Wormable Windows HTTP hole – what you need to know - Naked Security
Jan 12, 2022 1 min, 33 secs

Yesterday was the first Patch Tuesday of 2022, with more than 100 security bugs fixed.

We wrote up an overview of the updates, as we do every month, over on our sister site news.sophos.com: First Patch Tuesday of 2022 repairs 102 bugs.

One thing to remember about most RCE vulnerabilities is that if you can attack someone else’s computer from outside and instruct it to run a malicious program of your choice….

Where and how does the HTTP Protocol Stack get activated?

IIS itself runs as an HTTP listener on top of HTTP.sys.

As far as we can tell, the reason that this vulnerability isn’t present in earlier versions of Windows and Windows Server is that the bug was found in the code that deals with HTTP Trailers (these are like HTTP Headers, except that they are sent after the HTTP data instead of before it); HTTP Trailer support was only added after support for HTTP/2; and HTTP/2 support only arrived in the Windows 10 era.
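What the trailers described above look like on the wire, as an added example that is not from the original article: a minimal parser for HTTP/1.1 chunked transfer coding (the RFC 9112 framing, chosen here as the illustration) that separates headers, body and trailers. The sample message, the `X-Checksum` field and the function names are constructed for illustration.

```python
# Constructed sample, not captured traffic: an HTTP/1.1 response that uses
# chunked transfer coding and carries one trailer field after the body.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Trailer: X-Checksum\r\n"
    b"\r\n"
    b"5\r\nhello\r\n"
    b"7;ext=1\r\n, world\r\n"
    b"0\r\n"
    b"X-Checksum: abc123\r\n"
    b"\r\n"
)


def parse_fields(lines):
    """Turn b'Name: value' lines into a dict keyed by lower-cased name."""
    fields = {}
    for line in lines:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError(f"malformed field line: {line!r}")
        fields[name.strip().lower().decode()] = value.strip().decode()
    return fields


def split_chunked(raw):
    """Return (headers, body, trailers) for one chunked HTTP/1.1 message."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header section is not terminated")
    headers = parse_fields(head.split(b"\r\n")[1:])  # skip the status line
    body, pos = b"", 0
    while True:  # chunk loop: "<hex size>[;ext]\r\n<data>\r\n"
        eol = rest.index(b"\r\n", pos)  # ValueError if truncated
        size = int(rest[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            break  # last-chunk: the trailer section starts here
        if size < 0 or rest[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk size does not match chunk data")
        body += rest[pos:pos + size]
        pos += size + 2
    trailer_lines = []
    while True:  # trailer fields run until an empty line
        eol = rest.index(b"\r\n", pos)
        if eol == pos:
            break
        trailer_lines.append(rest[pos:eol])
        pos = eol + 2
    return headers, body, parse_fields(trailer_lines)
```

The trailer field arrives only after the zero-size chunk, which is why a server needs a separate parsing path for it after the body has been read.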

If you are truly unable to patch right away, and if you know that you are not running (or at least do not intend to run) any web-based software that uses HTTP.sys, you can temporarily block HTTP.sys on your computer by setting the following registry entry:

We installed Server 2022, enabled IIS, created a home page and verified from another computer that it worked.

As far as I can see, Windows 8.1 does have HTTP.sys (as listed above, this driver was added in the Windows 7 era) but Windows 8.1 doesn’t suffer from this particular vulnerability, which seems to have entered the codebase from Windows 10 onwards.

So you mean to say if it's Windows 10 or later, it needs to have the 2022 Tuesday Patch installed?

There are Patch Tuesday updates for all supported versions of Windows.
