Microsoft urges Windows users to patch critical HTTP vulnerability
Microsoft has fixed a critical vulnerability which affects several versions of its operating system including Windows 11 and Windows Server 2022.
The security bug is an HTTP vulnerability which is tracked as CVE-2022-21907 and Microsoft warns it is wormable. The company has issued a fix for the flaw and says that users should prioritize installing it to secure their systems.
- Microsoft releases KB5009566 update to fix long-standing Windows 11 issue
- Microsoft reveals 'powerdir' macOS vulnerability that allows unauthorized user data access
- Microsoft acknowledges that the KB5008212 update breaks Outlook search in Windows 10
While not currently known to be actively exploited, the HTTP Protocol Stack Remote Code Execution vulnerability remains serious due to the attack complexity being given a rating of "Low". Analysis of the vulnerability shows that "an attacker can expect repeatable success against the vulnerable component" and that an attack can be carried out without user action.
Microsoft also says:
The vulnerable component is bound to the network stack and the set of possible attackers extends beyond the other options listed, up to and including the entire Internet. Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers).
Details of the vulnerability have not been shared for obvious reasons, but there is a little more information to be found in the Microsoft Security Response Center. While there is a registry key that can be edited to protect some versions of Windows, the advice is to check for updates to make sure the patch is installed.