Report Name: Microsoft Patch Tuesday, December 2021
Generated: 2021-12-16 00:36:06

Product Name	Prevalence	U	C	H	M	L	Comment
Microsoft Message Queuing	0.9				2		Microsoft Message Queuing or MSMQ is a message queue implementation developed by Microsoft and deployed in its Windows Server operating systems since Windows NT 4 and Windows 95
SymCrypt	0.9			1			SymCrypt is the core cryptographic function library currently used by Windows
Windows AppX Installer	0.9			1			Windows AppX Installer is a utility for side-loading Windows 10 apps, available on the App Store
Windows Encrypting File System	0.9			1	1		Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption
Windows Kernel	0.9				5		Windows Kernel
Windows TCP/IP Driver	0.9				1		A kernel mode driver
ASP.NET Core	0.8				1		An open-source, server-side web-application framework designed for web development
DirectX Graphics Kernel	0.8				1		DirectX Graphics Kernel
Microsoft BizTalk ESB Toolkit	0.8				1		The Microsoft BizTalk ESB Toolkit uses BizTalk Server to support a loosely coupled messaging architectur
Microsoft Defender	0.8				1		Anti-malware component of Microsoft Windows
Microsoft Defender for IoT	0.8			8	1		Microsoft Defender for IoT provides comprehensive threat detection for IoT/OT environments
Microsoft Edge	0.8				4	1	Web browser
Microsoft Local Security Authority Server	0.8				1		Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system
Microsoft PowerShell	0.8				1		PowerShell or Microsoft PowerShell (formerly Windows PowerShell) is a task automation and configuration management program from Microsoft, consisting of a command-line shell and the associated scripting language
Storage Spaces Controller	0.8				2		Storage Spaces Controller
Visual Basic for Applications	0.8				1		Visual Basic for Applications is a computer programming language developed and owned by Microsoft
Windows Common Log File System Driver	0.8				3		Windows component
Windows Event Tracing	0.8			1			Windows Event Tracing
Windows Fax Service	0.8			1			Windows Fax Service
Windows Installer	0.8				1		Windows Installer
Windows Media	0.8				1		Windows component
Windows NTFS	0.8				4		The default file system of the Windows NT family
Windows Print Spooler	0.8				1		Windows component
Windows Recovery Environment Agent	0.8				1		Windows component
Windows Remote Access Connection Manager	0.8				1		Windows component
Windows Remote Desktop Client	0.8			1			Remote Desktop Protocol Client
iSNS Server	0.8			1			An iSNS server uses the Internet Storage Name Service protocol to maintain information about active iSCSI devices on the network, including their IP addresses, iSCSI node names, and portal groups
HEVC Video Extensions	0.7			3			HEVC Video Extensions
Microsoft Jet Red Database Engine and Access Connectivity Engine	0.7				1		Microsoft Jet Red Database Engine and Access Connectivity Engine
Microsoft SharePoint	0.7			2	2		Microsoft SharePoint
VP9 Video Extensions	0.7				1		VP9 is an open and royalty-free video coding format developed by Google
Web Media Extensions	0.7			1			Web Media Extensions
Windows Mobile Device Management	0.7				1		Windows Mobile Device Management
Microsoft Excel	0.6			1			MS Office product
Microsoft Office	0.6			1	1		Microsoft Office
Microsoft Office Graphics	0.6			1			Microsoft Office Graphics
Windows Hyper-V	0.6				1		Hardware virtualization component of the client editions of Windows NT
Bot Framework SDK	0.4				1		Bot Framework SDK
Microsoft 4K Wireless Display Adapter	0.3				1		Microsoft device that can display wirelessly to a 4K TV or monitor over Miracast
Visual Studio Code	0.3				2	1	Integrated development environment

Vulnerability Type	Criticality	U	C	H	M	L	Comment
Remote Code Execution	1.0			22	4		Remote Code Execution
Denial of Service	0.7			1	2		Denial of Service
Memory Corruption	0.6				4		Memory Corruption
Elevation of Privilege	0.5				21		Elevation of Privilege
Information Disclosure	0.4				10		Information Disclosure
Spoofing	0.4			1	5	1	Spoofing
Unknown Vulnerability Type	0					1	Unknown Vulnerability Type

Urgent (0)

Critical (0)

High (24)

1. Spoofing - Windows AppX Installer (CVE-2021-43890) - High [589]

Description: Windows AppX Installer Spoofing Vulnerability. We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader. An attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Please see the Security Updates table for the link to the updated app. Alternatively you can download and install the Installer using the links provded in the FAQ section. Please see the Mitigations and Workaround sections for important information about steps you can take to protect your system from this vulnerability.

qualys: CVE-2021-43890 | Windows AppX Installer Spoofing Vulnerability. This vulnerability CVSS 7.1 is a Zero-Day known to be an actively exploited spoofing vulnerability in the AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader.

tenable: CVE-2021-43890 is a spoofing vulnerability in the Windows AppX Installer, which is used to install AppX apps on Windows 10 systems. According to reports, this vulnerability has been exploited in the wild. It has been linked to attacks associated with the Emotet/TrickBot/Bazaloader family. To exploit this vulnerability, an attacker would need to convince a user to open a malicious attachment, which would likely be conducted through a phishing attack. Once exploited, the vulnerability would grant an attacker elevated privileges, particularly when the victim’s account has administrative privileges on the system. If patching isn’t an option, Microsoft has provided some workarounds to protect against the exploitation of this vulnerability.

