Microsoft November Security Patches Address 55 Vulnerabilities
Microsoft on Tuesday released its November security patch bundle, addressing 55 Common Vulnerabilities and Exposures (CVEs).
The November bundle is unexpectedly light, given that Microsoft typically saves its smaller patch loads for December before the holidays, explained Dustin Childs in Trend Micro's Zero Day Initiative (ZDI) blog, which offers counts and analyses. Security solutions firm Automox, in its Patch Tuesday commentary, described Microsoft's November patch count as a "27% reduction from the monthly average so far this year."
Of the 55 CVEs getting patches, six are rated "Critical" by researchers, while all of the rest are deemed "Important." Four Important CVEs in the bunch are said to be publicly known, which raises the risk for organizations. Two Important CVEs were described as having been exploited, meaning they are being used in active attacks.
Microsoft offers "Release Notes" for the November patches at this page, which has pointers to FAQs and workarounds, along with a list of the affected products.
The two CVEs getting used in attacks are CVE-2021-42321, an Important vulnerability in Microsoft Exchange Server that can lead to remote code execution (RCE) attacks, and CVE-2021-42292, an Important vulnerability in Excel that bypasses security protections.
The Exchange Server vulnerability, with a Common Vulnerability Scoring System (CVSS) ranking of 8.8 out of 10, requires the attacker to be authenticated on a system, but it's an active threat. Organizations should patch it "as soon as possible," said Satnam Narang, a staff research engineer at security solutions firm Tenable, in released comments. It's yet another Exchange Server problem to address.
"Microsoft Exchange Server has been the subject of several notable vulnerabilities throughout 2021, from ProxyLogon and associated vulnerabilities, as well as ProxyShell," Narang noted.
Microsoft also on Tuesday released general November Exchange Server security updates guidance, which can be found in this announcement.
The Excel vulnerability, which is under active exploitation, is not described in any detail by Microsoft. It allows security settings on a machine to be bypassed. Childs speculated that it could be associated with attached Excel files that can load code. He also noted that there's currently no patch available for Office for Mac users.
Narang explained a little more about the Excel vulnerability in a released comment:
Microsoft's Security Threat Intelligence Center (MSTIC) is credited with discovering this flaw, and they say that it was exploited in the wild as a zero-day. Microsoft says that the Outlook Preview Pane is not an attack vector for this vulnerability, so a target would need to open the file in order for exploitation to occur. Updates are primarily available for Windows systems, but updates for Office for Mac are not yet published.
The Publicly Known
The four publicly known vulnerabilities in this month's patch bundle were described as Important by security researchers.
The 3D Viewer issues were reported by ZDI's Mat Powell after Microsoft "failed to meet our disclosure timeline," Childs explained, and they date back to "June and July." Opening a specially crafted file could lead to RCE.
The RDP vulnerabilities are easy to exploit if an attacker already has administrative privileges, Automox explained in its commentary:
Threat actors with administrative privileges can exploit these vulnerabilities with a low complexity attack locally (with a login session on the vulnerable system). If successful, the attacker would gain read access to Windows RDP client passwords. Exposed systems include Windows 7+ (including Windows 11), as well as Windows Server 2004+ (including Server 2022).
The six critical vulnerabilities all can enable RCE. They include:
- CVE-2021-42279, a memory corruption issue in the Chakra scripting engine used in Microsoft Edge browsers (CVSS 4.2).
- CVE-2021-42298, a vulnerability in Microsoft Defender (CVSS 7.8).
- CVE-2021-42316, a vulnerability in Microsoft Dynamics 365 for on-premises environments (CVSS 8.7).
- CVE-2021-26443, a vulnerability in the Microsoft Virtual Machine Bus (CVSS 9).
- CVE-2021-3711, a vulnerability in OpenSSL (CVSS 9.8).
- CVE-2021-38666, a vulnerability in client machines using RDP when attackers have control of a Remote Desktop Server.
Microsoft indicated that no action is needed for the Critical Microsoft Defender vulnerability if organizations permit automatic malware definition updates to the product. The Microsoft Malware Protection Engine version should be at 1.1.18700.3 or later, according to Automox.
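For administrators who want to confirm that the automatic definition updates have actually delivered the engine version cited above, the following PowerShell check is an added example for this article, not code from Microsoft or Automox. It relies only on the built-in Defender cmdlets (Get-MpComputerStatus, Update-MpSignature); the function name and the output layout are this example's own.

```powershell
# Added example (not from the article): verify that the local Microsoft
# Malware Protection Engine is at or above the 1.1.18700.3 floor the
# article cites (via Automox) for the Critical Defender flaw CVE-2021-42298.
$MinimumEngine = [version]'1.1.18700.3'   # version quoted in the article

function Test-DefenderEngineVersion {
    param([version]$Minimum = $MinimumEngine)

    # Get-MpComputerStatus is the built-in Defender cmdlet; AMEngineVersion is
    # the engine version that the automatic definition updates deliver.
    $status = Get-MpComputerStatus -ErrorAction Stop
    $engine = [version]$status.AMEngineVersion

    # [version] comparison is numeric per component, so 1.1.18700.10 is
    # correctly treated as newer than 1.1.18700.3 (a string compare would not be).
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        EngineVersion     = $engine
        MinimumRequired   = $Minimum
        Patched           = ($engine -ge $Minimum)
        SignaturesUpdated = $status.AntivirusSignatureLastUpdated
        AntivirusEnabled  = $status.AntivirusEnabled
    }
}

$result = Test-DefenderEngineVersion
$result | Format-List

if (-not $result.Patched) {
    # Stale engine: pull the latest definitions now and re-check, rather than
    # waiting for the next scheduled update.
    Write-Warning "Engine $($result.EngineVersion) is below $($result.MinimumRequired); running Update-MpSignature."
    Update-MpSignature -ErrorAction Stop
    $result = Test-DefenderEngineVersion
    if (-not $result.Patched) { exit 1 }
}
```

Run the script from an elevated PowerShell session on each host, or wrap the function in Invoke-Command to sweep a fleet; a non-zero exit marks a machine whose engine is still below the required version after an update attempt.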
The Microsoft Defender vulnerability was described as "most concerning" by Danny Kim, principal architect at Virsec, in part because it bears an "exploitation more likely" assessment by Microsoft.
"This CVE [CVE-2021-42298 for Microsoft Defender] does require some user interaction," Kim said in a released statement. "However, we have seen in the past how attackers can use social engineering/phishing emails to achieve such interaction fairly easily."
The Critical vulnerability in Microsoft Virtual Machine Bus is rated "less likely" to be exploited by Microsoft. It involves an authenticated attacker sending a specially crafted packet to the host, but it can lead to all sorts of attacks from there. Automox explained the Virtual Machine Bus attack scenario as follows in its commentary:
A successful attack requires no user interaction and allows the attacker to execute arbitrary code in the host operating system. Impacted systems include Windows 10, 11, and Windows Server 2019, 2022, 2004. Threat actors can use the exploit for several nefarious activities such as denial of service (DoS) attacks on any virtual machine that shares the same host, access to personal information stored on impacted VMs, and more.
Moreover, the Virtual Machine Bus vulnerability has been around for a while and has a high CVSS ranking.
"With a CVSS of 9.0, this [CVE-2021-26443 Virtual Machine Bus flaw] is one of the more severe vulnerabilities fixed this month," Childs noted. "Based on the CVE number, this has been known to Microsoft for a few months."
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.