
Prioritize These December Microsoft Patches

As if Log4j wasn't enough, Microsoft issues patches for several critical remote code execution vulnerabilities this month.

December 14, 2021 Zachary Comeau


As system administrators, cybersecurity experts and other IT professionals work around the clock to address the Log4j vulnerability, Microsoft, Google, Apple and Adobe released a slew of security patches this week that address significant software flaws.

Microsoft and Adobe followed the typical Patch Tuesday cycle, releasing a total of 78 patches across products from the two IT behemoths. However, Google and Apple also released significant security patches that IT admins should apply quickly.

For December, Microsoft issued patches for 67 vulnerabilities across a wide variety of products, including Windows, ASP.NET Core and Visual Studio, Azure Bot Framework SDK, Internet Storage Name Service, Defender for IoT, Edge (Chromium-based), Microsoft Office and Office Components, SharePoint Server, PowerShell, Remote Desktop Client, Windows Hyper-V, Windows Mobile Device Management, Windows Remote Access Connection Manager, TCP/IP, and the Windows Update Stack.

According to Trend Micro’s Zero Day Initiative (ZDI) blog, that brings Microsoft’s total number of December patches to 83 after the company patched 16 CVEs in Microsoft Edge earlier this month.

Based on insight from the blog, here is a look at some of the Microsoft vulnerabilities that should be patched immediately.

CVE-2021-43890 – Windows AppX Installer Spoofing Vulnerability

According to ZDI, this vulnerability is in the AppX installer for Windows, and it is being used in malware in the Emotet/Trickbot/Bazaloader family. It is the only Microsoft vulnerability patched that is currently under active exploitation. In a successful exploit, an attacker crafts a malicious attachment to be used in phishing campaigns and convinces the user to open it. Code execution occurs at the logged-on user level, so attackers would need to combine this with another bug to take control of a system.

“Emotet is like that holiday guest that just won’t take a hint and leave,” ZDI says in the blog. “This malware family has been going for some time now. It seems like it will be around for a bit longer.”

CVE-2021-43215 – iSNS Server Remote Code Execution Vulnerability

This vulnerability in the Internet Storage Name Service (iSNS) server could allow remote code execution if an attacker sends a crafted request to an affected server. According to ZDI, iSNS is a protocol that enables automated discovery and management of iSCSI devices on a TCP/IP storage network. If you’re running a SAN in your IT environment, you either have an iSNS server or you configure each of the logical interfaces individually. This bug’s CVSS score is 9.8, so it is one to prioritize.

CVE-2021-43899 – Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability

This vulnerability in the company’s 4K Wireless Display Adapter patched in Microsoft’s Tuesday release could allow an unauthenticated attacker to execute code on an affected device. To successfully exploit this, an attacker needs to be on the same network as the 4K Display Adapter to send specially crafted packets to the affected device. According to ZDI, this will be a difficult patch because users need to install the Microsoft Wireless Display Adapter application from the company’s store onto a system connected to the adapter. Then, they can update via the “Update & Security” section of the app. This vulnerability’s CVSS score is also 9.8, so it’s another to prioritize if you use those adapters.

CVE-2021-43907 – Visual Studio Code WSL Extension Remote Code Execution Vulnerability

This is another CVSS 9.8 flaw, a remote code execution vulnerability in the Visual Studio Code Windows Subsystem for Linux Extension. According to ZDI, the impacted product lets users use the Windows Subsystem for Linux (WSL) as a full-time development environment from Visual Studio Code. This allows users to develop in a Linux-based environment, use Linux-specific toolchains and utilities, and run and debug Linux-based applications all from within Windows. The patch fixes a remote code execution flaw in the extension.

ZDI notes that Microsoft does not offer many details about how that code execution can occur, but it is listed as unauthenticated and requiring no user interaction, so admins should patch this quickly.

CVE-2021-42309 – Microsoft SharePoint Server Remote Code Execution Vulnerability

This vulnerability allows a user to elevate privileges and execute code in the context of the service account. Attackers would need “Manage Lists” permissions on a SharePoint site, but by default, any authorized user can create their own new site with full permissions. The bug allows an attacker to bypass restrictions against running arbitrary server-side web controls.

Patch these Adobe, Google, Apple bugs, too

ZDI also noted that Adobe released 11 patches to fix 60 vulnerabilities in Adobe Audition, Lightroom, Media Encoder, Premiere Pro, Prelude, Dimension, After Effects, Photoshop, Connect, Experience Manager, and Premiere Rush.

The most severe of these updates impacts Adobe Experience Manager, with the patch fixing eight different flaws, including one rated as CVSS 9.8 and several stored cross-site scripting (XSS) issues.

None of the Adobe bugs are listed as publicly known or under active exploitation.

The blog also noted several Google Chrome security fixes, including a use-after-free bug in V8 that is listed as being exploited in the wild.

Meanwhile, Apple also released significant patches this week for iOS, iPadOS, macOS Monterey, macOS Big Sur, tvOS and watchOS, ZDI notes.
