در این بروزرسانی مایکروسافت 97 آسیب پذیری (بدون احتساب 29 آسیب پذیری Microsoft Edge) 9 موردآسیب پذیری به عنوان بحرانی و 88 مورد به عنوان مهم برطرف کرده است.
تعداد هر نوع آسیب پذیری شامل:
• 41 آسیب پذیری Elevation of Privilege
• 9 آسیب پذیری Security Feature Bypass
• 29 آسیب پذیری Remote Code Execution
• 6 آسیب پذیری Information Disclosure
• 9 آسیب پذیری Denial of Service
• 3 آسیب پذیری Spoofing
شش آسیب پذیری Zero-day برطرف شد، که هیچ کدام از آنها به طور فعال مورد سوء استفاده قرار نگرفتند.
بروزرسانی سه شنبه این ماه شامل اصلاحاتی برای رفع شش آسیبپذیری روز صفر است که به طور عمومی فاش شدهاند. خبر خوب این است که هیچ یک از آنها به طور فعال در حملات مورد سوء استفاده قرار نگرفته اند.
مایکروسافت آسیب پذیری هایی را که به صورت عمومی افشا می شود و به صورت فعال مورد سوء استفاده قرار می گیرد و هیچ بروزرسانی امنیتی برای آن منتشر نشده در دسته Zero-day طبقه بندی می کند.
مایکروسافت همچنین آسیبپذیری های روز صفر دیگرکه بهصورت عمومی فاش شده به عنوان بخشی از بروزرسانی سه شنبه دسامبر 2021 را برطرف کرد:
• آسیب پذیری CVE-2021-22947 – Open Source Curl Remote Code Execution
• آسیب پذیری CVE-2021-36976 – Libarchive Remote Code Execution
• آسیب پذیری CVE-2022-21919 – Windows User Profile Service Elevation of Privilege
• آسیب پذیری CVE-2022-21836 – Windows Certificate Spoofing
• آسیب پذیری CVE-2022-21839 – Windows Event Tracing Discretionary Access Control List Denial of Service
• آسیب پذیری CVE-2022-21874 – Windows Security Center API Remote Code Execution
هر دو آسیبپذیری Curl و Libarchive قبلاً رفع شده بود، اما تا امروز این اصلاحات به ویندوز اضافه نشده بود.
بروز رسانی های اخیر از سایر شرکت ها: سایر شرکت هایی که در ماه ژانویه بروزرسانی هایی را منتشر کردند عبارتند از:
• بروز رسانی های ژانویه Adobe امروز منتشر شد.
• بروزرسانیهای امنیتی دسامبر اندروید هفته گذشته منتشر شد.
• سیسکو در این ماه بروزرسانیهای امنیتی را برای محصولات متعددی از جمله Cisco Prime Infrastructure و Cisco Common Services Platform Collector منتشر کرد.
• SAP بروز رسانی های امنیتی ژانویه 2022 خود را منتشر کرد.
