Microsoft January 2022 Patch Tuesday: Six zero-days, over 90 vulnerabilities fixed

Microsoft has released 96 security fixes including updates to address six zero-day vulnerabilities.

In the Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, Microsoft has fixed problems including remote code execution (RCE) exploits, privilege escalation flaws, spoofing issues, and cross-site scripting (XSS) vulnerabilities. 

Products impacted by January 2022’s security update include Microsoft Exchange Server, the Office software line, Windows Defender, Windows Kernel, RDP, Cryptographic Services, Windows Certificate, and Microsoft Teams. 

The zero-day vulnerabilities resolved in this update are: 

CVE-2021-22947: HackerOne assigned CVE: An open source Curl RCE allowing for Man-in-The-Middle (MiTM) attacks.
CVE-2021-36976: MITRE assigned CVE: An open source Libarchive use-after-free bug leading to RCE.
CVE-2022-21874: A local Windows Security Center API RCE vulnerability (CVSS 7.8).
CVE-2022-21919: A Windows User Profile Service Elevation of Privilege security issue (CVSS 7.0), PoC exploit code recorded.
CVE-2022-21839: Windows Event Tracing Discretionary Access Control List Denial-of-Service (DoS) (CVSS 6.1).
CVE-2022-21836: Windows Certificate spoofing, PoC code recorded (CVSS 7.8).

None of the zero-day flaws above are known to have been exploited in the wild. A total of 24 vulnerabilities were patched earlier this month in Microsoft Edge (Chromium-based). According to the Zero Day Initiative (ZDI), this volume is unusual for

Read More: https://www.zdnet.com/article/microsoft-january-2022-patch-tuesday-six-zero-days-over-90-vulnerabilities-fixed/#ftag=RSSbaffb68