure Call Runtime
  • Windows Resilient File System (ReFS)
  • Windows Secure Boot
  • Windows Security Center
  • Windows StateRepository API
  • Windows Storage
  • Windows Storage Spaces Controller
  • Windows System Launcher
  • Windows Task Flow Data Engine
  • Windows Tile Data Repository
  • Windows UEFI
  • Windows UI Immersive Server
  • Windows User Profile Service
  • Windows User-mode Driver Framework
  • Windows Virtual Machine IDE Drive
  • Windows Win32K
  • Windows Workstation Service Remote Protocol

Critical RCE vulnerabilities

Microsoft addressed 8 separate Critical remote code execution (RCE) vulnerabilities in multiple versions of Windows 10, Windows 11, Windows Server (multiple), Office app, Microsoft 365, Team Foundation, Azure, and multiple other software products. Patches were also made available for older versions of Windows (versions 7 and 8.1).

The Critical RCE patches and advisories are summarized below:

  1. CVE-2022-21840: Microsoft Office RCE Vulnerability
  2. CVE-2022-21846: Microsoft Exchange Server RCE Vulnerability
  3. CVE-2022-21898: DirectX Graphics Kernel RCE Vulnerability
  4. CVE-2022-21907: HTTP Protocol Stack RCE Vulnerability
  5. CVE-2022-21912: DirectX Graphics Kernel RCE Vulnerability
  6. CVE-2022-21917: HEVC Video Extensions RCE Vulnerability
  7. CVE-2021-22947: Open Source Curl RCE Vulnerability
  8. CVE-2021-44228: Apache Log4j RCE Vulnerability

As readers may know, researchers had discovered a Critical 0-day vulnerability (CVE-2021-44228) in Apache Log4j “Log4Shell” logging utility under active attack last month.

“Certain versions of Apache Log4j2 are vulnerable to a remote code execution vulnerability. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled,” Microsoft noted in the advisory.

Critical Elevation of Privilege vulnerabilities

Moreover, Microsoft addressed two Critical elevation of privilege vulnerabilities that affect Virtual Machine IDE Drive (CVE-2022-21833) and Active Directory Domain Services (CVE-2022-21857).

Microsoft warned the latter update “resolves an elevation of privilege vulnerability specific to Active Directory Domain Services environments with incoming trusts.” That issue has a CVSS base score of 8.8.

Other security updates

In addition to the Critical RCEs and zero-day fixes, Microsoft also patched an additional 92 other vulnerabilities across multiple products rated “Important.” The tech giant also addressed 24 Microsoft Edge (Chromium-based) vulnerabilities.

Finally, readers can review the January 2022 Security Updates Release Notes and also download more vulnerability and patch details via Microsoft’s Security Update Guide.