As system administrators, cybersecurity experts and other IT professionals work around the clock to address the Log4j vulnerability, Microsoft, Google, Apple and Adobe released a slew of security patches this week that address significant software flaws.
Microsoft and Adobe followed the typical patch Tuesday cycle, releasing a total of 78 patches across products from the two IT behemoths. However, Google and Apple also released significant security patches that IT admins should apply quickly.
For December, Microsoft issued patches for 67 vulnerabilities across a wide variety of products, including Windows, ASP.NET Core and Visual Studio, Azure Bot Framework SDK, Internet Storage Name Service, Defender for IoT, Edge (Chromium-based), Microsoft Office and Office Components, SharePoint Server, PowerShell, Remote Desktop Client, Windows Hyper-V, Windows Mobile Device Management, Windows Remote Access Connection Manager, TCP/IP, and the Windows Update Stack.
According to Trend Micro’s Zero Day Initiative (ZDI) blog, that brings Microsoft’s total number of December patches to 83 after the company patched 16 CVEs in Microsoft Edge earlier this month.
Based on insight from the blog, here is a look at some of the Microsoft vulnerabilities that should be patched immediately.
CVE-2021-43890 – Windows AppX Installer Spoofing Vulnerability
According to ZDI, this vulnerability is in the AppX installer for Windows, and it is being used in malware in the Emotet/Trickbot/Bazaloader family. It is the only Microsoft vulnerability patched this month that is currently under active exploitation. In a successful exploit, an attacker crafts a malicious attachment to be used in phishing campaigns and convinces the user to open it. Code execution occurs at the logged-on user level, so attackers would need to combine this with another bug to take full control of a system.
“Emotet is like that holiday guest that just won’t take a hint and leave,” ZDI says in the blog. “This malware family has been going for some time now. It seems like it will be around for a bit longer.”
CVE-2021-43215 – iSNS Server Remote Code Execution Vulnerability
This vulnerability in the Internet Storage Name Service (iSNS) server could allow remote code execution if an attacker sends a crafted request to an affected server. According to ZDI, iSNS is a protocol that enables automated discovery and management of iSCSI devices on a TCP/IP storage network. If you’re running a SAN in your IT environment, you either have an iSNS server or you configure each of the logical interfaces individually. This bug’s CVSS score is 9.8, so it is one to prioritize.
CVE-2021-43899 – Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability
This vulnerability in the company’s 4K Wireless Display Adapter, patched in Microsoft’s Patch Tuesday release, could allow an unauthenticated attacker to execute code on an affected device. To successfully exploit this, an attacker needs to be on the same network as the 4K Display Adapter to send specially crafted packets to the affected device. According to ZDI, this will be a difficult patch to roll out because users need to install the Microsoft Wireless Display Adapter application from the company’s store onto a system connected to the adapter. Then, they can update via the “Update & Security” section of the app. This vulnerability’s CVSS score is also 9.8, so it’s another to prioritize if you use those adapters.
CVE-2021-43907 – Visual Studio Code WSL Extension Remote Code Execution Vulnerability
This is another CVSS 9.8 flaw, a remote code execution vulnerability in the Visual Studio Code Windows Subsystem for Linux Extension. According to ZDI, the impacted product lets users use the Windows Subsystem for Linux (WSL) as a full-time development environment from Visual Studio Code. This allows users to develop in a Linux-based environment, use Linux-specific toolchains and utilities, and run and debug Linux-based applications all from within Windows. The patch fixes a remote code execution flaw in the extension.
ZDI notes that Microsoft does not offer many details about how that code execution can occur, but it is listed as unauthenticated and requiring no user interaction, so admins should patch this quickly.
CVE-2021-42309 – Microsoft SharePoint Server Remote Code Execution Vulnerability
This vulnerability allows a user to elevate privileges and execute code in the context of the service account. Attackers would need “Manage Lists” permissions on a SharePoint site, but by default, any authorized user can create their own new site with full permissions. The bug allows an attacker to bypass restrictions against running arbitrary server-side web controls.
Patch these Adobe, Google, Apple bugs, too
ZDI also noted that Adobe released 11 patches to fix 60 vulnerabilities in Adobe Audition, Lightroom, Media Encoder, Premiere Pro, Prelude, Dimension, After Effects, Photoshop, Connect, Experience Manager, and Premiere Rush.
The most severe of these updates impacts Adobe Experience Manager, with the patch fixing eight different flaws, including one rated as CVSS 9.8 and several stored cross-site scripting (XSS) issues.
None of the Adobe bugs are listed as publicly known or under active exploitation.
The blog also noted several Google Chrome security fixes, including a use-after-free bug in V8 that is listed as being exploited in the wild.
Meanwhile, Apple also released significant patches this week for iOS, iPadOS, macOS Monterey, macOS Big Sur, tvOS and watchOS, ZDI notes.