Microsoft January 2022 Patch Tuesday Fixes 6 Zero-days, 97 Flaws
Today is Microsoft’s January 2022 Patch Tuesday, and with it comes fixes for six zero-day vulnerabilities and a total of 97 flaws.
Also Read: 6 Ways to Protect Your Business From Employee Data Theft
Microsoft has fixed 97 vulnerabilities (not including 29 Microsoft Edge vulnerabilities ) with today’s update, with nine classified as Critical and 88 as Important.
The number of each type of vulnerability is listed below:
- 41 Elevation of Privilege Vulnerabilities
- 9 Security Feature Bypass Vulnerabilities
- 29 Remote Code Execution Vulnerabilities
- 6 Information Disclosure Vulnerabilities
- 9 Denial of Service Vulnerabilities
- 3 Spoofing Vulnerabilities
Six zero-days fixed, none actively exploited
This month’s Patch Tuesday includes fixes for six publicly disclosed zero-day vulnerabilities. The good news is that none of them have been actively exploited in attacks.
Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.
The publicly disclosed vulnerabilities fixes as part of the December 2021 Patch Tuesday are:
- CVE-2021-22947 – Open Source Curl Remote Code Execution Vulnerability
- CVE-2021-36976 – Libarchive Remote Code Execution Vulnerability
- CVE-2022-21919 – Windows User Profile Service Elevation of Privilege Vulnerability
- CVE-2022-21836 – Windows Certificate Spoofing Vulnerability
- CVE-2022-21839 – Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability
- CVE-2022-21874 – Windows Security Center API Remote Code Execution Vulnerability
Both the Curl and Libarchive vulnerabilities had already been fixed by their maintainers but the fixes were not added to Windows until today.
However, as many of these have public proof-of-concept exploits available, they will likely be exploited by threat actors soon.
Recent updates from other companies
Other vendors who released updates in January 2022 include:
- Adobe’s January updates are released today.
- Android’s December security updates were released last week.
- Cisco released security updates for numerous products this month, including Cisco Prime Infrastructure and Cisco Common Services Platform Collector.
- SAP released its January 2022 security updates.
- VMWare released fixes for a code execution vulnerability in VMWare Workstation, Fusion, and ESXi.
The January 2022 Patch Tuesday Security Updates
Below is the complete list of resolved vulnerabilities and released advisories in the January 2022 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the full report here.
Also Read: The 6 Types of Shredder Security Levels: Advantage Business Equipment
Tag | CVE ID | CVE Title | Severity |
---|---|---|---|
.NET Framework | CVE-2022-21911 | .NET Framework Denial of Service Vulnerability | Important |
Microsoft Dynamics | CVE-2022-21932 | Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability | Important |
Microsoft Dynamics | CVE-2022-21891 | Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability | Important |
Microsoft Edge (Chromium-based) | CVE-2022-0105 | Chromium: CVE-2022-0105 Use after free in PDF | Unknown |
Microsoft Edge (Chromium-based) | CVE-2022-0102 | Chromium: CVE-2022-0102 Type Confusion in V8 | Unknown |
Microsoft Edge (Chromium-based) | CVE-2022-0104 | Chromium: CVE-2022-0104 Heap buffer overflow in ANGLE | Unknown |
Microsoft Edge (Chromium-based) | CVE-2022-0101 | Chromium: CVE-2022-0101 Heap buffer overflow in Bookmarks | Unknown |
Microsoft Edge (Chromium-based) | CVE-2022-0103 | Chromium: CVE-2022-0103 Use after free in SwiftShader | Unknown |
Microsoft Edge (Chromium-based) | CVE-2022-0109 | Chromium: CVE-2022-0109 Inappropriate implementation in Autofill | Unknown |
Microsoft Edge (Chromium-based) | CVE-2022-0110 | Chromium: CVE-2022-0110 Incorrect security UI in Autofill | Unknown |
Microsoft Edge (Chromium-based) | CVE-2022-0108 | Chromium: CVE-2022-0108 Inappropriate implementation in Navigation | Unknown |
Microsoft Edge (Chromium-based) | CVE-2022-0106 | Chromium: CVE-2022-0106 Use after free in Autofill | Unknown |
Microsoft Edge (Chromium-based) | CVE-2022-0107 | Chromium: CVE-2022-0107 Use after free in File Manager API | Unknown |
Microsoft Edge (Chromium-based) | CVE-2022-21954 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important |
Microsoft Edge (Chromium-based) | CVE-2022-21970 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important |
