• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer

My TechDecisions

  • Best of Tech Decisions
  • Topics
    • Video
    • Audio
    • Mobility
    • Unified Communications
    • IT Infrastructure
    • Network Security
    • Physical Security
    • Facility
    • Compliance
  • RFP Resources
  • Resources
  • Podcasts
  • Project of the Week
  • About Us
    SEARCH
Compliance, IT Infrastructure, Network Security, News

Admins Have 122 Microsoft Bugs To Patch This Month

IT professionals should prioritize an HTTP Protocol Stack RCE flaw and multiple Exchange Server RCE vulnerabilities.

January 11, 2022 Zachary Comeau Leave a Comment

Microsoft January Patch Tuesday
wolterke/stock.adobe.com

Microsoft has released patches for nearly 100 vulnerabilities this Patch Tuesday, including three Exchange remote code execution bugs and an HTTP protocol stack remote code execution vulnerability.

Despite the unusually large amount of patches to start the year, none are listed as being actively exploited. However, six are listed as publicly known at the time of release.

In addition to those bugs, Microsoft patched 24 vulnerabilities in Microsoft Edge and two others fixed in open-source projects earlier this month, bringing the total amount of software flaws patched in January to 122.

Zero Day Initiative, the bug disclosure arm of Trend Micro, highlights several of the bugs patched in its monthly blog that comes on Patch Tuesday.

According to ZDI, nine of the bugs are rated critical and 89 are rated important. Here’s a look at some of this month’s vulnerabilities that admins are being urged to patch:

CVE-2022-21907 – HTTP Protocol Stack Remote Code Execution Vulnerability

This bug comes with a CVSS score on 9.8, so it’s one to prioritize when patching. According to ZDI, this flaw could allow an attacker to gain remote code execution (RCE) on an affected system by sending specially crafted packets to a system utilizing the HTTP Protocol Stack to process packets.

“No user interaction, no privileges required, and an elevated service add up to a wormable bug,” ZDI says in the blog. “And while this is definitely more server-centric, remember that Windows clients can also run http.sys, so all affected versions are affected by this bug. Test and deploy this patch quickly.”

CVE-2022-21846 – Microsoft Exchange Server Remote Code Execution Vulnerability

This Exchange RCE bug was reported by the National Security Agency, so it is another one to prioritize. It is one of three Exchange RCE flaws patched this month, but the only one marked critical, with a CVSS score of 9. ZDI notes that all three are listed as adjacent in the CVSS score, so an attacker would need to be tied to the target network. However, an insider or attacker with access to the target network can use these flaws to take over the server.

CVE-2022-21840 – Microsoft Office Remote Code Execution Vulnerability

This vulnerability gets a CVSS score of 8.8 and is listed as critical, so it’s another to patch quickly. According to ZDI, the bug is likely listed as such due to a lack of warning dialogs when opening a specially crafted file, as most Office-related RCE bugs require user interaction. This bug also requires multiple patches to fix, so admins should make sure they apply all patches.

“Unfortunately, if you’re running Office 2019 for Mac and Microsoft Office LTSC for Mac 2021, you’re out of luck because there are no patches available for these products,” ZDI notes. “Let’s hope Microsoft makes these patches available soon.”

CVE-2022-21857 – Active Directory Domain Services Elevation of Privilege Vulnerability

This bug, also rated critical, could allow an attacker to elevate privileges across an Active Directory trust boundary under certain conditions, ZDI says. An attacker would need some level of privileges, but an attacker already with access to a network could use this for lateral movement and other nefarious activities, ZDI notes.

Other Microsoft patches noted by ZDI fix other critical-rated patches that impact DirectX and HEVC video extensions that could allow attackers to execute code if a user views a specially crafted media file.

There are also more than 20 less severe bugs that could lead to remote code execution,  but many of them require physical access, ZDI notes.

For the complete list of patches, visit ZDI’s blog or Microsoft’s Security Update Guide.

Adobe Patches

According to ZDI, Adobe also released patches that address 41 vulnerabilities in Acrobat, Reader, Illustrator, Adobe Bride, InCopy and InDesign. A majority of these bugs (26) are in Acrobat and Reader, including a remote code execution flaw from a specially crafted PDF. Several of those bugs were recently demonstrated, so in-the-wild exploits are a possibility.

If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!

Tagged With: Microsoft, Patch management

Related Content:

  • Cloud, SASE, Aryaka How the Cloud is Redefining Media Production and…
  • Singlewire Software mass notification interview Singlewire Software on Mass Notification Solutions
  • URI catchbox 1 Catchbox Plus: The Mic Solution That Finally Gave…
  • Engaging virtual meeting with diverse participants discussing creative ideas in a bright office space during daylight hours Diversified Survey: Workplace AV Tech is Falling Short,…

Free downloadable guide you may like:

  • Practical Design Guide for Office SpacesPractical Design Guide for Office Spaces

    Recent Gartner research shows that workers prefer to return to the office for in-person meetings for relevant milestones, as well as for face-to-face time with co-workers. When designing the office spaces — and meeting spaces in particular — enabling that connection between co-workers is crucial. But introducing the right collaboration technology in meeting spaces can […]

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Latest Downloads

Practical Design Guide for Office Spaces
Practical Design Guide for Office Spaces

Recent Gartner research shows that workers prefer to return to the office for in-person meetings for relevant milestones, as well as for face-to-fa...

New Camera Can Transform Your Live Production Workflow
New Camera System Can Transform Your Live Production Workflow

Sony's HXC-FZ90 studio camera system combines flexibility and exceptional image quality with entry-level pricing.

Creating Great User Experience and Ultimate Flexibility with Clickshare

Working and collaborating in any office environment today should be meaningful, as workers today go to office for very specific reasons. When desig...

View All Downloads

Would you like your latest project featured on TechDecisions as Project of the Week?

Apply Today!

More from Our Sister Publications

Get the latest news about AV integrators and Security installers from our sister publications:

Commercial IntegratorSecurity Sales

AV-iQ

Footer

TechDecisions

  • Home
  • Welcome to TechDecisions
  • Contact Us
  • Comment Guidelines
  • RSS Feeds
  • Twitter
  • Facebook
  • Linkedin

Free Technology Guides

FREE Downloadable resources from TechDecisions provide timely insight into the issues that IT, A/V, and Security end-users, managers, and decision makers are facing in commercial, corporate, education, institutional, and other vertical markets

View all Guides
TD Project of the Week

Get your latest project featured on TechDecisions Project of the Week. Submit your work once and it will be eligible for all upcoming weeks.

Enter Today!
Emerald Logo
ABOUTCAREERSAUTHORIZED SERVICE PROVIDERSYour Privacy ChoicesTERMS OF USEPRIVACY POLICY

© 2025 Emerald X, LLC. All rights reserved.