2022-01-12
Microsoft Patch Tuesday Includes Fix for Wormable Vulnerability
On Tuesday, January 11, Microsoft released fixes for nearly 120 security issues. Nine of the vulnerabilities are rated critical and six were previously disclosed. Microsoft has also noted that one of the flaws fixed this month is “wormable,” meaning it can spread without user interaction.
Editor's Note
This is the second wormable vulnerability in http.sys in 12 months. CVE-2021-31166, patched last May, was never widely exploited and, aside from a PoC exploit leading to denial of service, no actual remote code execution exploit was published. Exploit mitigation techniques in kernel mode drivers make exploitation difficult and may buy us some more time in this case as well. Little detail has been published so far about this vulnerability.

Johannes Ullrich
The combination of disclosure and the RCE flaw in the HTTP stack means attackers are going to be working to discover unpatched systems and exploit them. Don’t make it any easier by neglecting to apply the entire bundle of patches, including the updates for Chromium Edge.

Lee Neely
The term “wormable” gains more visibility for quicker patching. The versions of Windows that have this feature enabled by default vary. More details in the ISC post below.

Jorge Orchilles
Read more in
ISC SANS: Microsoft Patch Tuesday - January 2022
KrebsOnSecurity: ‘Wormable’ Flaw Leads January 2022 Patch Tuesday
The Register: Microsoft starts 2022 with big bundle fixes for 96 security bugs in its software
ZDNet: Microsoft January 2022 Patch Tuesday: Six zero-days, over 90 vulnerabilities fixed
Bleeping Computer: Microsoft: New critical Windows HTTP vulnerability is wormable
Microsoft: Security Update Guide