[German]As of January 11, 2022, Microsoft has released a number of security updates for Windows and Office that are supposed to eliminate vulnerabilities. However, some of these updates caused problems, disrupting functions in Windows. On January 14, 2022, Microsoft released a list of update revisions that I would like to briefly review in the wake of the January 2022 Patchday.
Advertising
I have extracted the information from Microsoft about the CVEs listed below, whose descriptions have been seriously changed again.
- CVE-2022-21840
- CVE-2022-21841
- CVE-2022-21880
- CVE-2022-21882
- CVE-2022-21893
- CVE-2022-21907
- CVE-2022-21913
Below are details on the vulnerabilities in question. These provide a good overview of what serious vulnerabilities are relevant to the January 2022 patchday and the consequences of failing to install the January 2022 security updates.
Office vulnerabilities (Mac)
For Office installations in support (Mac only), the following vulnerabilities were closed in January 2022.
CVE-2022-21840: Microsoft Office RCE
CVE-2022-21840 is a remote code execution (RCE) vulnerability in Microsoft Office for Mac that is rated critical. Here, Microsoft has provided an update and recommends installing the updates promptly. For the Windows track, Office users can ignore this vulnerability, as it is not present there.
CVE-2022-21841: Microsoft Excel RCE
The vulnerability CVE-2022-21841 is also present in Microsoft Excel for Mac and allows remote code execution. Microsoft provides security updates for the vulnerability described as important, which Mac users should install promptly.
Advertising
Windows vulnerabilities
More important to the blog's readership are the vulnerabilities in the still-supported versions of Windows that will be closed by the January 2022 updates. Users who run into problems with the update installation and need to uninstall these patches will find an overview of the details below.
CVE-2022-21880:Windows GDI+ Information disclosure
CVE-2022-21880 is an as important classified vulnerability in Windows GDI+ that allows information disclosure. Microsoft rates the probability of exploitation as low.
CVE-2022-21882: Win32k Privilege Escalation
In Win32k vulnerability CVE-2022-21882 allows an elevation of privilege. A local, authenticated attacker can gain elevated local system or administrator privileges through the vulnerability in the Win32k.sys driver. Because of the limitations, this vulnerability is rated important only. Microsoft is aware of a limited number of attacks that attempt to exploit this vulnerability.
CVE-2022-21893: Remote Desktop Protocol RCE
In Win32k vulnerability CVE-2022-21893 allows elevation of privilege. A local, authenticated attacker can gain elevated local system or administrator privileges through the vulnerability in the Win32k.sys driver. Because of the limitations, this vulnerability is rated important only. Microsoft is aware of a limited number of attacks that attempt to exploit this vulnerability.
CVE-2022-21907: HTTP Protocol Stack RCE
Vulnerability CVE-2022-21907 is located in the Windows HTTP protocol stack and is rated critical. The remote code execution vulnerability has already made waves because it is considered wormable, meaning it allows an attack to spread across a network. In most scenarios, an unauthenticated attacker could send a specially crafted packet to a target server that uses the HTTP protocol stack (http.sys) to process packets.
While the vulnerability was closed by the Windows 10/Windows Server updates (Patchday: Windows 10 updates (January 11, 2022)) as of January 11, 2022. The problem is that these updates cannot be installed in certain scenarios because of the collateral damage described in the article Microsoft patch day issues Jan. 2022: bugs confirmed, but updates not pulled.
The only option is then to wait for revision updates from Microsoft. There is one piece of good news, however, because Windows Server 2019 and Windows 10 version 1809 are not vulnerable by default. Unless you have enabled HTTP trailer support via the "EnableTrailerSupport" registry value, the systems are not vulnerable. Microsoft recommends delete the EnableTrailerSupport DWORD registry value, if present at:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
This mitigation applies only to Windows Server 2019 and Windows 10, version 1809 and does not apply to Windows 20H2 and later.
CVE-2022-21913: Local Security Authority (Domain Policy) Remote Protocol
Vulnerability CVE-2022-21913 allows a security feature bypass, i.e. a security policy bypass. However, Microsoft only classifies the whole thing as important and sees the exploitability as unlikely. Microsoft has published the support article KB5010265 with more information about this.
Going through the list above, the HTTP Protocol Stack vulnerability CVE-2022-21907 seems to me to be the most critical. Here, administrators should check if the described measure to disable EnableTrailerSupport can be used. For the Exchange vulnerability CVE-2022-21846 an update is available (Security Updates for Exchange Server (January 2022)). I am not aware of any collateral damage here so far.
The Defender Information disclosure bug
For at least eight years, there has been a bug in Microsoft Defender that allows malware to query locations excluded from scanning and store malware there. The problem also affects Windows 10 21H1 and Windows 10 21H2, as Bleeping Computer colleagues describe in this article.
Similar articles:
Windows Server: Out-of-Band Update fixes Remote Desktop issues (2022/01/04)
Microsoft Office Updates (January 4, 2022)
Microsoft Security Update Summary (January 11, 2022)
Patchday: Windows 8.1/Server 2012 R2 Updates (January 11, 2022), boot loop reported
Patchday: Windows 10 Updates (January 11, 2022)
Patchday: Windows 11 Updates (January 11, 2022)
Patchday: Updates for Windows 7/Server 2008 R2 (January 11, 2022)
Windows Server: January 2022 security updates are causing DC boot loop
Windows VPN connections (L2TP over IPSEC) broken after January 2022 update
Windows Server 2012/R2: January 2022 Update KB5009586 bricks Hyper-V Host
Microsoft patch day issues Jan. 2022: bugs confirmed, but updates not pulled
Microsoft Microsoft Januar 2022 Patchday Revisions (2022/01/14)
Windows Out-of-band Updates fixes Jan. 2022 patch day issues (Jan. 17, 2022)
Windows 10/Server: Out-of-band Updates fixes Jan. 2022 patch day issues (Jan. 17, 2022)
