Patch Tuesday As the US season of giving thanks and turkey carnage approaches, let us reflect upon Microsoft’s November Patch Tuesday, which has bestowed 55 CVEs and the promise of continued employment for the IT admins who have to clean up the recurring mess of software.
Only six of the vulnerabilities are considered “Critical,” the rest are just “Important.”
Affected applications include: 3D Viewer, Azure (including RTOS and Sphere), Dynamics, Edge, Exchange Server, Office, Power BI, Role: Windows Hyper-V, Visual Studio, Visual Studio Code, and multiple Windows components (including the Codecs Library).
It is a meager harvest compared to the 71 flaws flagged in October but more bountiful than the mere 44 vulnerabilities spotted in August.
Nonetheless, Microsoft watchers have concerns. “Historically speaking, 55 patches in November is a relatively low number,” mused Zero-Day Initiative’s Dustin Childs in a review of the bundle. “Last year, there were more than double this number of CVEs fixed.”
Childs wonders whether there’s a backlog of unreleased patches, given that the industry trend is toward more patches. A December deluge, perhaps? Tune in next month.
Four of the November bugs have already been publicly disclosed: 3D Viewer Remote Code Execution Vulnerabilities (CVE-2021-43209 and CVE-2021-43208); Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerabilities (CVE-2021-41371 and CVE-2021-38631).
Two are actively being exploited: Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-42321) and Microsoft Excel Security Feature Bypass Vulnerability (CVE-2021-42292).
Childs notes that while the Exchange flaw requires authentication, it should still be dealt with promptly.
And you may not have a choice if you work for Uncle Sam. “If you are a federal or government body in the US, you may also be bound by the recent CISA directive 22-01 that puts an emphasis on faster patching of exploits that are actively being used by attackers,” said Kev Breen, director of cyber Threat research at Immersive Labs in an email to The Register. “This vulnerability – along with CVE-2021-42292 – would likely fall into that category.”
Microsoft has published further details for admins addressing the flaw.
As for the Excel security bypass, it’s a bug that allows remote code execution if the victim opens a maliciously crafted file. Microsoft’s patch fixes it, but not for macOS, said Childs.
The highest rated bug in terms of severity is an OpenSSL decryption buffer overflow (CVE-2021-3711) that affects Visual Studio Code. It’s a remote code execution flaw that gets a 9.8 out of 10.
On a related note, Microsoft has enhanced its reporting by expanding its use of the Common Vulnerability Scoring System (CVSS) to describe all disclosed flaws.
“The Microsoft Security Response Center has been scoring Windows and Browser vulnerabilities since 2016,” the Windows giant explained in an online post. “Now we are scoring every vulnerability and displaying the details that make up that score in the new version of the Security Update Guide.”
Enterprise biz SAP also had a slow patch day with only eight new and three revised fixes.
In a blog post, Onapsis security researcher Thomas Fritsch said the only flaw to qualify as “HotNews” – SAP’s euphemism for “Critical” – is Security Note #3099776, which gets a CVSS score of 9.6. It’s a privilege escalation flaw that affects the SAP ABAP (Advanced Business Application Programming) runtime environment Platform Kernel.
“The vulnerability affects trusted connections to other systems via RFC and HTTP communication, allowing the user to execute application-specific logic in other systems,” explains Fritsch. “SAP optimistically labeled the CVSS vector of the vulnerability as low impact on availability despite the fact that a business user ‘… is able to read and modify data…’ Due to the criticality and the impact on systems beyond the vulnerable system, we strongly recommend applying the corresponding kernel patch.”
Adobe, after publishing 14 security bulletins covering 92 CVEs two weeks ago, appears to be spent and could only muster the energy to push out three bulletins – for RoboHelp Server, InCopy, and Creative Cloud, covering four CVEs.
RoboHelp Server for Windows is affected by a critical arbitrary code execution flaw; InCopy for Windows and macOS is affected by a critical arbitrary code execution flaw and a application denial of service bug; and the Creative Cloud Desktop Application for macOS is bedeviled by an application denial of service vulnerability.
At the beginning of the month, Google published patches for 39 CVEs affecting the Android Open Source Project and components from MediaTek and Qualcomm. One of these – CVE-2021-1048 – “may be under limited, targeted exploitation.” It’s a critical use-after-free flaw in the kernel. ®