The first Patch Tuesday release of 2022 includes fixes for 97 CVEs, nine of which are rated critical, including four zero-day vulnerabilities that were publicly disclosed but were not exploited in the wild.
“Microsoft patched CVE-2022-21907, a critical remote code execution flaw in the HTTP Protocol Stack. To exploit this vulnerability, a remote, unauthenticated attacker could send a specially crafted request to a vulnerable server using the HTTP Protocol Stack. Microsoft warns that this vulnerability is wormable, meaning no human interaction would be required for an attack to spread from system to system. As such, organisations that utilise the HTTP Protocol Stack should prioritise patching this vulnerability as soon as possible.
“Additionally, Microsoft patched three remote code execution vulnerabilities in Microsoft Exchange Server (CVE-2022-21846, CVE-2022-21969, CVE-2022-21855). All three are rated as ‘exploitation more likely.’ One of the flaws, CVE-2022-21846, was disclosed to Microsoft by the National Security Agency. Despite the rating, Microsoft notes the attack vector is adjacent, meaning exploitation will require more legwork for an attacker, unlike the ProxyLogon and ProxyShell vulnerabilities which were remotely exploitable.”
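The quoted advice is to prioritise patching any host that relies on the HTTP Protocol Stack (HTTP.sys). The script below is an added example, not part of the article or of any Microsoft tooling, that a defender can run on a Windows host to answer two exposure questions for CVE-2022-21907: does anything on this box actually listen through HTTP.sys, and is HTTP trailer support switched on. The registry path and the EnableTrailerSupport value name come from Microsoft's advisory for this CVE, which states that Windows Server 2019 and Windows 10 version 1809 are only vulnerable when that value is set; the rest (variable names, output shape) is illustrative, and the script assumes an elevated PowerShell session.

```powershell
# Added example (not from the article): exposure check for CVE-2022-21907 on a
# Windows host. Run from an elevated PowerShell prompt.
# Registry path/value name are from Microsoft's advisory; everything else is illustrative.

$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

# 1. Does anything depend on HTTP.sys? netsh lists every URL prefix currently
#    registered with the HTTP Protocol Stack (IIS, WinRM, WSUS, custom services).
$listeners = netsh http show servicestate |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '^HTTPS?://' } |
    Sort-Object -Unique

# 2. Is HTTP trailer support enabled? Per the advisory this only decides
#    vulnerability on Server 2019 / Windows 10 1809; newer builds are affected
#    regardless, so treat this as one signal, not a verdict.
$trailer = (Get-ItemProperty -Path $paramKey -Name EnableTrailerSupport `
    -ErrorAction SilentlyContinue).EnableTrailerSupport

$os = Get-CimInstance -ClassName Win32_OperatingSystem

[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    OSVersion            = $os.Version
    HttpSysListeners     = @($listeners).Count
    EnableTrailerSupport = if ($null -eq $trailer) { 'not set' } else { $trailer }
    Listeners            = (@($listeners) -join '; ')
}
```

A non-zero listener count means the host serves traffic through HTTP.sys and belongs at the front of the patch queue; confirm the actual patch state through your patch-management system or Get-HotFix rather than from this output alone.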