Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

Patch Tuesday: Web security issues in the spotlight in Microsoft’s bumper January update

A critical vulnerability in the Windows HTTP Protocol Stack presents a remote code execution (RCE) risk and could be “wormable”, Microsoft warns.

The vulnerability (tracked as CVE-2022-21907) stems from flaws in http.sys, a component of Windows that processes HTTP requests. Microsoft issued a patch to defend against the vulnerability yesterday (January 12) as part of the January edition of its regular, monthly Patch Tuesday updates.

Satnam Narang, staff research engineer at Tenable, commented: “To exploit this vulnerability, a remote, unauthenticated attacker could send a specially crafted request to a vulnerable server using the HTTP Protocol Stack.

“Microsoft warns that this vulnerability is wormable, meaning no human interaction would be required for an attack to spread from system to system.”

Danny Kim, principal architect at Virsec, added: “CVE-2022-21907 is a particularly dangerous CVE because of its ability to allow for an attack to affect an entire intranet once the attack succeeds. Microsoft has stated that this vulnerability is ‘wormable’ and should be patched immediately.”

blog post by the SANS Institute’s Internet Storm Center explains that the problem arises from coding flaws in the HTTP trailers feature.

The HTTP trailer support feature allows a sender to include additional fields in a message, a feature it turns out can be manipulated through a specially crafted message to run attacks.

Other flaws

The first Patch Tuesday in 2022 includes remediation for 126 CVEs, nine of which are rated critical.

The batch includes patches for three RCE vulnerabilities in Microsoft Exchange Server (CVE-2022-21846, CVE-2022-21969, CVE-2022-21855).

One of these flaws, CVE-2022-21846, was reported to Microsoft by the US National Security Agency

Although the flaw is not exploitable across the internet, and requires the victim and the attacker to share the same network, “an insider or attacker with a foothold in the target network could use this bug to take over the Exchange server,” a blog post by Trend Micro’s Zero Day Initiative warns.

The patch batch also includes an update for the open source cURL software, including a fix for an RCE vulnerability (CVE-2021-22947) that was originally disclosed last September.

Source: https://portswigger.net/daily-swig/patch-tuesday-web-security-issues-in-the-spotlight-in-microsofts-bumper-january-update

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two...

Cyber Security

Businesses and developers are focusing more on the security of applications in their digital environment as cyber threats and data breaches continue escalating. The...

Cyber Security

HCL BigFix is an endpoint management platform that has the capability to automate discovery, management, and remediation. It can find and fix vulnerabilities on...

Cyber Security

The Environmental Protection Agency cited a lack of resources and the sheer volume of critical vulnerabilities as the reasons for its inability to patch...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO