Microsoft December Security Patches Arrive, but Log4j Takes Center Stage
Microsoft on Tuesday released security patches for 67 common vulnerabilities and exploits, even as organizations are scrambling to address a Log4j flaw in Apache servers that's under active exploit.
Of Microsoft's December patch total, seven vulnerabilities are labeled "Critical" by security researchers. There are six "Important" vulnerabilities, but they've all been publicly exposed before Microsoft's Tuesday patch release, which ups risks for organizations.
In addition, one of those six Important vulnerabilities, namely CVE-2021-43890, a Windows AppX Installer spoofing flaw for Windows 10 systems, is known to have been exploited. It's this month's zero-day vulnerability.
CVE-2021-43890 has been "linked to attacks associated with the Emotet/TrickBot/Bazaloader family," which was shut down in January but reemerged in November, according to Satnam Narang, staff research engineer at security solutions firm Tenable, via e-mail. He explained how an attack might work, as follows:
To exploit this vulnerability, an attacker would need to convince a user to open a malicious attachment, which would be conducted through a phishing attack. Once exploited, the vulnerability would grant an attacker elevated privileges, particularly when the victim’s account has administrative privileges on the system. If patching isn't an option, Microsoft has provided some workarounds to protect against the exploitation of this vulnerability.
A nice overall summary of Microsoft's December patches can be found in this Trend Micro Zero Day Initiative post by Dustin Childs. Good commentary by Automox security experts can also be found in Automox's December "Patch Tuesday" post.
Also released this month were Adobe patches, Apple patches and Google Chrome patches.
There's no end to the amount of alerts about a security flaw in Log4j. Alerts popped up on Friday, and have poured forth ever since. The volume of Log4j alerts seems almost to eclipse the scale of Microsoft's monthly "update Tuesday" patch event, which is generally a pretty big thing.
Log4j is a Java code logging utility overseen by the Apache Software Foundation that's widely used in Web servers. It's subject to remote code execution attacks by sending the server log messages, typically via HTTP requests. Attackers can use this method to direct Log4j's lookup function to a Lightweight Directory Access Protocol (LDAP) server that the attackers control.
Many organizations are affected by the Log4j vulnerability. Security solutions firm Huntress offered a short list, noting that millions of apps use it, including apps from "Apple, Twitter, Steam, Tesla, Apache (e.g. Apache Struts, Solr and Druid), ElasticSearch and video games (e.g. Minecraft)."
Update 12/15: A spokesperson for Redis clarified that "that none of Redis' services have been impacted by the Log4j vulnerability," so that entry was deleted from Huntress' list of affected software. For a CISA list of affected software, maintained, in part, by security researcher Kevin Beaumont, see this GitHub page.
Attacks using the Log4j vulnerability are presently active. They are being labeled "Log4Shell," and denoted as CVE-2021-44228, a vulnerability that scores 10 (out of 10) on the Common Vulnerability Scoring System (CVSSS) threat ranking index.
Almost every organization that addresses software security has issued advice on the Log4j vulnerability, such as upgrading to Log4j version 2.15.0. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a notice on Friday, followed by a "Guidance" post and a community-sourced repository. French security professional "SwitHak" has compiled a list of vendor and organizational advice on the Log4j issue in this GitHub post.
Organizations may not even know if they are using Log4j. Security solutions provider Trend Microsoft has released a scanner tool to detect it in a computing environment. It also described the Log4Shell problem in this post.
Critical Microsoft Vulnerabilities
The seven Critical vulnerabilities in Microsoft's December patch bundle are all rated high on the CVSS index, with three having scores of 9.8. Here's a list of them:
- CVE-2021-43215, an iSNS Server remote code execution (RCE) vulnerability (CVSS 9.8).
- CVE-2021-43899, a Microsoft 4K Wireless Display Adapter RCE vulnerability (CVSS 9.8).
- CVE-2021-43907, a Visual Studio Code Windows Subsystem for Linux extension RCE vulnerability (CVSS 9.8).
- CVE-2021-43905, a Microsoft Office app RCE vulnerability (CVSS 9.6).
- CVE-2021-42310, a Microsoft Defender for IoT RCE vulnerability (CVSS 8.1).
- CVE-2021-43217, a Windows Encrypting File System RCE vulnerability (CVSS 8.1).
- CVE-2021-43233, a Remote Desktop client RCE vulnerability (CVSS 7).
The iSNS Server vulnerability is yet another example, like Log4j, that organizations are subject to vulnerabilities in little-known third-party software components, according to Danny Kim, a principal architect at Virsec, via e-mail:
A recent CVE from Microsoft (CVE-2021-43215) regarding their iSNS server is another example of a RCE vulnerability found in 3rd party software. This vulnerability allows a user with a specially crafted input to execute arbitrary code on the host.
The iSNS Server vulnerability enables a "low complexity attack," according to Automox's Aleks Haugom. "A successful attack requires no user interaction and allows the attacker to execute arbitrary code," Haugom added.
Publicly Known Microsoft Vulnerabilities
The six Important publicly known vulnerabilities getting patches in this month's Microsoft bundle include the following (plus the above-described CVE-2021-43890 Windows AppX Installer flaw):
IT pros may be experiencing some déjà vu with yet another Windows Print Spooler patch this month (think "PrintNightmare"). It's yet another one to patch, according to Automox's Chad McNaughton:
CVE-2021-41333 feels like a bad re-run, as it's yet another Windows Print Spooler vulnerability. Much like previous Print Spooler CVEs, this is a low-privilege/low-complexity, network-level remote code execution (RCE) vulnerability that requires no user interaction. Exploiting this vulnerability would allow an attacker to execute remote code on the targeted Windows device.
Year-End Tallies of Microsoft Patches
Microsoft issued patches for 887 CVEs this year, which represents "a 29% decrease from 2020," according to Trend Micro's count reported by Childs. He excluded some Edge patches released before update Tuesday in figuring that overall number.
Automox counted a total of 892 vulnerabilities patched by Microsoft this year, with 101 rated Critical and 23 known to have been exploited for the year. Microsoft's high point (or low point security wise) came in July, with a whopping 116 CVEs and 12 Critical vulnerabilities addressed, according to Automox, which offers a nice graph showing Microsoft's annual patch performance.
As usual, Microsoft is mum on counting its own patches. Microsoft's official publication is its sprawling Security Update Guide, which offers boilerplate descriptions of the fixes. Microsoft's "Release Notes" for December summarizes the affected software and lists "known issues," plus mitigations, workarounds and FAQs.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.