During the first Patch Tuesday of 2022, Microsoft patched a number of critical vulnerabilities in Windows and Windows Server. One of the most serious vulnerabilities resides in the HTTP Protocol Stack and allows attackers to remotely execute code on a PC.
Windows monthly security update in January fixes a slew of 96 major and minor bugs in various Windows components, Office, Teams, Exchange Server, Edge and .NET Framework. Two vulnerabilities have been given a CVSS score of 9.8, which means they are highly critical. These are CVE-2022-21907 and CVE-2022-21849.
The first is an rce vulnerability that allows attackers to remotely execute code by sending a packet to a Windows computer using HTTP Protocol Stack. The attacker does not need to make the user perform an action and he does not need to have any privileges in the system. This makes this vulnerability very suitable for a worm and particularly affects server users. For example, a single attack can affect an entire intranet.
According to Microsoft, the vulnerability has not yet been exploited and no public proof-of-concept exploit is available yet. Still, Microsoft urges users to prioritize fixing this vulnerability in a system. The vulnerability was discovered by Russian security researcher Mikhail Medvedev.
The second to get a CVSS score of 9.8 is an rce vulnerability in Windows Internet Key Exchange version 2. An attacker can remotely trigger various vulnerabilities without authentication and thus execute code remotely. Only systems running IPSec are vulnerable to this attack, Microsoft writes.
In addition, there are a number of other vulnerabilities with relatively high CVSS scores. One is CVE-2022-21846. This rce vulnerability in Microsoft Exchange Server is rated 9 out of 10. That means it is critical, but Microsoft clarifies that this vulnerability cannot simply be exploited from the Internet, but access to the same physical network, or access to a shared secure network, for example an MPLS or secure VPN that provides access to an admin environment. This vulnerability was reported to Microsoft by the US intelligence agency NSA.