For a detailed advisory, download the pdf file here.
Microsoft has fixed 97 vulnerabilities, with nine classified as Critical and 88 as Important and among them 6 zero-days.
Following are the type of security vulnerabilities reported in multiple Microsoft products:
41 Elevation of Privilege Vulnerabilities29 Remote Code Execution Vulnerabilities9 Security Feature Bypass Vulnerabilities6 Information Disclosure Vulnerabilities9 Denial of Service Vulnerabilities3 Spoofing Vulnerabilities
Six zero-day vulnerabilities were addressed in the January’s patch Tuesday:
CVE-2021-22947: Remote Code-Execution vulnerability in open-source Curl library.CVE-2021-36976: Remote Code-Execution vulnerability in open-source Libarchive.CVE-2022-21874: Remote Code-Execution vulnerability in Local Windows Security Center API.CVE-2022-21919: Privilege escalation vulnerability in Windows User Profile Service.CVE-2022-21839: Denial-of-Service vulnerability in Windows Event Tracing Discretionary Access Control List.CVE-2022-21836: Spoofing vulnerability in Windows Certificate.
Some of the critical vulnerabilities are listed below:
CVE-2022-21846: Remote Code-Execution vulnerability in Microsoft exchange server which.CVE-2022-21840: Remote Code-Execution vulnerability in Microsoft Office 365.CVE-2022-21857: Active Directory Domain Services Elevation of Privilege VulnerabilityCVE-2022-21898: Privilege escalation vulnerability in DirectX Graphics.CVE-2022-21912: DirectX Graphics Kernel Remote Code Execution Vulnerability.CVE-2022-21907: HTTP Protocol Stack Remote Code-Execution VulnerabilityCVE-2022-21917: HEVC Video Extensions Remote Code-Execution Vulnerability.
Out of the critical bugs, a Remote Code-Execution (CVE-2022-21907) issue in the HTTP protocol stack (HTTP.sys) used as a protocol listener for processing HTTP requests by the Windows Internet Information Services (IIS) web server. Successful exploitation requires an attacker to send maliciously crafted packets to targeted Windows servers, which use the vulnerable HTTP Protocol Stack for processing packets.
Hive Pro threat researchers recommend users to prioritize patching this flaw on all the affected servers since it could allow unauthenticated attackers to remotely execute arbitrary code in low complexity attacks and “in most situations,” without requiring user interaction.