Microsoft Edge (Chromium-based) | CVE-2022-21931 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
Microsoft Edge (Chromium-based) | CVE-2022-21929 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Moderate |
Microsoft Edge (Chromium-based) | CVE-2022-21930 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
Microsoft Edge (Chromium-based) | CVE-2022-0099 | Chromium: CVE-2022-0099 Use after free in Sign-in | Unknown |
Microsoft Edge (Chromium-based) | CVE-2022-0100 | Chromium: CVE-2022-0100 Heap buffer overflow in Media streams API | Unknown |
Microsoft Edge (Chromium-based) | CVE-2022-0098 | Chromium: CVE-2022-0098 Use after free in Screen Capture | Unknown |
Microsoft Edge (Chromium-based) | CVE-2022-0096 | Chromium: CVE-2022-0096 Use after free in Storage | Unknown |
Microsoft Edge (Chromium-based) | CVE-2022-0097 | Chromium: CVE-2022-0097 Inappropriate implementation in DevTools | Unknown |
Microsoft Edge (Chromium-based) | CVE-2022-0116 | Chromium: CVE-2022-0116 Inappropriate implementation in Compositing | Unknown |
Microsoft Edge (Chromium-based) | CVE-2022-0117 | Chromium: CVE-2022-0117 Policy bypass in Service Workers | Unknown |
Microsoft Edge (Chromium-based) | CVE-2022-0115 | Chromium: CVE-2022-0115 Uninitialized Use in File API | Unknown |
Microsoft Edge (Chromium-based) | CVE-2022-0113 | Chromium: CVE-2022-0113 Inappropriate implementation in Blink | Unknown |
Microsoft Edge (Chromium-based) | CVE-2022-0114 | Chromium: CVE-2022-0114 Out of bounds memory access in Web Serial | Unknown |
Microsoft Edge (Chromium-based) | CVE-2022-0118 | Chromium: CVE-2022-0118 Inappropriate implementation in WebShare | Unknown |
Microsoft Edge (Chromium-based) | CVE-2022-0111 | Chromium: CVE-2022-0111 Inappropriate implementation in Navigation | Unknown |
Microsoft Edge (Chromium-based) | CVE-2022-0112 | Chromium: CVE-2022-0112 Incorrect security UI in Browser UI | Unknown |
Microsoft Edge (Chromium-based) | CVE-2022-0120 | Chromium: CVE-2022-0120 Inappropriate implementation in Passwords | Unknown |
Microsoft Exchange Server | CVE-2022-21969 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important |
Microsoft Exchange Server | CVE-2022-21846 | Microsoft Exchange Server Remote Code Execution Vulnerability | Critical |
Microsoft Exchange Server | CVE-2022-21855 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important |
Microsoft Graphics Component | CVE-2022-21904 | Windows GDI Information Disclosure Vulnerability | Important |
Microsoft Graphics Component | CVE-2022-21903 | Windows GDI Elevation of Privilege Vulnerability | Important |
Microsoft Graphics Component | CVE-2022-21915 | Windows GDI+ Information Disclosure Vulnerability | Important |
Microsoft Graphics Component | CVE-2022-21880 | Windows GDI+ Information Disclosure Vulnerability | Important |
Microsoft Office | CVE-2022-21840 | Microsoft Office Remote Code Execution Vulnerability | Critical |
Microsoft Office Excel | CVE-2022-21841 | Microsoft Excel Remote Code Execution Vulnerability | Important |
Microsoft Office SharePoint | CVE-2022-21837 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important |
Microsoft Office Word | CVE-2022-21842 | Microsoft Word Remote Code Execution Vulnerability | Important |
Microsoft Windows Codecs Library | CVE-2022-21917 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical |
Open Source Software | CVE-2021-22947 | Open Source Curl Remote Code Execution Vulnerability | Critical |
Role: Windows Hyper-V | CVE-2022-21901 | Windows Hyper-V Elevation of Privilege Vulnerability | Important |
Role: Windows Hyper-V | CVE-2022-21900 | Windows Hyper-V Security Feature Bypass Vulnerability | Important |
Role: Windows Hyper-V | CVE-2022-21905 | Windows Hyper-V Security Feature Bypass Vulnerability | Important |
Role: Windows Hyper-V | CVE-2022-21847 | Windows Hyper-V Denial of Service Vulnerability | Important |
Tablet Windows User Interface | CVE-2022-21870 | Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability | Important |
Windows Account Control | CVE-2022-21859 | Windows Accounts Control Elevation of Privilege Vulnerability | Important |
Windows Active Directory | CVE-2022-21857 | Active Directory Domain Services Elevation of Privilege Vulnerability | Critical |