بروزرسانیهای امنیتی سهشنبه ژانویه 2022
لیست کامل این بروز رسانی ها در جدول زیر قابل مشاهده می باشد:
| Tag | CVE ID | CVE Title | Severity |
|---|---|---|---|
| .NET Framework | CVE-2022-21911 | .NET Framework Denial of Service Vulnerability | Important |
| Microsoft Dynamics | CVE-2022-21932 | Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability | Important |
| Microsoft Dynamics | CVE-2022-21891 | Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2022-0105 | Chromium: CVE-2022-0105 Use after free in PDF | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2022-0102 | Chromium: CVE-2022-0102 Type Confusion in V8 | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2022-0104 | Chromium: CVE-2022-0104 Heap buffer overflow in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2022-0101 | Chromium: CVE-2022-0101 Heap buffer overflow in Bookmarks | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2022-0103 | Chromium: CVE-2022-0103 Use after free in SwiftShader | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2022-0109 | Chromium: CVE-2022-0109 Inappropriate implementation in Autofill | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2022-0110 | Chromium: CVE-2022-0110 Incorrect security UI in Autofill | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2022-0108 | Chromium: CVE-2022-0108 Inappropriate implementation in Navigation | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2022-0106 | Chromium: CVE-2022-0106 Use after free in Autofill | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2022-0107 | Chromium: CVE-2022-0107 Use after free in File Manager API | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2022-21954 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2022-21970 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2022-21931 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2022-21929 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Moderate |
| Microsoft Edge (Chromium-based) | CVE-2022-21930 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2022-0099 | Chromium: CVE-2022-0099 Use after free in Sign-in | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2022-0100 | Chromium: CVE-2022-0100 Heap buffer overflow in Media streams API | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2022-0098 | Chromium: CVE-2022-0098 Use after free in Screen Capture | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2022-0096 | Chromium: CVE-2022-0096 Use after free in Storage | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2022-0097 | Chromium: CVE-2022-0097 Inappropriate implementation in DevTools | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2022-0116 | Chromium: CVE-2022-0116 Inappropriate implementation in Compositing | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2022-0117 | Chromium: CVE-2022-0117 Policy bypass in Service Workers | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2022-0115 | Chromium: CVE-2022-0115 Uninitialized Use in File API | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2022-0113 | Chromium: CVE-2022-0113 Inappropriate implementation in Blink | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2022-0114 | Chromium: CVE-2022-0114 Out of bounds memory access in Web Serial | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2022-0118 | Chromium: CVE-2022-0118 Inappropriate implementation in WebShare | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2022-0111 | Chromium: CVE-2022-0111 Inappropriate implementation in Navigation | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2022-0112 | Chromium: CVE-2022-0112 Incorrect security UI in Browser UI | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2022-0120 | Chromium: CVE-2022-0120 Inappropriate implementation in Passwords | Unknown |
| Microsoft Exchange Server | CVE-2022-21969 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important |
| Microsoft Exchange Server | CVE-2022-21846 | Microsoft Exchange Server Remote Code Execution Vulnerability | Critical |
| Microsoft Exchange Server | CVE-2022-21855 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important |
| Microsoft Graphics Component | CVE-2022-21904 | Windows GDI Information Disclosure Vulnerability | Important |
| Microsoft Graphics Component | CVE-2022-21903 | Windows GDI Elevation of Privilege Vulnerability | Important |
| Microsoft Graphics Component | CVE-2022-21915 | Windows GDI+ Information Disclosure Vulnerability | Important |
| Microsoft Graphics Component | CVE-2022-21880 | Windows GDI+ Information Disclosure Vulnerability | Important |
| Microsoft Office | CVE-2022-21840 | Microsoft Office Remote Code Execution Vulnerability | Critical |
| Microsoft Office Excel | CVE-2022-21841 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2022-21837 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important |
| Microsoft Office Word | CVE-2022-21842 | Microsoft Word Remote Code Execution Vulnerability | Important |
