Microsoft Fixes Six Zero-Days and 97 Flaws Including an Exchange Vulnerability

Microsoft fixes a total of 97 security vulnerabilities, including six zero-day vulnerabilities.

In an update, the company announced that the critical vulnerability that emerged in the Microsoft Exchange service recently and the critical vulnerability in the HTTP Protocol Stack (HTTP.sys) of the Windows IIS server had been fixed. Primary, the HTTP.sys vulnerability has a 9.8 criticality level and allows remote control.

How Do Vulnerabilities Affect?

Microsoft fixed a total of 97 security vulnerabilities, including 41 Elevation of Privilege, 29 RCE, nine Security Feature Bypass, six Information Disclosure, nine Denial of Service, and three Spoofing vulnerabilities.

Nine of these vulnerabilities were classified as critical, while the remaining 88 were significant.

Although the technical details have not yet been released in the statement made within the scope of “Patch Tuesday,” Microsoft fixed the vulnerability that enables RCE on Microsoft Exchange Servers with the code CVE-2022-21969 and a criticality level of 9.0.

Microsoft has also fixed a critical vulnerability in the HTTP Protocol Stack of the Windows IIS server.

Unauthenticated cyber threat actors can exploit the vulnerability with code CVE-2022-21907 and a criticality level of 9.8 by sending malicious packets to a targeted server using HTTP Protocol Stack (HTTP.sys), and this vulnerability enables RCE.

In addition, the error in sending e-mail due to the date error that appeared on Exchange servers as of January 1, 2022, was also fixed by Microsoft. It is known that the error in question is called Y2K22 andaffectsmanyinstitutions.

The six zero-days Microsoft closed are not known to be actively exploited. However, the zero-days are listed as follows:

CVE-2021-22947 – Open Source Curl Remote Code Execution Vulnerability
CVE-2021-36976 – Libarchive Remote Code Execution Vulnerability
CVE-2022-21919 – Windows User Profile Service Elevation of Privilege Vulnerability
CVE-2022-21836 – Windows Certificate Spoofing Vulnerability
CVE-2022-21839 – Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability
CVE-2022-21874 – Windows Security Center API Remote Code Execution Vulnerability

Although the Curl and Libarchive security vulnerabilities in the above list have already been fixed, these fixes were not made by Windows. However, it is thought that cyber threat actors will soon exploit the vulnerabilities as their PoCs are published.

How to Fix Vulnerabilities?

Windows users should install the January 2022 updates to avoid security risks and fix vulnerabilities immediately.

Bleeping Computer has released the complete list of vulnerabilities fixed and published recommendations in the January 2022 Patch Tuesday updates. You can read the full report for a full description of each vulnerability and the systems it affects.