Patch Tuesday January 2022: Microsoft Pushes Updates for 29 Security and Non-Security Issues. Log4j Bug Hunt Continues.

Patch Tuesday January 2022 Roundup.

The Patch Tuesday January bout brings 29 security- and non-security-related updates, including four issues rated as “Important”. Meanwhile, the Log4J hunt continues, with Microsoft identifying (and patching) additional log4j-related vulnerabilities, all of them discovered weeks after the initial December disclosure. Most of the updates released by Microsoft revolved around the Chromium-based Edge browser, designed to resolve exploits such as Remote Code Execution and Elevation of Privileges.

Patch Tuesday January 2022 Roundup

Although not as galloping as December’s bout, Patch Tuesday January 2022 does have its own high notes. Microsoft’s Chromium-based browser received numerous improvements – 29, to be precise– including four patches for issues previously labeled as “Important”. The issues in question are CVE-2022-21970, CVE-22022-21930, CVE-2022-21931, and CVE-2022-21954. Microsoft’s list also contains an exploit labeled as “Moderate” – CVE-2022-21929. Apart from the patches included in the company’s monthly advisory, we should also expect patches, updates, and miscellaneous improvements for Adobe’s Acrobat Reader, Thunderbird, and Microsoft Exchange Server.

CVE-2022-21930 – Chromium-based RCE (Remote Code Execution)

A design flaw in an undisclosed Microsoft Edge component would allow a threat actor to remotely execute arbitrary code on the victim’s machine without privilege escalation. The issue was marked as solved. A security patch is available for download.

CVE-2022-21929 – Chromium-based RCE (Remote Code Execution)

Threat actors may leverage a design flaw in Microsoft Edge for the purpose of executing malicious code on the victim’s machine. CVE-2022-21929 has received an official fix at the beginning of January 2022.

CVE-2022-21931 – Chromium-based RCE (Remote Code Execution)

A flawed Edge component can be leveraged by a threat actor to execute arbitrary code on the victim’s machine. Microsoft noted that the attack surface is local-only. The threat actor does not require elevated privileges to execute the malicious package.

CVE-2022-21954 – Chromium-based Elevation of Privilege

A flaw discovered in one of Edge’s components may be leveraged by a threat actor to obtain higher privileges. The attack vector is network only. Microsoft marked the issue as resolved. A patch is available for download.

CVE-2022-21970 – Chromium-based Elevation of Privilege

A defective Chromium-based Microsoft Edge component may be leveraged by a threat actor to gain elevated privileges on the victim’s machine. The attack surface is local-only. Microsoft has already pushed a security patch to solve the issue.

Additional Cybersecurity Advice

Grabbing the latest security and non-security patches is but one of the steps you’ll need to take in order to secure your business infrastructure. For those of you who want to play it safe, here are some more actions you can take.

  • Automate your patching flow. Handling numerous licensed software can become challenging even for the aptest IT administrator. The best way to ensure that all your endpoints’ apps and software are up-to-speed, security-wise, you should find a way to automate your patching flow. Heimdal™ Patch & Asset Management can greatly enhance your patching game, allowing you to deliver 3rd party, Windows, proprietary, and Microsoft Optional Updates to any endpoint or server, regardless of their locations or time-zones.
  • First come, first served. Prioritize your patches – security patches should always be deployed before the optional ones.
  • Being the early bird. Deploy the security patches as soon as they become available. In traditional patching, the IT admin would’ve had to work out a seek-download-and-deploy schedule and stick by it. With automatic patching, this issue is a thing of the past.
  • Vulnerability scanning. Apart from deploying the latest security patches, you should also conduct your own vulnerability scanning to identify hidden flaws. From there, you can either download/request a patch from the software’s vendor or develop one yourself.


Patch Tuesday December 2022 was more about Microsoft’s Chromium-based browser than other issues.  Log4j’s legacy lives on and it would be some time until the issue’s sorted out. As always, stay safe, don’t click on dubious links, subscribe, and email me if you have any more questions.

Additional resources:

Did you enjoy this article? Follow us on LinkedInTwitterFacebookYoutube, or Instagram to keep up to date with everything we post!

