First Patch Tuesday of 2022 Brings Fix for a Critical ‘Wormable’ Windows Vulnerability

Microsoft on Tuesday kicked off its first set of updates for 2022 by plugging 96 security holes across its software ecosystem while urging customers to prioritize patching for what it calls a critical “wormable” vulnerability.

Of the 96 vulnerabilities, nine are rated Critical and 89 are rated Important in severity, and six were publicly known zero-days at the time of release. This is in addition to 29 issues patched in Microsoft Edge on January 6, 2022. None of the disclosed bugs is listed as under active attack.

The patches cover a swath of the computing giant’s portfolio, including Microsoft Windows and Windows Components, Exchange Server, Microsoft Office and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Source Software, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP).

Chief among them is CVE-2022-21907 (CVSS score: 9.8), a remote code execution vulnerability rooted in the HTTP Protocol Stack. “In most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets,” Microsoft noted in its advisory.

Russian security researcher Mikhail Medvedev has been credited with discovering and reporting the flaw, with the Redmond-based company stressing that it is wormable, meaning an exploit could spread from one vulnerable, reachable system to the next without any user interaction. One caveat from Microsoft's advisory matters for prioritization: on Windows Server 2019 and Windows 10 version 1809 the vulnerable HTTP trailer support is off by default, so those systems are only exposed if the EnableTrailerSupport value under HKLM\System\CurrentControlSet\Services\HTTP\Parameters has been set to 1. Newer builds (Windows 10 20H2 and later, Windows 11, Windows Server 2022) are exposed by default and should be patched first, and note that http.sys serves far more than IIS: WinRM, WSUS, Exchange, SSRS and many .NET and PowerShell remoting endpoints all listen through it.
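The following PowerShell triage script is an added example, not code from the original article or from Microsoft. It reports whether a host is in the configuration Microsoft's CVE-2022-21907 advisory describes as exposed: it reads the EnableTrailerSupport registry value the advisory names as the mitigation for Server 2019 / Windows 10 1809, checks whether the HTTP kernel driver is running at all, and lists the http.sys file version and recently installed updates so an administrator can compare them against the January 2022 advisory. The build-number mapping in the comments and the function name are this example's own assumptions; it does not assert specific KB numbers.

```powershell
# Added example (not from the original article or Microsoft).
# Run elevated on a Windows host. Assumptions: build 17763 is Server 2019 / Win10 1809,
# where the advisory says trailer support is off by default; any newer build is
# treated as exposed unless the January 2022 cumulative update is confirmed installed.

function Test-Http21907Exposure {
    [CmdletBinding()]
    param()

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # Registry value named in the advisory's mitigation section
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    $trailer = (Get-ItemProperty -Path $regPath -Name EnableTrailerSupport -ErrorAction SilentlyContinue).EnableTrailerSupport
    $trailerEnabled = ($trailer -eq 1)

    # Is the HTTP.sys kernel driver even running? If not, nothing is listening through it.
    $httpSvc = Get-Service -Name HTTP -ErrorAction SilentlyContinue
    $httpRunning = ($httpSvc -and $httpSvc.Status -eq 'Running')

    # On-disk driver version, for manual comparison with the patched version in the advisory
    $httpSysVer = (Get-Item "$env:SystemRoot\System32\drivers\http.sys").VersionInfo.FileVersion

    # Updates installed since Patch Tuesday (11 Jan 2022); compare KB IDs with the advisory
    $since   = Get-Date -Year 2022 -Month 1 -Day 11
    $recent  = Get-HotFix | Where-Object { $_.InstalledOn -ge $since } | Select-Object -ExpandProperty HotFixID

    if ($build -lt 17763) {
        $verdict = 'Build predates affected versions; not listed in the advisory'
    } elseif ($build -eq 17763 -and -not $trailerEnabled) {
        $verdict = 'Not exposed per advisory mitigation (trailer support disabled); patch anyway'
    } elseif (-not $httpRunning) {
        $verdict = 'HTTP.sys not running; reduced exposure, still patch'
    } else {
        $verdict = 'EXPOSED unless the January 2022 cumulative update is confirmed installed'
    }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        OSVersion             = $os.Caption
        Build                 = $build
        EnableTrailerSupport  = $trailerEnabled
        HttpDriverRunning     = $httpRunning
        HttpSysFileVersion    = $httpSysVer
        HotfixesSince20220111 = ($recent -join ',')
        Verdict               = $verdict
    }
}

# Usage: run locally, or fan out with Invoke-Command across servers that terminate HTTP traffic
Test-Http21907Exposure | Format-List
```

For a fleet, wrap the call in Invoke-Command against the hosts that actually terminate inbound HTTP (IIS, WinRM, WSUS, Exchange) and sort on the Verdict column; the script deliberately stops short of declaring a host patched, because that judgement requires matching the installed KB against the advisory for the host's specific build.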
