HealthcareCISO

Microsoft released its January 2022 security updates, containing dozens of vulnerability patches, some of which were rated as “critical” and could lead to cyberattacks if not patched immediately.

One vulnerability, CVE-2022-21907, involves a remote code execution (RCE) flaw in the HTTP Protocol Stack. The vulnerability may be enabled in Windows server 2022, 20H2 core, and various Windows 10 and Windows 11 versions. The http.sys vulnerability is “wormable,” meaning that it does not require human interaction to spread its attack surface to another vulnerable Windows server.

“In Windows Server 2019 and Windows 10 version 1809, the HTTP...