Microsoft closes installer hole abused by Emotet malware, Google splats Chrome bug exploited in the wild

Patch Tuesday It’s not just Log4j you need to worry about this week. It’s the final Patch Tuesday of the year.

If you haven’t already installed these fixes, or started testing them ahead of deployment, now would be a good time before exploits are developed and deployed over the Christmas break. At least two of them – one in Windows AppX Installer and one in Chrome – are being exploited in the wild right now.

Let’s start with Microsoft, which put out a summary of its security updates here. All manner of products are affected, from the Windows kernel to PowerShell to Office to the beleaguered Print Spooler.

According to Dustin Childs at the Zero Day Initiative, 67 CVE-listed bugs, seven of which are considered critical, have been hopefully squashed by Redmond in its latest patch batch. And when you include the Chromium bugs fixed in Edge, the total hits 83, we’re told.

Here are some of the more notable bugs, critical or otherwise:

Windows AppX Installer: (CVE-2021-43890) It seems this spoofing vulnerability can be exploited to trick someone into installing a malicious software package. Indeed, according to Microsoft, this can be used in phishing campaigns to produce message attachments that activate when opened. The flaw has been abused in the wild to spread the Emotet, aka Trickbot and Bazaloader, malware.

iSNS Server: (CVE-2021-43215) A critical remote-code execution vulnerability in Microsoft’s Internet Storage Name Service, which is not enabled by default but is typically turned on for managing iSCSI devices on a storage network. Sending a specially crafted request to the server, even as an unauthenticated user, can lead to code execution and system compromise.

Microsoft 4K Wireless Display Adapter: (CVE-2021-43899) A critical bug in this hardware gadget’s firmware can be exploited over the network by an unauthenticated miscreant to hijack it.

Microsoft Defender for IoT: (CVE-2021-42310) A critical remote-code execution flaw in this security product, prior to version 10.5.2, can be exploited over a network by a non-authenticated miscreant. Details are minimal though one assumes it’s possible to feed specially crafted data into this software to compromise it.

Microsoft Office app: (CVE-2021-43905) Again, Microsoft is cagey about this critical remote-code execution hole in versions of its app prior to 18.2110.13110.0, which is typically automatically updated anyway. It’s likely an attacker will require a victim to open a booby-trapped document to achieve code execution; viewing it in the preview pane isn’t enough.

Remote Desktop Client: (CVE-2021-43233) This network-based critical remote-code execution flaw requires the user to take some action; presumably, exploitation involves getting a victim to connect to a malicious remote-desktop server, something the peeps at Tenable noted, too.

Visual Studio Code WSL Extension: (CVE-2021-43907) This critical remote-code execution hole can be exploited remotely with no user interaction required, and Microsoft is mum on the details. This sounds potentially awful for developers, so grab the update as soon as you can.

Windows Encrypting File System: (CVE-2021-43217) According to Microsoft, “an attacker could cause a buffer overflow write leading to unauthenticated non-sandboxed code execution.” Crucially, the encrypting filesystem doesn’t even have to be running to be vulnerable and exploitable. This is also a two-part patch, starting this month and completing in March 2022, which suggests this critical remote-code execution flaw, which doesn’t require authentication, is non-trivial.

“The initial deployment phase starts with the Windows updates released on December 14, 2021,” Microsoft noted. “The updates will enable packet-level privacy for EFS when the client initiates a connection, and the server will only allow connections with packet-level privacy.

“The second phase, planned for a Q1 2021 release, marks the transition into the enforcement phase. Support for the AllowAllCliAuth registry key will be removed and servers will require packet-level privacy regardless of the registry key setting.”

On top of this, there is an elevation-of-privilege bug (CVE-2021-43893) in EFS that can be combined with the above to really cause some admin-level damage on a victim’s system.

And there are plenty more programming blunders. There’s a remote-code execution flaw in SharePoint Server (CVE-2021-42309) that requires authentication to exploit. The following have exploit code available for them, though they aren’t necessarily being abused in the wild: NTFS Set Short Name elevation-of-privilege (CVE-2021-43240); Windows Installer elevation-of-privilege (CVE-2021-43883); Windows Mobile Device Management elevation-of-privilege (CVE-2021-43880); and Windows Print Spooler elevation-of-privilege (CVE-2021-41333).

And there’s a shed-load of other patches for Microsoft Defender for IoT, HEVC Video Extensions, Excel, Storage Spaces Controller, Visual Studio Code, Windows Common Log File System Driver, Windows Recovery Environment Agent, and more.

Meanwhile, Apple released macOS, iOS and iPadOS, tvOS, and watchOS security fixes on Monday.

On Tuesday, Adobe patched scores of bugs in 11 of its products, including code execution holes in Photoshop, Premiere Pro, and After Effects on Windows and macOS, and a privilege-escalation vulnerability in Lightroom on Windows. Like the Apple flaws, none are said to be under active attack.

On Monday, Google issued Chrome 96.0.4664.110 for Windows, macOS, and Linux, which addresses five serious vulnerabilities, one of which – CVE-2021-4102, a use-after-free flaw in the V8 JavaScript engine – is being actively exploited in the wild.

Finally, SAP issued 10 security notes. There are a bunch of serious bugs patched in SAP Commerce (localization for China) that appear to stem from flaws discovered in XStream, a Java library for serializing objects to XML and back.

There’s also what’s described as a “code injection vulnerability in SAP ABAP Server & ABAP Platform,” plus an SQL-injection hole in SAP Commerce, an XSS vuln in SAP Knowledge Warehouse, a command-injection flaw in SAP NetWeaver AS ABAP, and other security blunders in the enterprise IT giant’s code. ®