Concept photo of DNS security by Heimdal

DNS Security 101: The Essentials You Need to Know to Keep Your Organization Safe

All you need to find out about DNS security. Ways to secure your company-owned DNS server.
what is patch management

Patch Management Explained. What It Is, Best Practices and Benefits

All You Need to Know about Patch Management. And Why Automated Patch Management Will Simplify Your Sysadmins’ Life.  
What type(s) of two-factor authentication do you use when logging into your accounts?

Heimdal™ Threat Hunting Journal: January E.O.M Edition

Top Malware(s) Detection: 1st of January – 31st of January

Heimdal™ Security’s threat hunting journal continues to bring you the latest in threat detection and malware prevalence. Just in case you’ve missed it, last month’s uncrowned malware king was the trojan with over 28,000 positive detections, spread across six strains. Be sure to check out last month’s threat hunting edition for more info about your favourite malware strain and/or variant. Without further ado, here are the ‘goodies’ which came across our way in January.

Top Malware(s) Detection: 1st of January – 31st of January

As expected, king trojans still clutches to its ‘well-earned’ title – 10 strains, totaling a whopping 13,751 positive detections. Last month’s probing saw an increase in malware exploiting Java-side vulnerabilities (257,465 hits for JS/Redir.G13). Interestingly enough, the infamous JS/Redir.G13 has yet to bob up this month, instead of warming the seat for TR/Patched.Ren.Gen4, is a trojan notorious for its infectious and destructive capabilities.

Compared to the previous months (see the previous edition), the number of positive detections associated with Patched.Ren.Gen4 has gone down (19,181 during November – January 1st probing vs. 11,111 during January 1st – January 31st probing), but it did manage to claw its way up to the top of our hitlist. As far as distribution is concerned, we have a couple of new contenders (e.g. PUA/InstallCore.Gen – 443 positive detections, EXP/PyShellCode.A – 174 positive detections, WORM/Conficker.AK – 149 positive detections, etc.) as well as several old ‘acquaintances’ (e.g. TR/Dropper.Gen – 284 positive detections, W32/Floxif.hdc – 452 positive detections, and ACAD/Bursted.AN with 741 positive hits).

For the purpose – or sake! – of concision, we’ll only be covering the newly-detection malware. The complete list of IDed threats can be found below. Enjoy!

TR/Patched.Ren.Gen4 11111
W32/Chir.B 4689
EXP/CVE-2006-3649 2324
EXP/CVE-2010-2568.A 1723
ACAD/Bursted.AN 741
TR/Dropper.MSIL.Gen 519
TR/Crypt.XPACK.Gen 464
W32/Floxif.hdc 452
PUA/InstallCore.Gen 443
TR/AutoIt.CI.14 441
SPR/KeyFind.A 429
W32/Ramnit.C 352
TR/Dropper.Gen 284
TR/Downloader.Gen 262
W32/Sality.Patched 223
TR/AD.Macoute.bbi 215
TR/Patched.Ren.Gen 201
W32/Run.Ramnit.C 194
ADWARE/JsPopunder.G 194
EXP/PyShellCode.A 174
ADWARE/Adware.Gen2 157
WORM/Conficker.AK 149
W32/Virut.Gen 147
W32/Renamer.A 147
X97M/Agent.7450476 143
TR/Patched.Gen 136
DR/FakePic.Gen 133
VBS/Ramnit.abcd 123
ADWARE/BrowseFox.Gen4 119
TR/Patched.Ren.Gen7 118

Top Malware(s) Detailed

1. EXP/CVE-2006-3649

A buffer overflow defect present in apps, OS, and Microsoft products running obsolete VBS SDK versions allows the attacker to run arbitrary code on the victim’s machine.

2. TR/Dropper.MSIL.Gen

A software for cryptocurrency management (i.e. wallet) with trojan-like capabilities. Its purpose is to silently install a backdoor on the victim’s machine – usually the Backdoor.Fynloski.C. This backdoor’s purpose is to turn off UAC notifications and invalidate the EnableLUA function under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\Policies\ System.

3. PUA/InstallCore.Gen

A PUA-class (i.e., Potentially Unwanted Application) malware whose purpose is to write itself in the Windows Temp file and silently connect to malicious websites to download malware binaries and other files.

4. TR/AutoIt.CI.14

A trojan affecting Windows-running endpoints, capable of rewriting svchost.exe and all registries associated with Shell, DisableRegistryTools, AtTaaskMaxHour, and Msn Messenger.

