Patch Roundup – January 2022
Welcome to the first Patch Roundup blog of 2022, where we cover the latest in patch releases and vulnerability information from Microsoft, Adobe, VMware and the other major vendors.
We’re starting off this month’s blog with some information about the Cyber Essentials framework, focusing on the one control most relevant to this blog, which has changed in the newly revised requirements.
Cyber Essentials, an NCSC scheme delivered by the IASME consortium, is a set of baseline security controls designed as a basic entry point into cyber compliance. It’s a mandatory requirement for many government-related contractors, but it is also widely used by small and medium businesses of any kind as a way to demonstrate a sound security posture.
For many years the framework specified that Critical and High-rated updates should be installed within 30 days, and this was broadly in line with the generally accepted thinking when the framework was created in 2014. However, times have inevitably moved forward and the importance of prompt patching has become ever clearer, and the framework has been updated to reflect this.
As of January 2022, companies certifying to Cyber Essentials and Cyber Essentials Plus will need to demonstrate that Critical and High updates are being installed within 14 days. This stricter deadline has been widely viewed as the unofficial standard for some years, but CE is the first common framework to recognise it as a mandatory requirement included in the tests.
More information on this and other changes to the framework can be found on IASME’s website.
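As an added illustration (not part of the original post), the following PowerShell snippet turns the 14-day rule into a check an administrator can run on a Windows host: it works out the most recent Patch Tuesday, adds 14 days to get the Cyber Essentials deadline, and reports whether any security update has been recorded as installed since that release. The Get-PatchTuesday helper and the $WindowDays constant are mine; Get-HotFix is the built-in cmdlet, which only lists what Windows records as hotfixes and sometimes leaves InstalledOn blank, and it cannot tell you a given update’s severity rating. Treat it as a cadence check, not a compliance proof: a “no updates found” result is a prompt to look at Windows Update history, not evidence of a gap.

```powershell
# Added example, not from the original post: check a host's patch cadence
# against the Cyber Essentials 14-day window for Critical/High updates.

# Second Tuesday of the month containing $Month (Microsoft's Patch Tuesday).
function Get-PatchTuesday {
    param([datetime]$Month = (Get-Date))
    $firstOfMonth = (Get-Date -Year $Month.Year -Month $Month.Month -Day 1).Date
    # Days from the 1st to the first Tuesday, then one more week.
    $toTuesday = ([int][DayOfWeek]::Tuesday - [int]$firstOfMonth.DayOfWeek + 7) % 7
    return $firstOfMonth.AddDays($toTuesday + 7)
}

$WindowDays = 14   # Cyber Essentials (2022) requirement for Critical/High updates
$today = (Get-Date).Date

# Most recent Patch Tuesday on or before today.
$patchTuesday = Get-PatchTuesday -Month $today
if ($patchTuesday -gt $today) {
    $patchTuesday = Get-PatchTuesday -Month $today.AddMonths(-1)
}
$deadline = $patchTuesday.AddDays($WindowDays)

# Security updates Windows has recorded as installed since that release.
# Get-HotFix reads Win32_QuickFixEngineering; InstalledOn can be empty for
# some entries, so those are filtered out rather than treated as old.
$installedSince = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn.Date -ge $patchTuesday -and $_.Description -match 'Security' } |
    Sort-Object InstalledOn -Descending

Write-Host ("Last Patch Tuesday: {0:yyyy-MM-dd}; Cyber Essentials deadline: {1:yyyy-MM-dd}" -f $patchTuesday, $deadline)

if ($installedSince) {
    Write-Host "Security updates installed since then:"
    $installedSince | Format-Table HotFixID, Description, InstalledOn -AutoSize
} elseif ($today -gt $deadline) {
    Write-Warning ("No security update recorded since {0:yyyy-MM-dd} and the {1}-day window closed on {2:yyyy-MM-dd}: outside the Cyber Essentials window." -f $patchTuesday, $WindowDays, $deadline)
} else {
    Write-Host ("No security update recorded yet; {0} day(s) remain before the window closes." -f ($deadline - $today).Days)
}
```

Out-of-band releases (such as the Log4j-related fixes mentioned later in this post) start their own 14-day clock from their own release date, so run the same comparison against that date rather than the Patch Tuesday one when an out-of-band Critical or High update is in play.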
Microsoft Patch Tuesday
Microsoft kick off the year with a mammoth update release covering 96 new bugs on Patch Tuesday itself and 24 Chromium-specific vulnerabilities released earlier in the month. Nine of these are rated as Critical and one is known to be wormable, making it of extra concern.
Most notable is CVE-2022-21907, the aforementioned wormable bug in the HTTP protocol stack (HTTP.sys). It carries a CVSS base score of 9.8; no exploit code had been seen in the wild at the time of writing, which lowers the temporal score but not the base score. HTTP.sys is a kernel-mode driver, and while IIS is its most obvious consumer, any service that registers an HTTP listener through it (WinRM, WSUS and other HTTP-based Windows services) reaches the same code, so the flaw is not limited to hosts with the Web Server role installed. The affected releases are the supported Windows 10 versions from 1809 onwards, Windows 11, and Windows Server 2019 and 2022; on Windows Server 2019 and Windows 10 version 1809 the vulnerable path is only reachable if HTTP Trailer Support has been enabled through the EnableTrailerSupport registry value, which is off by default. Internet-facing servers are the most exposed to the exploits that will inevitably follow, and because the bug is wormable, a successful attack could spread across an internal network with no further user interaction.
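As an added example (not from the original post), this PowerShell snippet triages a host for CVE-2022-21907 exposure so patching can be prioritised. It answers three questions: is HTTP.sys running and what URLs are registered with it, is this a build where the bug is reachable by default, and what build and last security update are installed for comparison with the January 2022 advisory. The EnableTrailerSupport value and its registry path come from Microsoft’s advisory FAQ; the $affectedBuilds list is my reading of the advisory’s affected-product table and should be checked against it, and the script deliberately does not hard-code KB numbers, leaving that comparison to the reader.

```powershell
# Added example, not from the original post: triage a Windows host for
# exposure to CVE-2022-21907 (HTTP.sys) so patching can be prioritised.

$os = Get-CimInstance Win32_OperatingSystem
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$os.BuildNumber
# DisplayVersion exists from 20H2 onwards; older builds only carry ReleaseId.
$release = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }
Write-Host ("{0}  build {1}.{2} ({3})" -f $os.Caption, $build, $cv.UBR, $release)

# 1. Is the HTTP.sys driver running, and which URLs are registered with it?
#    HTTP.sys backs IIS but also WinRM, WSUS and anything else that registers
#    an HTTP listener, so a host without the Web Server role can still be exposed.
$httpDriver = Get-CimInstance Win32_SystemDriver -Filter "Name='HTTP'"
$listeners = @(netsh http show servicestate | Select-String -Pattern '://')
Write-Host ("HTTP.sys state: {0}; registered URLs: {1}" -f $httpDriver.State, $listeners.Count)
$listeners | ForEach-Object { Write-Host ("  " + $_.Line.Trim()) }

# 2. On Windows Server 2019 / Windows 10 1809 (build 17763) the vulnerable
#    code path is only reachable if HTTP Trailer Support has been enabled.
#    Microsoft's advisory names this registry value; it is absent by default.
$trailer = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters' `
            -Name EnableTrailerSupport -ErrorAction SilentlyContinue).EnableTrailerSupport
$trailerEnabled = ($trailer -eq 1)
Write-Host ("EnableTrailerSupport: {0}" -f $(if ($null -eq $trailer) { 'not set' } else { $trailer }))

# Affected builds as read from the advisory (assumption, verify against it):
# Win10 1809 / Server 2019, Win10 20H2 / Server 20H2, 21H1, 21H2, Server 2022, Win11.
$affectedBuilds = @(17763, 19042, 19043, 19044, 20348, 22000)
$reachable = if ($build -eq 17763) { $trailerEnabled } else { $affectedBuilds -contains $build }

# 3. Most recent security update recorded, to compare with the advisory's KB for this build.
$lastCU = Get-HotFix | Where-Object { $_.Description -match 'Security' -and $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastCU) { Write-Host ("Last security update: {0} on {1:yyyy-MM-dd}" -f $lastCU.HotFixID, $lastCU.InstalledOn) }

if ($reachable -and $httpDriver.State -eq 'Running' -and $listeners.Count -gt 0) {
    Write-Warning "HTTP.sys is serving requests on an affected build: confirm the January 2022 cumulative update is installed, or remove EnableTrailerSupport on build 17763 as a stop-gap."
} elseif ($reachable) {
    Write-Host "Affected build, but HTTP.sys has no registered URLs right now; still patch, since a listener can be added later."
} else {
    Write-Host "Build not in the affected list, or trailer support disabled on 17763; verify against the advisory."
}
```

Run it in an elevated session so netsh can read the HTTP service state. The URL list is the useful part for prioritisation: a host whose only registered URL is the WinRM listener on an internal address is a different risk from one serving HTTP://+:80/ at the edge, but both need the update.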
CVE-2022-21840 is also noteworthy, being a remote code execution (RCE) vulnerability in Office that affects both Windows and Mac versions as well as the baked-in SharePoint document handling. Opening a crafted Office document delivered via a phishing attack, or by downloading the file from a website hosting it, allows the attacker to run arbitrary code on the target machine and gain a foothold. At present there are no Mac-specific updates to patch the issue, though Microsoft have indicated these will be released shortly.
Adobe also released a substantial update for a number of products, notably 22 fixes for vulnerabilities in Acrobat and Reader, their most widely used products. The use of malicious PDFs in phishing is well known and many of these bugs are rated Critical, making it vital to push out updates to Acrobat and Reader promptly. Also available are patches for Illustrator, Bridge, InCopy and InDesign that include some Critical fixes.
In response to December 2021’s Log4j vulnerability, VMware have been releasing updates for various products to address the issue. Most notable is the advisory VMSA-2021-0028.8, last updated in early January, which covers a large number of tools and platforms including Horizon, vCenter Server, NSX, vRealize and a number of others. Platform admins will want to review the list carefully and roll out the updates promptly.