Exchange administrators who stayed up late to ring in the new year and got their bells rung thanks to a date-format error have another headache coming in the form of multiple patches for the messaging platform.
Microsoft fixed 97 unique vulnerabilities, including nine rated critical and six publicly disclosed, on January Patch Tuesday. There were no zero-day vulnerabilities this month.
Administrators who manage on-premises Exchange Server 2016 or 2019 systems got a surprise on New Year’s Day when a so-called Y2K22 date-check problem crashed the malware scanning engine and left messages stuck in the Exchange transport queues. Microsoft initially instructed administrators to disable the antimalware scanner as a workaround, then released instructions on Jan. 1 for a full-fledged correction.
“It’s not a patch, but a set of scripts people have to run,” said Chris Goettl, vice president of product management at Ivanti, an IT asset and endpoint management company. “Any organization that did the initial antimalware workaround should go back and do the proper update and restart those services, so that they’re not leaving themselves exposed.”
On January Patch Tuesday, more work awaits Exchange admins. Microsoft corrected three remote-code execution vulnerabilities (CVE-2022-21846, CVE-2022-21855 and CVE-2022-21969) for the messaging platform that appear to be variations of the same vulnerability. Each bug registers 9.0 on the Common Vulnerability Scoring System (CVSS) and has the same FAQ text saying the “vulnerability’s attack is limited at the protocol level to a logically adjacent topology,” such as a local IP subnet, meaning the attack cannot come directly from the internet.
Of the three, only CVE-2022-21846 carries a critical severity rating; the other two are rated important. Microsoft credited the National Security Agency for disclosing CVE-2022-21846. Goettl said each CVE credits a different source, which could mean more trouble for Exchange Server on the horizon.
“That could mean that they’re into a code area with more to find. With Log4j, we’ve got now five vulnerabilities that have been uncovered since the first exploit. When we dealt with PrintNightmare last year, a series of print-spooler related vulnerabilities followed,” Goettl said. “This could be the first finding with more to come or — fingers crossed — since three variations were found very close together, they’ve found all of it.”
Six public disclosures in the Windows OS resolved
All the public disclosures for January Patch Tuesday originate in the Windows OS, so applying the cumulative update for affected systems will correct those vulnerabilities.
Rated important, CVE-2022-21839 is a Windows Event Tracing Discretionary Access Control List denial-of-service vulnerability for Windows 10 and Windows Server 2019 systems. Goettl said there is proof-of-concept code for this bug, which increases the possibility of a successful exploit.
A Windows Certificate spoofing vulnerability (CVE-2022-21836) rated important affects all current Windows server and desktop systems, and the Windows 7 and Windows Server 2008 OSes in the Extended Security Update (ESU) program. Applying the patch will correct this issue, but Microsoft’s notes also recommend customers use Windows Defender Application Control to deny unapproved programs from running.
Rated important, CVE-2022-21919 is an elevation-of-privilege vulnerability in the Windows User Profile Service that affects all supported Windows systems, from the OSes in the ESU up to Windows 11 and Windows Server 2022.
A Windows Security Center API remote-code execution vulnerability (CVE-2022-21874) rated important affects newer versions of Windows.
CVE-2021-22947 and CVE-2021-36976 are both related to open source libraries used in Windows. CVE-2021-22947 corresponds to a critical remote-code execution vulnerability in curl, a command-line tool and library used to transfer data over a range of network protocols. CVE-2021-36976 is a remote-code execution vulnerability rated important in libarchive, a library that reads and writes several archive formats.
Other security updates of note from January Patch Tuesday
An HTTP Protocol Stack (HTTP.sys) remote-code execution vulnerability (CVE-2022-21907) is rated critical with a CVSS score of 9.8 and affects newer versions of Windows server and desktop systems. Because the vulnerability is “wormable,” meaning it can be exploited without user interaction and could spread from host to host, Microsoft also published a registry-based mitigation so administrators can protect systems before the patch is applied. The mitigation is only a stopgap: the cumulative update is still required.
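The registry mitigation Microsoft documented for CVE-2022-21907 applies to Windows Server 2019 and Windows 10 version 1809, where the vulnerable HTTP trailer support is off unless the EnableTrailerSupport value under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters has been set to 1. The following PowerShell is an added example written for this article, not code from Microsoft or from the advisory: it reports the current state of that value, disables trailer support if it has been turned on, and lists recently installed updates so the administrator can confirm the January cumulative update is present. The function names are this example's own, and the script assumes it is run from an elevated prompt on one of those two OS versions.

```powershell
# Added example: check and apply the interim CVE-2022-21907 mitigation on
# Windows Server 2019 / Windows 10 1809. Function names are this example's own.
# Run elevated. Restart the HTTP service (or reboot) after changing the value.
$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$ValueName  = 'EnableTrailerSupport'

function Get-TrailerSupportState {
    # Returns 'absent', '0' or '1'. Absent means trailer support is off by
    # default on the two OS versions the mitigation is documented for.
    $item = Get-ItemProperty -Path $HttpParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'absent' }
    return [string]$item.$ValueName
}

function Disable-TrailerSupport {
    # Explicitly set the value to 0 rather than deleting it, so the mitigation
    # state is visible to configuration audits and to Get-TrailerSupportState.
    if (-not (Test-Path $HttpParams)) { New-Item -Path $HttpParams -Force | Out-Null }
    Set-ItemProperty -Path $HttpParams -Name $ValueName -Value 0 -Type DWord
}

function Test-SupportedMitigationTarget {
    # The registry mitigation is documented only for build 17763 (Server 2019 / Win10 1809).
    $build = [System.Environment]::OSVersion.Version.Build
    return ($build -eq 17763)
}

if (-not (Test-SupportedMitigationTarget)) {
    Write-Warning 'This OS build is not one the registry mitigation is documented for; install the update instead.'
}

$before = Get-TrailerSupportState
Write-Host "EnableTrailerSupport before: $before"

if ($before -eq '1') {
    Disable-TrailerSupport
    Write-Host "EnableTrailerSupport after:  $(Get-TrailerSupportState)"
    Write-Host 'Restart the HTTP service or reboot for the change to take effect.'
}

# Patch state check: show the most recently installed updates so the January
# cumulative update can be confirmed; the mitigation does not replace it.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, Description, InstalledOn
```

Newer Windows versions that ship with trailer support enabled have no registry switch to turn it off, so on those systems applying the cumulative update is the only remediation; the build check above is there to make that distinction explicit rather than silently writing a value that has no effect.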
A remote-code execution vulnerability (CVE-2022-21840) rated critical affects several products in the Microsoft Office product family, including Microsoft 365 Apps for Enterprise, Microsoft Office 2019 for Mac and Windows and SharePoint Server 2019. The preview pane is not an attack vector for the vulnerability; the exploitation requires the user to open a specially crafted file that could originate from an email attachment or a compromised website.
Microsoft unveils update to patch notification system
The Microsoft Security Response Center released a blog post on January Patch Tuesday to alert customers to an update to its notification system to use any email address rather than a Live ID email account. Once registered, users can customize the settings to get one of two types of notifications: major updates and all updates.
“Major updates include new CVEs that are published and existing CVEs that are republished due to a change in software updates in the Security Updates table. Major updates, or Revisions, are marked with an incremented initial number such as 1.0, 2.0, etc.,” the company wrote in the blog. “Minor updates are changes to FAQs or Acknowledgements or other informational type revisions. These types of revisions are marked with an incremented final number such as 1.1, 3.2, etc.”
Microsoft plans to start using the new process in February and said once this notification system reaches “critical mass,” it will stop sending emails from the current system. While administrators use a variety of tools and methods to track Microsoft patch releases, an important release could go unnoticed in this era where fixes for Windows frequently come outside of the Patch Tuesday cycle.
“Edge browser updates come two or three times a month on average. People want to be notified about those things,” Goettl said. “There was what was referred to as a ‘black screen’ issue happening recently that Microsoft released an out-of-band fix for. It wasn’t security-related, but it was an operational-level issue. This could be used to notify people about those types of updates.”