Hear what Automox Patch Tuesday experts have to say about this month’s Patch Tuesday releases. You can view a full list of the latest patches and updates from Microsoft and other third-party applications in our Patch Tuesday Index.
December 2021 Overview
General Overview - Eric Feldman
We are now in the final month of the year, and the last Patch Tuesday report for 2021. Let’s begin with a yearly recap.
From a vulnerability perspective, the year began with concerns that the count each month would continue to rise, and it certainly seemed that way up to April with its 108 total vulnerabilities. April also gave us the highest monthly number of critical vulnerabilities, topping out at a whopping 19!
While total and critical vulnerabilities dropped for two months, June then gave us our yearly high of six exploited vulnerabilities. And total vulnerabilities came roaring back with the yearly high of 116 in July, which also presented 12 critical vulnerabilities. Fortunately, that was the last time this year that we saw double-digit critical vulnerabilities, and triple-digit total vulnerabilities.
Vulnerabilities were evenly distributed across multiple Microsoft operating system components and applications. We could not find a specific component that had more than two or three vulnerabilities throughout the year. Type of vulnerability tells a different story. According to our informal count, Remote Code Execution Vulnerabilities were the most common type with about 66% of all reported critical vulnerabilities. Memory Corruption and Elevation of Privilege Vulnerabilities rounded out the top three with 8% and 6% respectively.
For 2021, there were 892 total Microsoft vulnerabilities, 101 critical, and 23 exploited. This represents monthly averages of 74.3, 8.4, and 1.9 respectively as can be seen in the table.
In December, Microsoft gave us 67 total vulnerabilities, and while that is an uptick over the previous month, it still represents 10% reduction off the monthly average. And December's number of critical vulnerabilities continues the downward trend that began in August, with 7, about 17% less than the monthly average. And good news going into the holiday season is that there is only one reported zero-day vulnerability.
Looking beyond Microsoft, we do have one urgent critical vulnerability to report. CVE-2021-44228 impacts Apache Log4j, a Java-based logging utility that is part of the Apache Logging Services project of the Apache Software Foundation. Log4j is one of several Java logging frameworks. Known as “Log4Shell,” a zero-day unauthenticated Remote Code Execution (RCE) vulnerability, it scores a perfect 10.0 on Common Vulnerability Scoring System (CVSS), which is the maximum possible criticality for a vulnerability. You can find more information on how to remediate Log4j in our blog, entitled “Log4j Critical Vulnerability Scores a 10/10 For How Bad It Is (So Act Fast).”
As we reported last month, CISA and the FBI have issued an advisory about reducing the risk of cybercrime while your organization may be operating with reduced staffing during the holiday season. For more information, be sure to read our blog “Who’s Minding the Store? How to Protect Against Cybersecurity Threats This Holiday Season,” where we give you several best practices and recommendations to help protect your environment as you get ready for the holiday season.
While Automox typically recommends that all critical and exploited vulnerabilities are patched within a 72-hour window, we advise extra vigilance this month and through the rest of the year. We recommend that all critical and exploited vulnerabilities are patched immediately to reduce exposure leading into the holiday season.
It has been our pleasure to bring you this vital information throughout the year. On behalf of all the Patch Tuesday Experts who contribute to this blog, and the entire team here at Automox, we thank you so much for your support, and we look forward to working with you in 2022. Have a wonderful and safe holiday season and a prosperous and healthy New Year!
-Eric Feldman, Senior Product Marketing Manager
Critical Vulnerability Breakdown
Gina Geisel - CVE-2021-43907 - Visual Studio Code WSL Extension Remote Code Execution Vulnerability - Critical
CVE-2021-43907 is another critical remote code execution vulnerability impacting Visual Studio Code WSL Extension. The WSL extension allows you to use VS Code on Windows to build Linux applications that run on the Windows Subsystem for Linux (WSL) enabling you to achieve the productivity of Windows while developing with Linux-based tools, runtimes, and utilities.
We are waiting for additional details from Microsoft on how this vulnerability could be exploited by an attacker or how that code execution could occur. We do know it requires no user interaction and, therefore, encourage prioritization of this CVE and patch as soon as possible.
Aleks Haugom - CVE-2021-43905 - Microsoft Office app Remote Code Execution Vulnerability - Critical
CVE-2021-43905 is a critical remote code execution vulnerability impacting Microsoft Office. As a low complexity vulnerability, an attacker can expect repeated results. Although Microsoft has not disclosed exactly what user interaction is required for the attacker to succeed they have confirmed that the Preview Pane is not an attacker vector. Given that this threat can impact resources beyond the security scope managed by the security authority immediate remediation actions are advised.
