Patch Tuesday: Microsoft Fixes Zero-Day Spreading Malware
Google, Apple, Adobe Also Released Critical Updates
December’s Microsoft Patch Tuesday covers 67 security fixes, one of which is a zero-day vulnerability spreading Emotet malware. Five of the other bugs are listed as publicly known, but not yet exploited.
In addition to Microsoft’s patches, Google also released Chrome 96.0.4664.110 for Windows, Mac and Linux to address a zero-day bug tracked as CVE-2021-4102 that was reported by an anonymous security researcher. The update is available in the Stable Desktop channel.
"Google is aware of reports that an exploit for CVE-2021-4102 exists in the wild," a Google security advisory states.
The company has not yet released more details on the bug.
"Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but haven’t yet fixed," Google says.
Microsoft on Tuesday released its final rollout of 2021 patches. Seven are classified as critical and 60 as important. They include seven spoofing vulnerabilities, 21 elevation of privilege vulnerabilities, 26 remote code execution vulnerabilities, 10 information disclosure vulnerabilities and three denial-of-service vulnerabilities.
"This is in addition to the 16 CVEs patched by Microsoft Edge (Chromium-based) earlier this month, which brings the December total to 83 CVEs," according to Zero Day Initiative's Dustin Childs.
Microsoft's November Patch Tuesday security update covered 55 security fixes, six of which are zero-day vulnerabilities, with two flaws actively exploited in the wild (see: 55 Patches, 6 Zero Days - Is There a Backlog at Microsoft?).
"The total number of CVEs patched by Microsoft this year is 887 - a 29% decrease from 2020. This excludes the CVEs consumed from Chrome for the Edge (Chromium-based) browser. Based on recent reports, the Microsoft bug bounty program received approximately the same number of vulnerability reports," Childs says.
"It’s unclear if Microsoft is combining multiple submissions into a single CVE or if there is a significant backlog of patches just waiting to be released. It could lead to a rough 2022 for patching. At least there are no Exchange Server patches to worry about over the holidays."
Chris Goettl, vice president of product management at Ivanti, says December 2021’s Patch Tuesday comes on the heels of the Apache Log4j zero-day vulnerability CVE-2021-44228, so expect a lot of attention to be focused on vendors scrambling to resolve Log4j-related issues.
"That said, don’t lose sight of additional patch updates from Microsoft. There are a total of 67 unique vulnerabilities resolved by Microsoft so far in December, plus four rereleases. Of the 71 total CVEs resolved this month, seven are rated as critical, six have been identified as publicly disclosed and there is an additional zero-day to note - CVE-2021-43890," Goettl says.
The latest fixes address bugs in several Microsoft products and services, including Microsoft Windows and Windows Components, PowerShell, Remote Desktop Client, Windows Hyper-V, Windows Mobile Device Management, Windows Remote Access Connection Manager, TCP/IP, Windows Update Stack, ASP.NET Core and Visual Studio, Azure Bot Framework SDK, Internet Storage Name Service, Microsoft Office and Office Components, SharePoint Server, Defender for IoT and Edge (Chromium-based).
The zero-day, tracked as CVE-2021-43890, is a spoofing vulnerability in Microsoft App Installer for Windows 10 that allows an attacker to execute code.
The latest patch for this vulnerability fixes a bug in the AppX installer that affects Windows. Microsoft states it has seen the bug used in malware in the Emotet, Trickbot and BazaLoader families.
Zero Day Initiative's Childs says that an attacker would need to craft a malicious attachment to be used in phishing campaigns and convince the user to open this specially crafted attachment.
He says code execution likely would occur at the logged-on user level, so attackers would likely combine this with another bug to take control of a system. "This malware family has been going for some time now. It seems likely it will be around for a bit longer," Childs says.
Another critical bug, tracked as CVE-2021-43215 with a CVSS score of 9.8, affects the Internet Storage Name Service, or iSNS, server and could allow remote code execution if an attacker sends a specially crafted request to an affected server.
Childs says iSNS is a protocol that enables automated discovery and management of iSCSI devices on a TCP/IP storage network. "If you’re running a SAN, or storage area network, in your enterprise, you either have an iSNS server or you configure each of the logical interfaces individually. If you have a SAN, prioritize testing and deploying this patch," he says.
Microsoft also patched a bug - tracked as CVE-2021-43899 with a CVSS score of 9.8 - in the Microsoft 4K Wireless Display Adapter, which could allow an unauthenticated attacker to execute their code on an affected device.
According to Childs, if the attacker and the Microsoft 4K Display Adapter are on the same network, the attacker can send specially crafted packets to the affected device. "Patching this won’t be an easy chore," he says.
Childs recommends that users install the Microsoft Wireless Display Adapter application from the Microsoft Store onto a system connected to the Microsoft 4K Wireless Display Adapter.
A Visual Studio Code WSL Extension remote code execution vulnerability tracked as CVE-2021-43907 with a CVSS score of 9.8 also was patched in December's Patch Tuesday by Microsoft. The affected component lets a user use the Windows Subsystem for Linux, or WSL, as a full-time development environment from Visual Studio Code.
Childs says the component allows you to develop in a Linux-based environment, use Linux-specific tool chains and utilities, and run and debug Linux-based applications all from within Windows. "That sort of cross-platform functionality is used by many in the DevOps community," he says. "This patch fixes a remote code execution bug in the extension, but Microsoft doesn’t specify exactly how that code execution could occur. They do list it as unauthenticated and it requires no user interaction, so if you use this extension, get this update tested and deployed quickly."
Another patched bug is a Microsoft SharePoint Server remote code execution vulnerability tracked as CVE-2021-42309. This bug was reported through Microsoft’s Zero Day Initiative program. The vulnerability lets an attacker elevate and execute code in the context of the service account.
The bug allows an attacker to bypass the restriction against running arbitrary server-side web controls, Childs says. An attacker would need Manage Lists permissions on a SharePoint site, but by default, any authorized user can create their own new site, where they have full permissions.
Other Notable Patches
Apple released a significant number of patches on Tuesday, which are available for iOS and iPad OS, macOS Monterey, macOS Big Sur, tvOS, and watchOS. The security updates also include fixes for Catalina.
"While none of the bugs patched are listed as being under active attack, several of these vulnerabilities were reportedly used during the last Tianfu Cup [hacking event]," Childs says. "Exploits demonstrated at this contest have received a lot of attention in the past, and this bunch will likely receive the same amount of scrutiny from researchers and attackers alike."
Adobe released a set of 11 patches addressing around 60 CVEs in Media Encoder, Premiere Pro, Prelude, Dimension, Adobe Audition, Lightroom, After Effects, Photoshop, Experience Manager, Connect, and Premiere Rush.