January 11, 2022

Microsoft today released updates to plug nearly 120 security holes in Windows and supported software. Six of the vulnerabilities were publicly detailed already, potentially giving attackers a head start in figuring out how to exploit them in unpatched systems. More concerning, Microsoft warns that one of the flaws fixed this month is “wormable,” meaning no human interaction would be required for an attack to spread from one vulnerable Windows box to another.

Nine of the vulnerabilities fixed in this month’s Patch Tuesday received Microsoft’s “critical” rating, meaning malware or miscreants can exploit them to gain remote access to vulnerable Windows systems through no help from the user.

By all accounts, the most severe flaw addressed today is CVE-2022-21907, a critical, remote code execution flaw in the “HTTP Protocol Stack.” Microsoft says the flaw affects Windows 10 and Windows 11, as well as Server 2019 and Server 2022.

“While this is definitely more server-centric, remember that Windows clients can also run http.sys, so all affected versions are affected by this bug,” said Dustin Childs from Trend Micro’s Zero Day Initiative. “Test and deploy this patch quickly.”

Quickly indeed. In May 2021, Microsoft patched a similarly critical and wormable vulnerability in the HTTP Protocol Stack; less than a week later, computer code made to exploit the flaw was posted online.

Microsoft also fixed three more remote code execution flaws in Exchange Server, a technology that hundreds of thousands of organizations worldwide use to manage their email. Exchange flaws are a major target of malicious hackers. Almost a year ago, hundreds of thousands of Exchange servers worldwide were compromised by malware after attackers started mass-exploiting four zero-day flaws in Exchange.

Microsoft says the limiting factor with these three newly found Exchange flaws is that an attacker would need to be tied to the target’s network somehow to exploit them. But Satnam Narang at Tenable notes Microsoft has labeled all three Exchange flaws as “exploitation more likely.”

“One of the flaws, CVE-2022-21846, was disclosed to Microsoft by the National Security Agency,” Narang said. “Despite the rating, Microsoft notes the attack vector is adjacent, meaning exploitation will require more legwork for an attacker, unlike the ProxyLogon and ProxyShell vulnerabilities which were remotely exploitable.”

Security firm Rapid7 points out that roughly a quarter of the security updates this month address vulnerabilities in Microsoft’s Edge browser via Chromium.

“None of these have yet been seen exploited in the wild, though six were publicly disclosed prior to today,” Rapid7’s Greg Wiseman said. “This includes two Remote Code Execution vulnerabilities affecting open source libraries that are bundled with more recent versions of Windows: CVE-2021-22947, which affects the curl library, and CVE-2021-36976 which affects libarchive.”

Wiseman said slightly less scary than the HTTP Protocol Stack vulnerability is CVE-2022-21840, which affects all supported versions of Office, as well as Sharepoint Server.

“Exploitation would require social engineering to entice a victim to open an attachment or visit a malicious website,” he said. “Thankfully the Windows preview pane is not a vector for this attack.”

Other patches include fixes for .NET Framework, Microsoft Dynamics, Windows Hyper-V, Windows Defender, and the Windows Remote Desktop Protocol (RDP). As usual, the SANS Internet Storm Center has a per-patch breakdown by severity and impact.

Standard disclaimer: Before you update Windows, please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.

So do yourself a favor and backup before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a decent chance other readers have experienced the same and may chime in here with useful tips.

Update, Jan. 12, 9:02 a.m.: Apparently some of the updates Microsoft released yesterday — KB5009557 (2019) and KB5009555 (2022) — are causing something to fail on domain controllers, which then keep rebooting every few minutes. That’s according to this growing thread on Reddit (hat tip to @campuscodi).


23 thoughts on “‘Wormable’ Flaw Leads January 2022 Patch Tuesday

  1. Clausewitz4.0

    Thanks Krebs for the always good security update.

    Keep up the good work, always remembering, sometimes it is difficult to catch those hackers, and sometimes it is just impossible.

  2. Dave Horsfall

    The phrase “the usual gaping chest wounds” springs to mind; it’s the only system I know of that prioritises eye-candy over security (and I’ve been programming since the late 60s; yes, even when I was in school).

    1. clippy sez

      eye candy took a bow to telemetry data, browser lockins and in-menu ads a ways back

    2. Tom Welsh

      Dave, it’s also commercially the most successful (and profitable) OS by far that the world has ever seen. Methinks the two characteristics are connected somehow. And will be, until users get smart enough to prioritise security over eye-candy.

  3. Mike Jackson

    After completing today’s Security Patches, rebooting, checking again for any Updates (W10), rebooting again, I left my machine on for a good old-fashioned defrag. Everything completed without a hitch. 90 minutes later my machine rebooted without warning. Hopefully I just missed something. And hopefully “someone” didn’t find something to make this surprise reboot.

  4. Ingmars

    If you use L2TP VPNs then I would hold off from installing these updates. KB5009543 seems to break l2tp vpn connections (I ran into this issue and it seems that more reports are surfacing on places like reddit). Uninstalling it seems to fix the issue.

  5. Nemafu

    True or false, the cumulative and only security updates (both) for windows 7 damage (bsod) system and other issues. And the only safety updates for that operating system are the NET packages and the msrt.

  6. mark

    Warning, from a friend:
    …[T]he Tuesday update from Microsoft for Windows 10 21H2 breaks at least IPSEC, L2TP, and IKEv2, probably others.

    The fix is to remove KB5009543; there may be other KB numbers if you’re not
    up tot 21H2. The removal command is (as Administrator):

    wusa /uninstall /kb:5009543

  7. aardvark9

    I can confirm that KB5009557 on my Server 2019 domain controllers does not play nicely as I’ve been dealing with constant reboots.

  8. ND

    Thankfully it was just a test environment but I still lost half a day fixing the domain controller issue.

  9. Lisa Williams

    The recently release windows updates for 2022-01 are failing upon install.

  10. Suresh Subramanian

    For me uninstall the Jan 2022 cumulative pack destroys the below

    1. No windows task bar
    2. Windows Explorer Frequently crashing

    This update wasted all my productive hours. The year update start with lot of issues. Can’t test and release without breaking the working product

  11. John Doe

    After installing KB5009543, I can’t connect to Exchange 2003 server.
    I get the message from Outlook saying
    “unable to open your default e-mail folders. The Microsoft exchange is not available. Either there are network problems or the exchange server is down”
    When I remove the KB it works.
    Any ideas?

      1. John Doe

        Ancient, legacy, off the internet service.. No one wants to rebuild it and rewrite 200,000 lines of code.

  12. Indigoapply

    The flag that enables this vulnerability is set on ADFS servers. If you have ADFS server you need to patch. I checked my 2019 servers and they did not have the required key in registry.

  13. CORTNEY BROWN

    ZERO DAY ATTACKS HAVE BEEN ONE OF THE MOST MALICIOUS THROUGHOUT THE YEARS, AND WILL CONTINUE.. WHAT IS THE SOLUTION ?

  14. edwin

    it’s crazy to think that there were that many holes, with the “wormable” one being able to cause lots of problems!

Comments are closed.