| Microsoft Windows Codecs Library | CVE-2022-21917 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical |
| Open Source Software | CVE-2021-22947 | Open Source Curl Remote Code Execution Vulnerability | Critical |
| Role: Windows Hyper-V | CVE-2022-21901 | Windows Hyper-V Elevation of Privilege Vulnerability | Important |
| Role: Windows Hyper-V | CVE-2022-21900 | Windows Hyper-V Security Feature Bypass Vulnerability | Important |
| Role: Windows Hyper-V | CVE-2022-21905 | Windows Hyper-V Security Feature Bypass Vulnerability | Important |
| Role: Windows Hyper-V | CVE-2022-21847 | Windows Hyper-V Denial of Service Vulnerability | Important |
| Tablet Windows User Interface | CVE-2022-21870 | Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability | Important |
| Windows Account Control | CVE-2022-21859 | Windows Accounts Control Elevation of Privilege Vulnerability | Important |
| Windows Active Directory | CVE-2022-21857 | Active Directory Domain Services Elevation of Privilege Vulnerability | Critical |
| Windows AppContracts API Server | CVE-2022-21860 | Windows AppContracts API Server Elevation of Privilege Vulnerability | Important |
| Windows Application Model | CVE-2022-21862 | Windows Application Model Core API Elevation of Privilege Vulnerability | Important |
| Windows BackupKey Remote Protocol | CVE-2022-21925 | Windows BackupKey Remote Protocol Security Feature Bypass Vulnerability | Important |
| Windows Bind Filter Driver | CVE-2022-21858 | Windows Bind Filter Driver Elevation of Privilege Vulnerability | Important |
| Windows Certificates | CVE-2022-21836 | Windows Certificate Spoofing Vulnerability | Important |
| Windows Cleanup Manager | CVE-2022-21838 | Windows Cleanup Manager Elevation of Privilege Vulnerability | Important |
| Windows Clipboard User Service | CVE-2022-21869 | Clipboard User Service Elevation of Privilege Vulnerability | Important |
| Windows Cluster Port Driver | CVE-2022-21910 | Microsoft Cluster Port Driver Elevation of Privilege Vulnerability | Important |
| Windows Common Log File System Driver | CVE-2022-21897 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important |
| Windows Common Log File System Driver | CVE-2022-21916 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important |
| Windows Connected Devices Platform Service | CVE-2022-21865 | Connected Devices Platform Service Elevation of Privilege Vulnerability | Important |
| Windows Cryptographic Services | CVE-2022-21835 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | Important |
| Windows Defender | CVE-2022-21921 | Windows Defender Credential Guard Security Feature Bypass Vulnerability | Important |
| Windows Defender | CVE-2022-21906 | Windows Defender Application Control Security Feature Bypass Vulnerability | Important |
| Windows Devices Human Interface | CVE-2022-21868 | Windows Devices Human Interface Elevation of Privilege Vulnerability | Important |
| Windows Diagnostic Hub | CVE-2022-21871 | Microsoft Diagnostics Hub Standard Collector Runtime Elevation of Privilege Vulnerability | Important |
| Windows DirectX | CVE-2022-21898 | DirectX Graphics Kernel Remote Code Execution Vulnerability | Critical |
| Windows DirectX | CVE-2022-21918 | DirectX Graphics Kernel File Denial of Service Vulnerability | Important |
| Windows DirectX | CVE-2022-21912 | DirectX Graphics Kernel Remote Code Execution Vulnerability | Critical |
| Windows DWM Core Library | CVE-2022-21852 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important |
| Windows DWM Core Library | CVE-2022-21902 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important |
| Windows DWM Core Library | CVE-2022-21896 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important |
| Windows Event Tracing | CVE-2022-21872 | Windows Event Tracing Elevation of Privilege Vulnerability | Important |
| Windows Event Tracing | CVE-2022-21839 | Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability | Important |
| Windows Geolocation Service | CVE-2022-21878 | Windows Geolocation Service Remote Code Execution Vulnerability | Important |
| Windows HTTP Protocol Stack | CVE-2022-21907 | HTTP Protocol Stack Remote Code Execution Vulnerability | Critical |
| Windows IKE Extension | CVE-2022-21843 | Windows IKE Extension Denial of Service Vulnerability | Important |
| Windows IKE Extension | CVE-2022-21890 | Windows IKE Extension Denial of Service Vulnerability | Important |
| Windows IKE Extension | CVE-2022-21883 | Windows IKE Extension Denial of Service Vulnerability | Important |
| Windows IKE Extension | CVE-2022-21889 | Windows IKE Extension Denial of Service Vulnerability | Important |
| Windows IKE Extension | CVE-2022-21848 | Windows IKE Extension Denial of Service Vulnerability | Important |
| Windows IKE Extension | CVE-2022-21849 | Windows IKE Extension Remote Code Execution Vulnerability | Important |
