Microsoft Faces Wormable, Critical RCE Bug & 6 Zero-Days

The large January 2022 Patch Tuesday update covers nine critical CVEs, including a self-propagator with a 9.8 CVSS score.

Microsoft has addressed a total of 97 security vulnerabilities in its January 2022 Patch Tuesday update – nine of them rated critical – including six that are listed as publicly known zero-days.

The fixes cover a swath of the computing giant’s portfolio, including: Microsoft Windows and Windows Components, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Source Software, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP).

“This is an unusually large update for January,” Dustin Childs, a researcher with Trend Micro’s Zero Day Initiative (ZDI), explained. “Over the last few years, the average number of patches released in January is about half this volume. We’ll see if this volume continues throughout the year. It’s certainly a change from the smaller releases that ended 2021 [Microsoft patched 67 bugs in December].”

Zero-Day Tsunami

None of the zero-days are listed as being actively exploited, though two (CVE-2022-21919 and CVE-2022-21836) have public exploit code available. They are:

CVE-2021-22947: HackerOne-assigned CVE in open-source Curl library (RCE)

CVE-2021-36976: MITRE-assigned CVE in

Read More: https://threatpost.com/microsoft-wormable-critical-rce-bug-zero-day/177564/