Maarten Buis - CVE-2021-42310 - Microsoft Defender for IoT Remote Code Execution Vulnerability - Critical
Microsoft Defender for IoT is used for identifying IoT/OT devices, vulnerabilities, and threats. Earlier this year Microsoft already patched a remote Code Execution Vulnerability in their IoT security solution. This Patch Tuesday, Microsoft reported 10 CVEs for this product, of which 8 are remote code execution vulnerabilities, one elevation of privilege vulnerability, and one data disclosure vulnerability. Only CVE-2021-42310 is marketed as critical, with a CVSS:3.1 BaseScore of 8.1 and TemporalScore of 7.1. The other vulnerabilities are all marked as important. Updating to the latest Microsoft Defender for IoT version will prevent threat actors from exploiting any of these vulnerabilities.
Aleks Haugom - CVE-2021-43215 - iSNS Server Memory Corruption Vulnerability Can Lead to Remote Code Execution - Critical
CVE-2021-43215 is a critical server memory corruption vulnerability impacting the Internet Storage Name Service (iSNS) that could lead to remote code execution. This low complexity attack requires an attacker to send a specially crafted message to the iSNS and then issue malicious requests to it. A successful attack requires no user interaction and allows the attacker to execute arbitrary code. The iSNS manages a purpose-built server that provides a registration function to allow all entities in a storage network to register and query the iSNS database. Microsoft has classified this vulnerability as, “Exploitation More Likely.” Automox recommends patching this vulnerability within 24 hours (before EOD Wednesday 15, 2021).
Jay Goodman - CVE-2021-43217 - Windows Encrypting File System (EFS) Remote Code Execution Vulnerability - Critical
CVE-2021-43893 - Windows Encrypting File System (EFS) Elevation of Privilege Vulnerability - High and Publicly Disclosed
Two vulnerabilities in the Windows Encrypting File System or EFS were disclosed this month. CVE-2021-43217 is a critical severity remote code execution vulnerability while CVE-2021-43893 is a high severity and publicly disclosed elevation of privilege vulnerability. While either of these vulnerabilities constitute impactful disclosures that need to be handled quickly, the combination of the two in a near universal service critical to securing and protecting data creates a unique situation. Attacks could use the combination of remote code execution with privilege elevation to quickly deploy, elevate and execute code on a target system with full system rights. This can allow attackers to easily take full control of the system as well as create a base of operations within the network to spread laterally. This is a critical pair of vulnerabilities to address as soon as possible to minimize organizational risk.
Gina Geisel - CVE-2021-43233 - Remote Desktop Client Remote Code Execution Vulnerability - Critical
CVE-2021-43233 is another critical remote code execution vulnerability impacting the Microsoft Remote Desktop Client. Similar to November’s CVE-2021-38666, an attacker with control of a remote desktop server can trigger a remote code execution (RCE) on the remote desktop protocol (RDP) client machine for when a victim, with a vulnerable Remote Desktop Client, connects to the attacking server. Unlike the previous CVE, with a low attack complexity, CVE-2021-43233 has high attack complexity. To exploit this vulnerability, an attacker requires control of a server and then must convince users to connect to it, through social engineering, DNS poisoning, or using a Man in the Middle (MITM) technique, as examples. An attacker could also compromise a legitimate server, host malicious code on it, and wait for the user to connect.
Versions of Windows 7, 8, 10 and 11 are impacted as well as Windows Server 2004, 2012 2012 R2, 2016, 2019, 2022 and 20H2. Automox recommends applying this patch as soon as possible (restart is required).
Nicholas Colyer - CVE-2021-43899 - Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability - Critical
CVE-2021-43899 is a critical remote code execution vulnerability associated with the use of the Microsoft 4K Wireless Display Adapter on firmware versions below 3.9520.47. Through malicious packet crafting, an unauthenticated attacker on the same network could exploit this vulnerability. Installing the Microsoft Wireless Display Adapter app from the Microsoft Store is the official recommendation to resolve the vulnerability by downloading the latest firmware and updating the device while connected. The two-part process of having a physical device that may not always be connected means this vulnerability may be difficult to track down without an up-to-date asset management tracking solution.
Nicholas Colyer - CVE-2021-43240 - Windows NTFS Set Short Name Elevation of Privilege Vulnerability - High and Publicly Disclosed
CVE-2021-43240 is a publicly disclosed privilege elevation vulnerability due to an 8.3 Short Name (also referred to as a DOS File Name) issue with regard to Windows NTFS. There aren’t many details around this vulnerability other than the existence of proof-of-concept code. In general, 8.3 Short Name compatibility has a sordid history of privilege escalation issues. This issue is currently tracked in Security Update KB5008206 across various Windows releases; both 32-bit & 64-bit for patch resolution.