| Windows Installer | CVE-2022-21908 | Windows Installer Elevation of Privilege Vulnerability | Important |
| Windows Kerberos | CVE-2022-21920 | Windows Kerberos Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2022-21881 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2022-21879 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Libarchive | CVE-2021-36976 | Libarchive Remote Code Execution Vulnerability | Important |
| Windows Local Security Authority | CVE-2022-21913 | Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass | Important |
| Windows Local Security Authority Subsystem Service | CVE-2022-21884 | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | Important |
| Windows Modern Execution Server | CVE-2022-21888 | Windows Modern Execution Server Remote Code Execution Vulnerability | Important |
| Windows Push Notifications | CVE-2022-21867 | Windows Push Notifications Apps Elevation Of Privilege Vulnerability | Important |
| Windows RDP | CVE-2022-21851 | Remote Desktop Client Remote Code Execution Vulnerability | Important |
| Windows RDP | CVE-2022-21850 | Remote Desktop Client Remote Code Execution Vulnerability | Important |
| Windows RDP | CVE-2022-21893 | Remote Desktop Protocol Remote Code Execution Vulnerability | Important |
| Windows Remote Access Connection Manager | CVE-2022-21914 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | Important |
| Windows Remote Access Connection Manager | CVE-2022-21885 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | Important |
| Windows Remote Desktop | CVE-2022-21964 | Remote Desktop Licensing Diagnoser Information Disclosure Vulnerability | Important |
| Windows Remote Procedure Call Runtime | CVE-2022-21922 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important |
| Windows Resilient File System (ReFS) | CVE-2022-21961 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important |
| Windows Resilient File System (ReFS) | CVE-2022-21959 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important |
| Windows Resilient File System (ReFS) | CVE-2022-21958 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important |
| Windows Resilient File System (ReFS) | CVE-2022-21960 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important |
| Windows Resilient File System (ReFS) | CVE-2022-21963 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important |
| Windows Resilient File System (ReFS) | CVE-2022-21892 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important |
| Windows Resilient File System (ReFS) | CVE-2022-21962 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important |
| Windows Resilient File System (ReFS) | CVE-2022-21928 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important |
| Windows Secure Boot | CVE-2022-21894 | Secure Boot Security Feature Bypass Vulnerability | Important |
| Windows Security Center | CVE-2022-21874 | Windows Security Center API Remote Code Execution Vulnerability | Important |
| Windows StateRepository API | CVE-2022-21863 | Windows StateRepository API Server file Elevation of Privilege Vulnerability | Important |
| Windows Storage | CVE-2022-21875 | Windows Storage Elevation of Privilege Vulnerability | Important |
| Windows Storage Spaces Controller | CVE-2022-21877 | Storage Spaces Controller Information Disclosure Vulnerability | Important |
| Windows System Launcher | CVE-2022-21866 | Windows System Launcher Elevation of Privilege Vulnerability | Important |
| Windows Task Flow Data Engine | CVE-2022-21861 | Task Flow Data Engine Elevation of Privilege Vulnerability | Important |
| Windows Tile Data Repository | CVE-2022-21873 | Tile Data Repository Elevation of Privilege Vulnerability | Important |
| Windows UEFI | CVE-2022-21899 | Windows Extensible Firmware Interface Security Feature Bypass Vulnerability | Important |
| Windows UI Immersive Server | CVE-2022-21864 | Windows UI Immersive Server API Elevation of Privilege Vulnerability | Important |
| Windows User Profile Service | CVE-2022-21895 | Windows User Profile Service Elevation of Privilege Vulnerability | Important |
| Windows User Profile Service | CVE-2022-21919 | Windows User Profile Service Elevation of Privilege Vulnerability | Important |
| Windows User-mode Driver Framework | CVE-2022-21834 | Windows User-mode Driver Framework Reflector Driver Elevation of Privilege Vulnerability | Important |
| Windows Virtual Machine IDE Drive | CVE-2022-21833 | Virtual Machine IDE Drive Elevation of Privilege Vulnerability | Critical |
| Windows Win32K | CVE-2022-21882 | Win32k Elevation of Privilege Vulnerability | Important |
| Windows Win32K | CVE-2022-21876 | Win32k Information Disclosure Vulnerability | Important |
| Windows Win32K | CVE-2022-21887 | Win32k Elevation of Privilege Vulnerability | Important |
| Windows Workstation Service Remote Protocol | CVE-2022-21924 | Workstation Service Remote Protocol Security Feature Bypass Vulnerability | Important |
منبع:
https://www.bleepingcomputer.com
