Today’s VERT Alert addresses Microsoft’s January 2022 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-981 on Wednesday, January 12th.

In-The-Wild & Disclosed CVEs

CVE-2022-21919

This vulnerability is a bypass of CVE-2021-34484, released by the same researcher, Abdelhamid Naceri. The researcher first tweeted about the bypass on October 22 and shared a blog post with details and links to a proof of concept. According to Naceri, the initial fix only removed CDirectoryRemove based on the original proof of concept that was provided; it did not resolve the underlying issue, which has been fixed with today’s update.

Microsoft has rated this as Exploitation More Likely on the latest software release on the Exploitability Index.

CVE-2021-36976

This vulnerability describes an issue in the libarchive library, which is used by Windows. The vulnerability was found by OSS-Fuzz in March 2021 and disclosed in June 2021. The libarchive library was updated in August 2021, and Microsoft is now issuing an update in January 2022. Details of the OSS-Fuzz-reported issue can be found here.

Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.

CVE-2022-21836

This vulnerability was first disclosed in a blog post from Eclypsium on September 23, 2021. Expired and revoked certificates could be used to bypass binary verification in the Windows Platform Binary Table (WPBT). According to Microsoft, “The primary purpose of WPBT is to allow critical software to persist even when the operating system has changed or been reinstalled in a ‘clean’ configuration.” This patch and advisory do two things. First, the patch adds compromised certificates to the Windows kernel driver block list (driver.stl) to block the compromised signing certificates. Second, the advisory also advises that people set up Windows Defender Application Control (WDAC)
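As an added defender-side check (not part of the VERT alert or Microsoft's advisory), the PowerShell function below reports whether a firmware-delivered WPBT binary is present on a host and whether its Authenticode signature is still valid. It assumes, from public WPBT documentation rather than from this page, that Windows writes the payload to %SystemRoot%\System32\wpbbin.exe before executing it at boot; the function name and the output fields are this example's own.

```powershell
# Added example, not code from the alert. Assumption: the WPBT payload is
# materialised at %SystemRoot%\System32\wpbbin.exe (path not stated on the page).
function Get-WpbtBinaryStatus {
    [CmdletBinding()]
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\wpbbin.exe')
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{
            Present = $false; Path = $Path; Status = 'NoWpbtBinary'
            Signer = $null; NotAfter = $null; Flag = $false
        }
    }

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $expired = ($null -ne $cert) -and ($cert.NotAfter -lt (Get-Date))

    # Flag anything whose chain is not currently Valid, plus signatures whose
    # signing certificate has already expired: the Eclypsium finding was that
    # expired or revoked certificates were still accepted for WPBT binaries.
    # Note: this cmdlet does not consult the kernel driver block list
    # (driver.stl); that enforcement happens in code integrity, not here.
    [pscustomobject]@{
        Present  = $true
        Path     = $Path
        Status   = $sig.Status   # Valid, NotSigned, NotTrusted, HashMismatch, UnknownError
        Signer   = if ($cert) { $cert.Subject } else { $null }
        NotAfter = if ($cert) { $cert.NotAfter } else { $null }
        Flag     = ($sig.Status -ne 'Valid') -or $expired
    }
}

Get-WpbtBinaryStatus | Format-List
```

A Present = $true result with Flag = $true is a cue to inspect the firmware vendor's WPBT payload and to confirm that the January 2022 update and a WDAC policy are applied on that host.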