Justin Knapp - CVE-2021-43880 - Windows Mobile Device Management Elevation of Privilege Vulnerability - High and Publicly Disclosed
CVE-2021-43880 is a publicly disclosed elevation of privilege vulnerability in Windows Mobile Device Management. If successfully exploited, the vulnerability could enable an attacker to bypass access restrictions to delete files. Exploitation requires an attacker to first log on to the system before running a specially crafted application that could exploit the vulnerability and remove files. In this scenario, an attacker would only be able to delete files and would not have the ability to gain privileges to view or modify file contents. While this doesn’t exactly represent the greatest threat for December, it’s worth noting that the low level of complexity and effort could increase the likelihood of exploitation.
Peter Pflaster - CVE-2021-43883 - Windows Installer Elevation of Privilege Vulnerability - High and Publicly Disclosed
CVE-2021-43883 is an important and publicly-disclosed elevation of privilege vulnerability in Windows Installer. Windows Installer is a commonly used application for the installation, maintenance, and removal of software. To exploit, a threat actor would need to convince an end user to run malicious code on their machine, or obtain credentials to run the code locally themselves. The vulnerability sports a CVSS 3.1 Base score of 7.1 and Temporal Score of 6.4, and is more likely to be exploited according to Microsoft.
All versions of Windows 7, 8, 10, and 11 are affected, in addition to Windows Server 2004, 2008, 2012, 2012 R2, 2016, 2019, 20H2, and 2022. Patch this promptly, and be sure to update your devices after for the patch to take effect.
Chad McNaughton - CVE-2021-41333 - Windows Print Spooler Elevation of Privilege Vulnerability - High and Publicly Disclosed
CVE-2021-41333 feels like a bad re-run, as it’s yet another Windows Print Spooler vulnerability. Much like previous Print Spooler CVEs, this is a low-privilege/low-complexity, network-level remote code execution (RCE) vulnerability that requires no user interaction. Exploiting this vulnerability would allow an attacker to execute remote code on the targeted Windows device. Between the ongoing publicity and the official Microsoft solution(s), CVE-2021-41333 may still be a critical vulnerability, however, there are remediation steps to take. If you haven’t already done so, your Windows Print Spooler should be patched within the next 72hrs, as this has been an ongoing issue with Print Spooler for months now.
Chad McNaughton - CVE-2021-43890 - Windows AppX Installer Spoofing Vulnerability CVE-2021-43890 - High Exploited and Publicly Disclosed
CVE-2021-43890 is a spoofing vulnerability within Windows AppX Installer that is currently being exploited in the wild. Microsoft is aware of attacks that have attempted to exploit this vulnerability using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader. By crafting a malicious attachment that can be used as part of a phishing campaign, an attacker could successfully bait a user into opening the malicious attachment. Users with accounts that are configured to have fewer user rights could be less impacted than users with full administrative rights. Given the critical nature of this vulnerability and the fact that there is active exploitation, organizations should take immediate action to remediate within the next 24 hours.
Google Emergency Chrome Update - Peter Pflaster
Adobe Update - Eric Feldman
Adobe has released 11 minor security updates that impact a number of applications including Adobe Premiere Pro, Adobe Connect, Adobe Photoshop, Adobe After Effects, Adobe Lightroom, Adobe Audition, and others. APSB21-101, APSB21-103, and APSB21-112 through APSB21-119, and APSB21-121 are all either arbitrary code execution, application denial-of-service, memory leak, arbitrary file system write, or privilege escalation vulnerabilities. Adobe has assigned all 11 security updates a “Priority Rating” of "3," the lowest defined level. Adobe recommends that administrators install “Priority 3” updates at their discretion.
Apple Update - Eric Feldman
Apple released a number of updates that address security issues and provide additional functionality. iOS 15.2 and iPadOS 15.2, macOS Monterey 12.1, macOS Big Sur 11.6.2, Security Update 2021-008 for macOS Catalina, tvOS 15.2, and watchOS 8.3 are now available. While the list of potential implications may impact a broad spectrum of capabilities, Apple does not typically discuss or confirm security issues until an investigation has occurred. As a result, Automox recommends prioritizing the update of all Apple mobile devices to the latest OS.
Automox for Automated IT Operations
Today’s IT leaders deserve better than tedious legacy tools to manage their infrastructure. From our single cloud-native platform, automate and scale your IT operations to meet the growing business demands of the modern workforce. With complete visibility of your entire environment, you can easily monitor, identify, and respond to issues in real-time across any endpoint, regardless of OS or location.
Demo Automox to see how you can immediately gain effortless command of your endpoints.