5. SPR/KeyFind.A

PUP (Potentially Unwanted Program) is used to potentially install backdoors, connect to malicious URLs to download additional malicious components or perform spyware-type functions.

6. W32/Ramnit.C

A W32/Runmni.C variant. Please see the previous article for additional information on this trojan.

7. TR/Downloader.Gen

A trojan download or similar. The threat may have self-installation capabilities (ie., downloads silently in the background and waits for a reboot to establish connection to Command & Control server).

8. TR/AD.Macoute.bbi

Similar to AD.Macoute.edpwe – a trojanized worm capable of eavesdropping, process spawning, and Win registry modification.

9. ADWARE/JsPopunder.G

An adware-type threat that leverages specially crafted JavaScript packages that display additional pop-ups under legitimate ads.

10. EXP/PyShellCode.A

A shellcode-type threat that allows the threat actor to execute malicious code on the victim’s machine. It can also be used to install backdoors, spyware, or unpack ransomware components.

11. WORM/Conficker.AK

Conficker worm variant. Uses network sharing, Windows AutoPlay, and unpatched vulnerabilities to propagate. The Conficker worm is preponderantly used by threat actors for DoS, data leaking, and ops disruption.

12. W32/Virut.Gen

A polymorphic virus from the Virut family. Its capabilities include advanced obfuscation (EPO), memory lodging, and file infection for persistence and self-replication purposes.

13. W32/Renamer.A

A virus with worm-like capabilities. Renamer.A’s forte is renaming legitimate Windows files, hiding them in other folders, and taking the place of said legitimate files.

14. X97M/Agent.7450476

Also known as Mailcab. A, X97M is a macro virus designed to infect and spread through .xls documents. It also displays worm-like features – by taping into Outlook’s database, it can send itself to other email addresses.

15. TR/Patched.Gen

A variant of TR/Patched.Ren.Gen. Please see the previous article for additional information.

16. DR/FakePic.Gen

Dropper-type malware designed to unpack malware or components onto the victim’s machine.

17. ADWARE/BrowseFox.Gen4

The fourth generation of the BrowseFox adware, a PUP designed to display potentially malicious ads and popups on the victim’s machine.

18. TR/Patched.Ren.Gen7

A trojan from the Patched.Ren. family capable of auto-execution on reboot, system disruption, and/or destruction. It can also ramp up resource consumption, alter system files, download adware/spyware or install backdoors.

Additional Cybersecurity Advice & Parting Thoughts

This about wraps it up with our threat hunting journal. As I’ve said in the intro, this month was a smorgasbord of malware – some old, some new, one more dangerous than the next. Before we conclude, Heimdal would like to share with you some cybersecurity tips on how to keep your assets and endpoints safe from malware. Enjoy and don’t forget to subscribe!

  1. Disable macros. Newer versions of Microsoft Excel or Word have macros disabled by default. However, if you’re running an older version, please ensure that the auto-run macro feature is disabled. To do that, click on File, select Option, and then Trust Center. Look for the Macros Setting tab under Trust Center Settings and click on “Disable all Macros”.
  2. Keep tabs on resource consumption. It would be a good idea to always keep an eye on your machine’s resource consumption rate. Using Task Manager’s performance gauge is okay, but there are far better tools out there – Rainmeter, FreeMeter, Process Explorer, TinyResMeter. Give them a try.
  3. Update your AV. Don’t dismiss those AV update prompts as soon as they hit your screen. They could very well be a difference between a squeaky-clean PC and a non-responsive brick. Deploy those updates as soon as they become available. Don’t forget that AV should do more than wipe viruses. Heimdal’s Next-Gen Endpoint Antivirus can detect and break brute-force attempts, lock your USB ports, remote wipe/lock your machine, and terminate any type of malicious encryption attempt when used together with Ransomware Encryption Protection.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Dark Herring malware cover picture

Dark Herring Malware on the Hunt for 105M Android Devices

Compromised Android Apps that Steal Your Money!

Chaes Banking Trojan Wreaks Havoc Online

The Malware Is Apparently Making Use of Malicious Chrome Extensions.
what is eradication in cybersecurity - concept image

What is Eradication in Cybersecurity? An Essential Part Of Incident Response Plans

Any Organization Can Become the Victim of a Cyberattack. Incident Response Plans Tell You How to Deal With Them. Learn More!