Windows AppContracts API Server | CVE-2022-21860 | Windows AppContracts API Server Elevation of Privilege Vulnerability | Important |
Windows Application Model | CVE-2022-21862 | Windows Application Model Core API Elevation of Privilege Vulnerability | Important |
Windows BackupKey Remote Protocol | CVE-2022-21925 | Windows BackupKey Remote Protocol Security Feature Bypass Vulnerability | Important |
Windows Bind Filter Driver | CVE-2022-21858 | Windows Bind Filter Driver Elevation of Privilege Vulnerability | Important |
Windows Certificates | CVE-2022-21836 | Windows Certificate Spoofing Vulnerability | Important |
Windows Cleanup Manager | CVE-2022-21838 | Windows Cleanup Manager Elevation of Privilege Vulnerability | Important |
Windows Clipboard User Service | CVE-2022-21869 | Clipboard User Service Elevation of Privilege Vulnerability | Important |
Windows Cluster Port Driver | CVE-2022-21910 | Microsoft Cluster Port Driver Elevation of Privilege Vulnerability | Important |
Windows Common Log File System Driver | CVE-2022-21897 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important |
Windows Common Log File System Driver | CVE-2022-21916 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important |
Windows Connected Devices Platform Service | CVE-2022-21865 | Connected Devices Platform Service Elevation of Privilege Vulnerability | Important |
Windows Cryptographic Services | CVE-2022-21835 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | Important |
Windows Defender | CVE-2022-21921 | Windows Defender Credential Guard Security Feature Bypass Vulnerability | Important |
Windows Defender | CVE-2022-21906 | Windows Defender Application Control Security Feature Bypass Vulnerability | Important |
Windows Devices Human Interface | CVE-2022-21868 | Windows Devices Human Interface Elevation of Privilege Vulnerability | Important |
Windows Diagnostic Hub | CVE-2022-21871 | Microsoft Diagnostics Hub Standard Collector Runtime Elevation of Privilege Vulnerability | Important |
Windows DirectX | CVE-2022-21898 | DirectX Graphics Kernel Remote Code Execution Vulnerability | Critical |
Windows DirectX | CVE-2022-21918 | DirectX Graphics Kernel File Denial of Service Vulnerability | Important |
Windows DirectX | CVE-2022-21912 | DirectX Graphics Kernel Remote Code Execution Vulnerability | Critical |
Windows DWM Core Library | CVE-2022-21852 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important |
Windows DWM Core Library | CVE-2022-21902 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important |
Windows DWM Core Library | CVE-2022-21896 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important |
Windows Event Tracing | CVE-2022-21872 | Windows Event Tracing Elevation of Privilege Vulnerability | Important |
Windows Event Tracing | CVE-2022-21839 | Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability | Important |
Windows Geolocation Service | CVE-2022-21878 | Windows Geolocation Service Remote Code Execution Vulnerability | Important |
Windows HTTP Protocol Stack | CVE-2022-21907 | HTTP Protocol Stack Remote Code Execution Vulnerability | Critical |
Windows IKE Extension | CVE-2022-21843 | Windows IKE Extension Denial of Service Vulnerability | Important |
Windows IKE Extension | CVE-2022-21890 | Windows IKE Extension Denial of Service Vulnerability | Important |
Windows IKE Extension | CVE-2022-21883 | Windows IKE Extension Denial of Service Vulnerability | Important |
Windows IKE Extension | CVE-2022-21889 | Windows IKE Extension Denial of Service Vulnerability | Important |
Windows IKE Extension | CVE-2022-21848 | Windows IKE Extension Denial of Service Vulnerability | Important |
Windows IKE Extension | CVE-2022-21849 | Windows IKE Extension Remote Code Execution Vulnerability | Important |
Windows Installer | CVE-2022-21908 | Windows Installer Elevation of Privilege Vulnerability | Important |
Windows Kerberos | CVE-2022-21920 | Windows Kerberos Elevation of Privilege Vulnerability | Important |
Windows Kernel | CVE-2022-21881 | Windows Kernel Elevation of Privilege Vulnerability | Important |
Windows Kernel | CVE-2022-21879 | Windows Kernel Elevation of Privilege Vulnerability | Important |
Windows Libarchive | CVE-2021-36976 | Libarchive Remote Code Execution Vulnerability | Important |
Windows Local Security Authority | CVE-2022-21913 | Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass | Important |
