Microsoft fixes a bug in its January Patch Day release Microsoft claims to have found and fixed a critical bug affecting Windows 11 and Windows Server 2022. The error was detected in the HTTP protocol stack used to process HTTP requests through the Windows Internet Information Services web server.
So far, no malicious abuse of the bug has been detected in the wild, nor has there been proof of concept. However, Microsoft continues to urge everyone not to delay security patches as the bug is still quite strong. It allows unauthenticated attackers to remotely execute arbitrary code without much user interaction.
Danger to home users
To exploit it, a malicious actor would have to create and send a specially crafted packet to the Windows server using the vulnerable HTTP protocol stack. Lucky is that Windows Server 2019 and Windows 10 v. 1809 do not have interrupted HTTP trailer support enabled by default.
To explain the bug and how it works, Microsoft states that this registry key must be set on vulnerable operating systems for the bug to work:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\
“EnableTrailerSupport”=dword:00000001
To protect vulnerable devices, simply disable the HTTP trailer support feature.
Microsoft has found that most businesses are probably safe because they rarely install the latest versions of Windows on their devices.
Home users, on the other hand, should be careful and apply the patch as soon as possible. It is recommended to have an up-to-date VPN and antivirus solution.
The vulnerability is tracked as CVE-2022-21907. Microsoft fixed it during Patch day this month, which fixed a total of six zero-days and nearly 100 different bugs.
Of these, Microsoft patched 41 elevations of privilege vulnerabilities, nine security feature bypass vulnerabilities, 29 remote code execution vulnerabilities, six information disclosure vulnerabilities, and nine denials of service vulnerabilities. The company also fixed three bugs related to identity theft.
