Microsoft's "massive" January Patch Tuesday update fixes 90+ security flaws

The update was rolled out as part of a mandatory patch for Windows 11 users

Microsoft has started rolling out the KB5009566 cumulative update for Windows 11 - with security updates, performance improvements and fixes for known vulnerabilities - to PCs outside the Windows Insiders programme.

KB5009566 is mandatory to install, as it contains the January 2022 Patch Tuesday security updates for a variety of bugs uncovered in previous months.

The only non-security fix in KB5009566 is for a known issue with Japanese Input Method Editors (IMEs).

'When you use a Japanese IME to enter text, the text might appear out of order or the text cursor might move unexpectedly in apps that use the multibyte character set (MBCS),' the update text states.

The update also makes quality improvements to the servicing stack, in order to ensure that users' devices can receive and install Microsoft updates.

As for the Windows 10 KB5009585 update, the only highlight listed in the support bulletin pertains to security updates.
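The two cumulative updates above are what a Windows administrator needs to confirm are present. The following PowerShell check is an added example, not part of the article; it assumes the build numbers and the post-update revision values (22000.434 for KB5009566, 19042-19044.1466 for KB5009585) taken from Microsoft's release notes, and it deliberately relies on the build revision rather than the KB ID, because a later cumulative update supersedes these and the ID then no longer appears in Get-HotFix.

```powershell
# Added example (not from the article): verify that this Windows 10/11 machine
# carries the January 2022 cumulative update the article names, or a later one.
# The build/revision mapping is an assumption taken from Microsoft's release
# notes; the article itself only names the KB numbers.
$expected = @(
    @{ Name = 'Windows 11 21H2';           Build = 22000; MinUbr = 434;  Kb = 'KB5009566' },
    @{ Name = 'Windows 10 20H2/21H1/21H2'; Build = 19042; MinUbr = 1466; Kb = 'KB5009585' },
    @{ Name = 'Windows 10 20H2/21H1/21H2'; Build = 19043; MinUbr = 1466; Kb = 'KB5009585' },
    @{ Name = 'Windows 10 20H2/21H1/21H2'; Build = 19044; MinUbr = 1466; Kb = 'KB5009585' }
)

function Test-JanuaryPatchLevel {
    # CurrentBuildNumber is used instead of ProductName because Windows 11
    # still reports "Windows 10" in ProductName.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR   # Update Build Revision, raised by every cumulative update
    $row   = $expected | Where-Object { $_.Build -eq $build } | Select-Object -First 1

    if (-not $row) {
        return [pscustomobject]@{
            Build  = "$build.$ubr"
            Status = 'Unknown'
            Detail = 'Release not covered by this check; consult the update catalog'
        }
    }

    # A later cumulative update supersedes KB5009566/KB5009585, so the KB ID can
    # be absent from Get-HotFix on a fully patched machine. The revision is the
    # reliable signal; the KB lookup is only supporting evidence.
    $kbListed = [bool](Get-HotFix -Id $row.Kb -ErrorAction SilentlyContinue)
    $patched  = $ubr -ge $row.MinUbr

    [pscustomobject]@{
        Release  = $row.Name
        Build    = "$build.$ubr"
        Status   = if ($patched) { 'Patched' } else { 'MISSING' }
        KbListed = $kbListed
        Detail   = if ($patched) { "At or above $($row.Kb) level ($build.$($row.MinUbr))" }
                   else { "Below $($row.Kb); January 2022 fixes such as CVE-2022-21907 (http.sys) not applied" }
    }
}

Test-JanuaryPatchLevel | Format-List
```

Run it in an elevated session on each host, or wrap it in Invoke-Command for a fleet; a Status of MISSING means the January fixes, including the wormable http.sys flaw, are still open.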

In its latest round of security patches, Microsoft has plugged 97 security holes in Windows and supported software, including Windows Kernel, RDP, Cryptographic Services, Windows Certificate, Microsoft Teams, the Office software line, and Windows Defender.

Elevation of privilege (EoP) bugs accounted for 42 per cent of the security vulnerabilities patched this month, followed by remote code execution (RCE) bugs at 30 per cent.

Of all the vulnerabilities fixed in the January update, nine had a 'critical' rating, meaning they can be exploited by attackers or malware to gain remote access to vulnerable Windows systems without any help from the user.

Six of the bugs patched, listed below, were already in the public domain, potentially giving threat actors a head start in figuring out how to exploit these zero-days in vulnerable systems. However, security researchers say that none of them have been actively exploited in attacks.

A critical bug patched this month is CVE-2022-21907, a remote code execution flaw in Microsoft's HTTP Protocol Stack (http.sys). This flaw, which received a 9.8 CVSSv3 score, is 'wormable,' meaning no user interaction is required for it to spread from one vulnerable system to another. A remote, unauthenticated attacker can exploit the bug by sending a crafted packet to an affected server.

CVE-2022-21969, CVE-2022-21846 and CVE-2022-21855 are RCEs in Microsoft Exchange Server, all rated as 'Exploitation More Likely' with a CVSSv3 score of 9.0.

These bugs require an adjacent attack vector, meaning the attack 'cannot simply be done across the internet, but instead needs something specific tied to the target.'

"This massive Patch Tuesday comes during a time of chaos in the security industry whereby professionals are working overtime to remediate Log4Shell - reportedly the worst vulnerability seen in decades," said Bharat Jogi, director of vulnerability and threat research at Qualys.

"Unpredictable events such as Log4Shell add significant stress to the security professionals dealing with such outbreaks - and bring to the forefront the importance of having an automated inventory of everything that is used by an organisation in their environment.

"It is the need of the hour to automate deployment of patches for events with defined schedules (e.g., MSFT Patch Tuesday), so security professionals can focus energy to respond efficiently to unpredictable events that pose dastardly risk to an organisation's crown jewels."