Windows Local Security Authority Subsystem Service | CVE-2022-21884 | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | Important |
Windows Modern Execution Server | CVE-2022-21888 | Windows Modern Execution Server Remote Code Execution Vulnerability | Important |
Windows Push Notifications | CVE-2022-21867 | Windows Push Notifications Apps Elevation Of Privilege Vulnerability | Important |
Windows RDP | CVE-2022-21851 | Remote Desktop Client Remote Code Execution Vulnerability | Important |
Windows RDP | CVE-2022-21850 | Remote Desktop Client Remote Code Execution Vulnerability | Important |
Windows RDP | CVE-2022-21893 | Remote Desktop Protocol Remote Code Execution Vulnerability | Important |
Windows Remote Access Connection Manager | CVE-2022-21914 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | Important |
Windows Remote Access Connection Manager | CVE-2022-21885 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | Important |
Windows Remote Desktop | CVE-2022-21964 | Remote Desktop Licensing Diagnoser Information Disclosure Vulnerability | Important |
Windows Remote Procedure Call Runtime | CVE-2022-21922 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important |
Windows Resilient File System (ReFS) | CVE-2022-21961 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important |
Windows Resilient File System (ReFS) | CVE-2022-21959 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important |
Windows Resilient File System (ReFS) | CVE-2022-21958 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important |
Windows Resilient File System (ReFS) | CVE-2022-21960 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important |
Windows Resilient File System (ReFS) | CVE-2022-21963 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important |
Windows Resilient File System (ReFS) | CVE-2022-21892 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important |
Windows Resilient File System (ReFS) | CVE-2022-21962 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important |
Windows Resilient File System (ReFS) | CVE-2022-21928 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important |
Windows Secure Boot | CVE-2022-21894 | Secure Boot Security Feature Bypass Vulnerability | Important |
Windows Security Center | CVE-2022-21874 | Windows Security Center API Remote Code Execution Vulnerability | Important |
Windows StateRepository API | CVE-2022-21863 | Windows StateRepository API Server file Elevation of Privilege Vulnerability | Important |
Windows Storage | CVE-2022-21875 | Windows Storage Elevation of Privilege Vulnerability | Important |
Windows Storage Spaces Controller | CVE-2022-21877 | Storage Spaces Controller Information Disclosure Vulnerability | Important |
Windows System Launcher | CVE-2022-21866 | Windows System Launcher Elevation of Privilege Vulnerability | Important |
Windows Task Flow Data Engine | CVE-2022-21861 | Task Flow Data Engine Elevation of Privilege Vulnerability | Important |
Windows Tile Data Repository | CVE-2022-21873 | Tile Data Repository Elevation of Privilege Vulnerability | Important |
Windows UEFI | CVE-2022-21899 | Windows Extensible Firmware Interface Security Feature Bypass Vulnerability | Important |
Windows UI Immersive Server | CVE-2022-21864 | Windows UI Immersive Server API Elevation of Privilege Vulnerability | Important |
Windows User Profile Service | CVE-2022-21895 | Windows User Profile Service Elevation of Privilege Vulnerability | Important |
Windows User Profile Service | CVE-2022-21919 | Windows User Profile Service Elevation of Privilege Vulnerability | Important |
Windows User-mode Driver Framework | CVE-2022-21834 | Windows User-mode Driver Framework Reflector Driver Elevation of Privilege Vulnerability | Important |
Windows Virtual Machine IDE Drive | CVE-2022-21833 | Virtual Machine IDE Drive Elevation of Privilege Vulnerability | Critical |
Windows Win32K | CVE-2022-21882 | Win32k Elevation of Privilege Vulnerability | Important |
Windows Win32K | CVE-2022-21876 | Win32k Information Disclosure Vulnerability | Important |
Windows Win32K | CVE-2022-21887 | Win32k Elevation of Privilege Vulnerability | Important |
Windows Workstation Service Remote Protocol | CVE-2022-21924 | Workstation Service Remote Protocol Security Feature Bypass Vulnerability | Important |
0 Comments