Microsoft fixes wormable RCE in Windows Server and Windows (CVE-2022-21907)
The first Patch Tuesday of 2022 is upon us, and Microsoft has delivered patches for 96 CVE-numbered vulnerabilities, including a wormable RCE flaw in Windows Server.
Among the publicly known flaws are a "Critical" RCE in curl and an "Important" RCE in libarchive, both open source libraries; these have now been marked "Fixed" in Windows 10, Windows 11 and Windows Server through the inclusion of the most recent versions of the libraries.
"Despite the rating, Microsoft notes the attack vector is adjacent, meaning exploitation will require more legwork for an attacker, unlike the ProxyLogon and ProxyShell vulnerabilities which were remotely exploitable," says Satnam Narang, staff research engineer at Tenable.
CVE-2022-21840, an RCE in Microsoft Office, and CVE-2022-21857, an elevation of privilege vulnerability in Active Directory Domain Services, should also be patched promptly.
For the moment, security updates for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 are not yet available.
Microsoft has not shared many details about CVE-2022-21857, except to say that prior to the offered update, "An attacker could elevate privileges across the trust boundary under certain conditions." Since Active Directory Domain Services is such a crucial element of many enterprises' network setup, and one that deserves particular protection, patches for this vulnerability should be applied sooner rather than later.
News URL: https://www.helpnetsecurity.com/2022/01/11/cve-2022-21907/
Related vulnerabilities

| Date | CVE | Vulnerability title | Risk |
|---|---|---|---|
| 2022-01-11 | CVE-2022-21857 | Active Directory Domain Services Elevation of Privilege Vulnerability (Microsoft products, details unspecified) | 0.0 |
| 2022-01-11 | CVE-2022-21840 | Microsoft Office Remote Code Execution Vulnerability (Microsoft products, details unspecified) | 8.8 |