Microsoft Patch Tuesday for Jan. 2022 — Snort rules and prominent vulnerabilities


By Jon Munshaw and Vitor Ventura. 

Microsoft released its monthly security update Tuesday, disclosing 102 vulnerabilities across its large collection of hardware and software. This is the largest amount of vulnerabilities Microsoft has disclosed in a monthly security update in eight months, however, none of the issues have been exploited in the wild, according to Microsoft. 

2022’s first security update features nine critical vulnerabilities, with all but one of the remaining being considered “important.”

CVE-2022-21840 is one of the critical vulnerabilities, an issue in Microsoft Office that could allow an attacker to execute remote code on the targeted machine. CVE-2022-21841, CVE-2022-21837 and CVE-2022-21842 are also remote code execution vulnerabilities in the Office suite of products, though they are only rated as “important.” These four vulnerabilities are particularly of note, though, because they can be triggered by the target opening a specially crafted document, a favorite tactic of attackers. 

Microsoft Edge, the company’s web browser, contains three of its own remote code execution vulnerabilities: CVE-2022-21931, CVE-2022-21930 and CVE-2022-21929. Similar to the aforementioned Office vulnerabilities, these are easily triggerable vulnerabilities that attackers could use as initial vectors to spread malware.  

Another critical vulnerability worth mentioning is CVE-2022-21846 in Microsoft Exchange Server. Microsoft considers this vulnerability “more likely” to be exploited by adversaries. There are two other important Exchange Server vulnerabilities — CVE-2022-21969 and CVE-2022-21855 — that could allow an attacker to execute remote code on the targeted server. However, these cannot be exploited across the internet — meaning the attacker would need something specifically tied to the target, such as access to the physical shared network via a Bluetooth device or from within a secure administrative domain. 

Microsoft Exchange Server has been under fire for the past year for a series of zero-day vulnerabilities attackers were exploiting in the wild, including the Hafnium APT. We also spotted the Babuk ransomware exploiting the same set of vulnerabilities to target victims in November.  

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page

In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 40689, 40690, 58859, 58860, 58866 - 58869 and 58870 - 58875. 

0 Comments