Big Patch Tuesday: Microsoft and Adobe fix in-the-wild exploits

[updated] You can update now: Microsoft patches 97 bugs including 6 zero-days and a wormable one

How time flies sometimes. Microsoft yesterday released the first patch Tuesday security updates of the year 2022. The update includes fixes for six zero-day vulnerabilities and a total of 97 bugs. This includes two Remote Code Execution (RCE) vulnerabilities affecting open source libraries. None of the zero-day flaws are known to have been exploited in the wild, but one of the other vulnerabilities is feared to be a wormable one.

A severe word of warning for those running a network with a domain controller, the side effects this month are extreme. The advice is to hold of on the patch. Microsoft has a technology called Active Directory that allows workstations to authenticate with a “domain controller.” This month’s updates are causing such drastic issues with domain controllers that they can become stuck in a boot loop.

Patches that can cause problems include the following:

It’s unclear if Server 2022 is similarly impacted.

Along with the update comes an announcement of a new security update guide notification system.

Let’s start by taking a closer look at the zero-days. Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The first two we listed below have previously been fixed by a third party and are now being incorporated into Microsoft products.

Open Source Curl RCE vulnerability

CVE-2021-22947 is regarding a vulnerability in the curl open source library which is used by Windows. The January 2022 Windows Security Updates includes the most recent version of this library which addresses this vulnerability and others. The listed one can lead to a STARTTLS protocol injection via a Man-In-The-Middle attack.

The software, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted. More specifically, when curl connects to an IMAP, POP3, SMTP or FTP server to exchange data securely using STARTTLS to upgrade the connection to TLS level, the server can still respond and send back multiple responses before the TLS upgrade. Such multiple pipelined responses are cached by curl. curl would then upgrade to TLS but not flush the in-queue of cached responses and instead use and trust the responses it got before the TLS handshake as if they were authenticated.

Libarchive RCE vulnerability

CVE-2021-36976 is regarding a vulnerability in the libarchive open source library which is used by Windows. The January 2022 Windows Security Updates include the most recent version of this library which addresses the vulnerability and others. This vulnerability is described as libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block).

Windows Certificate Spoofing vulnerability

CVE-2022-21836 allows an attacker to bypass a security feature. A successful attacker could bypass the Windows Platform Binary Table (WPBT) verification by using a small number of compromised certificates. Microsoft has added those certificates to the Windows kernel driver block list, driver.stl. The Windows Platform Binary Table is a fixed firmware ACPI (Advanced Configuration and Power Interface) table. It was introduced by Microsoft to allow its vendors to execute programs every time a device boots. Certificates on the driver.stl will be blocked even if present in the WPBT.

Windows Event Tracing Discretionary Access Control List Denial of Service vulnerability

CVE-2022-21839 does not provide us with a lot of details. Affected is some unknown processing of the component Event Tracing Discretionary Access Control List. The exploitability is said to be easy, and it is possible to launch the attack remotely. Required for exploitation is an authentication. A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or resource, making it inaccessible to its intended users.

Windows Security Center API RCE vulnerability

CVE-2022-21874 is a publicly disclosed RCE vulnerability in the Windows Security Center API that received a CVSS score of 7.8. This vulnerability requires user interaction to exploit, and the attack vector is local.

Windows User Profile Service Elevation of Privilege (EoP) vulnerability

CVE-2022-21919 is a publicly disclosed EoP vulnerability in the Windows User Profile Service API that has received a CVSS score of 7.0. The exploitation is known to be difficult, but the attack may be initiated remotely. The requirement for exploitation is a simple authentication.

HTTP Protocol Stack RCE vulnerability

CVE-2022-21907 is not one of the zero-days, but it stands out because it is a critical vulnerability which could allow an unauthenticated attacker to send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets. While this is a vulnerability that would mostly affect servers, the fact that it requires no user interaction, there are no privileges required and it targets an elevated service makes experts believe it is wormable. There are also some questions among experts about which Windows versions are vulnerable.

The new security update guide notification system

Notifications are sent when information is added or changed in the Security Update Guide. Based on feedback, Microsoft has been working to make signing up for and receiving Security Update Guide notifications easier. Starting today, you can sign up with any email address that you want and receive notifications at that email address. There is no longer a requirement that the email be a Live ID.

To start off, you will need to create a Security Update Guide profile by clicking “Sign in” at the top right corner of the Security Update Guide. You can use any email and password here. If this is your first time signing in, a validation email will be sent with steps to verify that you have entered a valid email address.

Other security updates

Don’t forget to look at other security updates that you may need. We have seen updates from:

Update January 18

Microsoft has released emergency out-of-band (OOB) updates to address multiple issues caused by Windows Updates issued during the January 2021 Patch Tuesday. For those that were experiencing problems or holding off on the updates, this update addresses issues related to VPN connectivity, Windows Server Domain Controllers restarting, Virtual Machines start failures, and ReFS-formatted removable media failing to mount.

Stay safe, everyone!

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.