Microsoft fixes critical remote code execution vulnerability in Office and other 96 flaws in its January patch

At the beginning of 2021, Microsoft issued security updates for almost 100 vulnerabilities, among which 9 bugs considered critical stand out. System updates will fix all errors currently identified in Microsoft.

Among these flaws, CVE-2022-21839 stands out, a denial of service (DoS) issue in the Windows event-tracking discretionary access control list; in addition to a privilege escalation flaw in the Windows User Profile service identified as CVE-2022-21919; and a Windows certificate forgery vulnerability with CVSS key CVE-2022-21836. These flaws have medium scores according to the Common Vulnerability Scoring System (CVSS).

Three more bugs were also publicly disclosed, including a remote code execution (RCE) bug in the Windows Security Center API (CVE-2022-21874), libarchive (CVE-2021-36976), and open source curl (CVE-2021-22947).

In addition to these flaws, Microsoft addressed CVE-2022-21840, a critical bug whose exploitation requires a user to open a specially crafted file. In an attack scenario, a threat actor could exploit the vulnerability by sending the specially crafted file to the user, thereby releasing the malicious payload.

This flaw received a CVSS score of 7.7/10.

Cybersecurity specialists mention that this is the largest security update issued by Microsoft since at least July 2021. The company recommends affected users to apply these security patches as soon as possible. In addition to software updates, Microsoft recommends users apply some additional security measures, as exploiting these flaws does not pose a challenge to threat actors.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.