The New Year gets off to a busy start for Microsoft with the first security patch updates resolving over 100 vulnerabilities including six zero-days and one critical flaw identified as wormable.

A wormable vulnerability can be exploited with no human intervention allowing malware to move from one computer to another across your network.  This flaw is in the HTTP Protocol Stack (http.sys) and affects desktop versions of Windows 10 and Windows 11 along with the latest versions of Server 2022 and Server 2019.  Tracked as CVE-2022-21907 with a Critical CVSS score of 9.8, Microsoft identifies that when exploited an attacker could achieve remote code execution and: ‘recommends prioritizing the patching of affected servers.’  The vulnerability lies in the handler for HTTP trailers (which are used to delay the sending of headers until the end of a message) and this feature is enabled by default in all the most recent versions of Windows desktop and Server.

The six zero day vulnerabilities fixed this month are:

• CVE-2022-21919– Windows User Profile Service Elevation of Privilege Vulnerability
• CVE-2022-21836– Windows Certificate Spoofing Vulnerability
• CVE-2022-21839– Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability
• CVE-2022-21874– Windows Security Center API Remote Code Execution Vulnerability
• CVE-2021-22947– Open Source Curl Remote Code Execution Vulnerability
• CVE-2021-36976– Libarchive Remote Code Execution Vulnerability

Microsoft defines a zero day vulnerability as one where the vulnerability has been actively exploited or it has been publicly disclosed while an official fix is not available.