Microsoft today released its final Patch Tuesday rollout of 2021 with 67 security fixes, one of which patched a zero-day vulnerability spreading Emotet malware and five of which are now publicly known but not yet exploited.
Today's fixes address bugs in several Microsoft products and services, including Windows, Azure Bot Framework SDK, Defender for IoT, Microsoft Office and Office Components, SharePoint Server, PowerShell, Remote Desktop Client, Windows Hyper-V, Windows Mobile Device Management, Windows Update Stack, ASP.NET Core and Visual Studio, and Windows Hyper-V.
It's worth noting that Microsoft also patched 16 CVEs in its Chromium-based Edge browser earlier this month. This ups its December patch total to 83 vulnerabilities and its yearly total to 887, which marks a 29% drop from 2020, notes Dustin Childs of Trend Micro's Zero-Day Initiative in a Dec. 14 blog post.
The flaw being actively exploited (CVE-2021-43890) is a spoofing bug in the AppX installer that affects Windows. Microsoft says it's aware of attacks "that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader." An attacker could create a malicious attachment to use in a phishing campaign and then convince a victim to open the attachment. Victims with fewer user rights may be less affected than those who operate with full admin rights.
Another vulnerability worth prioritizing is CVE-2021-43215, a remote code execution flaw in the Internet Storage Name Service (iSNS) that could allow an attacker to execute code if they send a specially crafted request to a vulnerable server. The iSNS is a client-server protocol that allows clients to query an iSNS database. This bug has low attack complexity, requires low privileges and no user interaction, and has a CVSS score of 8.8.
"As this protocol is used to facilitate data storage over the network, it would be a high-priority target for attackers looking to damage an organization's ability to recover from attacks like ransomware," says Kevin Breen, director of cyber threat research at Immersive Labs. "These services are also typically trusted from a network perspective — which is another reason attackers would choose this kind of target."
Breen also notes the flaw is critical to patch for those operating iSNS services, but this isn't a default component, so check before bumping it up the priority list.
CVE-2021-43883 is a publicly known elevation of privilege vulnerability in Windows Installer. It has a CVSS score of 7.1 and is considered "exploitation more likely" by Microsoft, with low attack complexity, low privileges, and no user interaction required. This flaw affects both server and desktop versions of Windows and could allow a local user to escalate their privileges.
The other publicly known vulnerabilities this month are all elevation of privilege flaws that exist in Windows Encrypting File System (CVE-2021-43893), NTFS Set Short Name (CVE-2021-43240), Windows Mobile Device Management (CVE-2021-43880), and Windows Print Spooler (CVE-2021-41333).
Microsoft Office RCE vulnerability CVE-2021-43905 stands out both for its high CVSS score of 9.6 and a classification of "exploitation more likely" from Microsoft. An attack would require low attack complexity and no privileges, though user interaction is required. Microsoft notes in its release that the Preview Pane is not an attack vector for this flaw, and the Microsoft Store will automatically update affected users. It does not specify how an attack for this might work or the immediate risk — which could make things tough for infosec teams, Breen notes.
"This can make it difficult for security teams to prioritize or put mitigations in place if quick patching is not available — especially when security teams are already tied down with other critical patching," he explains. And with many security pros tied up patching the recently disclosed Log4j vulnerability, this could certainly pose an issue for many practitioners.
Another standout in this month's roundup is the group of Microsoft Defender for IoT patches. One patch is categorized as critical; another nine are classified as important.