Microsoft And Adobe First Security Patch For 2022

Microsoft and Adobe Fixes

Adobe released five patches for January 2022 that addressed 41 CVEs in Acrobat and Reader as well as Illustrator, Adobe Bridge, InCopy, and InDesign. ZDI identified 22 of these vulnerabilities.

Acrobat and Reader receive an update that fixes 26 bugs, the most severe of which could lead to remote code execution (RCE) if a specially crafted PDF is opened. Several of these bugs were demonstrated at the Tianfu Cup, so it would not be unexpected to see these used in the wild somewhere down the line.

An update to InCopy fixes three Critical-rated RCE vulnerabilities and one Important-rated privilege escalation vulnerability. InDesign’s patch fixes two Critical out-of-bounds (OOB) write bugs that could allow code execution along with a Moderate use-after-free privilege escalation. The Adobe Bridge update fixes six bugs, but only one OOB Write issue has been deemed critical.

The remaining issues are privilege escalations and memory leaks. Finally, Illustrator’s patch addresses two OOB Read bugs that can’t cause code execution.

As of the time of the release, none of the bugs fixed by Adobe appear to be publicly known or under active attack.

CVE-2022-21907 – HTTP Protocol Stack Remote Code Execution Vulnerability

An attacker could gain code execution by sending specially crafted packets to a system that uses the HTTP Protocol Stack (http.sys) to process packets. The bug is wormable: it requires no elevated privileges and no interaction from the victim. Although this sounds server-specific, it should be noted that Windows clients can also run http.sys, so all supported versions of Windows are affected by this bug. Test and deploy the patch immediately.

CVE-2022-21846 – Microsoft Exchange Server Remote Code Execution Vulnerability

One more Exchange RCE bug, and one more Exchange bug found by the National Security Agency. This month, three Exchange RCEs are addressed, but this is the only one rated Critical. All three are listed in their CVSS scores as network adjacent, so an attacker would need to be connected to the target network in some way. It is still possible for an insider or an attacker with a foothold in the target network to exploit this vulnerability and take over the Exchange server.

CVE-2022-21840 – Microsoft Office Remote Code Execution Vulnerability

In most cases, Office-related RCE bugs are rated Important, since they require user interaction and sometimes trigger warning dialogs. This issue, however, is listed as Critical. The Preview Pane is usually an attack vector for Office bugs, but that is not the case here. The Critical rating is probably because there is no warning dialog when a specially crafted file is opened. Additionally, there are multiple patches for this bug, so make sure you apply them all. Unfortunately, no patches are available for Office 2019 for Mac or Microsoft Office LTSC for Mac 2021. Hopefully, Microsoft will release these patches soon.

CVE-2022-21857 – Active Directory Domain Services Elevation of Privilege Vulnerability

This patch fixes a bug that, under certain conditions, allowed attackers to elevate privileges across an Active Directory trust boundary. Though privilege escalations generally receive a severity rating of Important, Microsoft determined that this flaw was significant enough to rate Critical. A malicious insider or another attacker with a foothold in a network could use this to move laterally within an enterprise and maintain an identity.
