Microsoft Patch Tuesday Includes Fix for Wormable Vulnerability
On Tuesday, January 11, Microsoft released fixes for nearly 120 security issues. Nine of the vulnerabilities are rated critical and six were previously disclosed. Microsoft has also noted that one of the flaws fixed this month is “wormable,” meaning it can spread without user interaction.
This is the second wormable vulnerability in http.sys in 12 months. CVE-2021-31166, patched last May, was never widely exploited: aside from proof-of-concept exploits that caused a denial of service, no working remote code execution exploit was published. Exploit mitigation techniques in kernel-mode drivers make exploitation difficult and may buy us some more time in this case as well. Little detail has been published so far about this vulnerability.
The combination of public disclosure and an RCE flaw in the HTTP stack means attackers will be working to discover unpatched systems and exploit them. Don't make it any easier by neglecting to apply the entire bundle of patches, including the updates for Chromium-based Edge.
Labelling a flaw "wormable" draws attention and prompts quicker patching. Which versions of Windows have the affected feature enabled by default varies; see the ISC post below for details.
Read more in:
ISC SANS: Microsoft Patch Tuesday - January 2022
KrebsOnSecurity: ‘Wormable’ Flaw Leads January 2022 Patch Tuesday
Bleeping Computer: Microsoft: New critical Windows HTTP vulnerability is wormable
Microsoft: Security Update Guide