rapid7: This month’s Patch Tuesday comes in the middle of a global effort to mitigate Apache Log4j CVE-2021-44228. In today’s security release, Microsoft issued fixes for 83 vulnerabilities across an array of products — including a fix for Windows Defender for IoT, which is vulnerable to CVE-2021-44228 amongst seven other remote code execution (RCE) vulnerabilities (the cloud service is not affected). Six CVEs in the bulletin have been publicly disclosed; the only vulnerability noted as being exploited in the wild in this month’s release is CVE-2021-43890, a Windows AppX Installer spoofing bug that may aid in social engineering attacks and has evidently been used in Emotet malware campaigns.

zdi: CVE-2021-43890 - Windows AppX Installer Spoofing Vulnerability. Emotet is like that holiday guest that just won’t take a hint and leave. This patch fixes a bug in the AppX installer that affects Windows. Microsoft states they have seen the bug used in malware in the Emotet/Trickbot/Bazaloader family. An attacker would need to craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. It seems and code execution would occur at the logged-on user level, so attackers would likely combine this with another bug to take control of a system. This malware family has been going for some time now. It seems like it will be around for a bit longer.

2. Remote Code Execution - iSNS Server (CVE-2021-43215) - High [489]

Description: iSNS Server Memory Corruption Vulnerability Can Lead to Remote Code Execution

qualys: CVE-2021-43215 | iSNS Server Memory Corruption Vulnerability Can Lead to Remote Code Execution. This is a Remote Code Execution (RCE) vulnerability targeting the Internet Storage Name Service (iSNS) protocol. iSNS is used for interaction between iSNS servers and iSNS clients. An attacker could send a specially crafted request to the Internet Storage Name Service (iSNS) server, which could result in remote code execution. At CVSS 9.8, this critical vulnerability should be prioritized and patched quickly.

tenable: CVE-2021-43215 is a memory corruption vulnerability in the Internet Storage Name Service (iSNS) protocol. The iSNS protocol is used to facilitate communication between iSNS servers and clients. A remote, unauthenticated attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable iSNS server. Successful exploitation would give an attacker remote code execution on the iSNS server. The vulnerability was assigned a CVSSv3 score of 9.8 out of 10 and is rated “Exploitation More Likely” according to Microsoft’s Exploitability Index. Fortunately, iSNS is not installed on Windows systems by default.

zdi: CVE-2021-43215 – iSNS Server Remote Code Execution Vulnerability. This patch fixes a bug in the Internet Storage Name Service (iSNS) server that could allow remote code execution if an attacker sends a specially crafted request to an affected server. If you aren’t familiar with it, iSNS is a protocol that enables automated discovery and management of iSCSI devices on a TCP/IP storage network. In other words, if you’re running a SAN in your enterprise, you either have an iSNS server or you configure each of the logical interfaces individually. This bug is one of three CVSS 9.8 bugs fixed this month. If you have a SAN, prioritize testing and deploying this patch.

3. Remote Code Execution - Windows Encrypting File System (CVE-2021-43217) - High [481]

Description: Windows Encrypting File System (EFS) Remote Code Execution Vulnerability

qualys: CVE-2021-43217 | Windows Encrypting File System (EFS) Remote Code Execution Vulnerability. This is a Remote Code Execution (RCE) vulnerability targeting Encrypting File System (EFS) where an attacker could cause a buffer overflow write leading to unauthenticated non-sandboxed code execution, and with a CVSS score of 8.1, its important to patch quickly.

qualys: For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see KB5009763: EFS security hardening changes in CVE-2021-43217.

4. Remote Code Execution - Microsoft Defender for IoT (CVE-2021-41365) - High [475]

Description: Microsoft Defender for IoT Remote Code Execution Vulnerability

5. Remote Code Execution - Microsoft Defender for IoT (CVE-2021-42311) - High [475]

Description: Microsoft Defender for IoT Remote Code Execution Vulnerability

6. Remote Code Execution - Microsoft Defender for IoT (CVE-2021-42313) - High [475]

Description: Microsoft Defender for IoT Remote Code Execution Vulnerability

7. Remote Code Execution - Microsoft Defender for IoT (CVE-2021-42314) - High [475]

Description: Microsoft Defender for IoT Remote Code Execution Vulnerability

8. Remote Code Execution - Microsoft Defender for IoT (CVE-2021-42315) - High [475]

Description: Microsoft Defender for IoT Remote Code Execution Vulnerability

9. Remote Code Execution - Microsoft Defender for IoT (CVE-2021-43882) - High [475]

Description: Microsoft Defender for IoT Remote Code Execution Vulnerability

10. Remote Code Execution - Microsoft Defender for IoT (CVE-2021-42310) - High [462]

Description: Microsoft Defender for IoT Remote Code Execution Vulnerability

11. Remote Code Execution - Windows Event Tracing (CVE-2021-43232) - High [462]

Description: Windows Event Tracing Remote Code Execution Vulnerability

12. Remote Code Execution - Windows Remote Desktop Client (CVE-2021-43233) - High [462]

Description: Remote Desktop Client Remote Code Execution Vulnerability

qualys: CVE-2021-43233 | Remote Desktop Client Remote Code Execution Vulnerability. This is a critical Remote Code Execution (RCE) vulnerability included in the monthly rollup for Windows, with a CVSS score of 7.5, this too tops the list of vulnerabilities needing to be patched quickly.

tenable: CVE-2021-43233 is a RCE in the Remote Desktop Client that received a CVSSv3 score of 7.5. Given past attacks against Remote Desktop Protocol (RDP), it is no surprise that Microsoft rated this “Exploitation More Likely.” Exploiting this flaw would require a vulnerable target to connect to a malicious RDP server. Successful exploitation would allow an attacker to execute arbitrary code on the machine of the connected client.

13. Remote Code Execution - Windows Fax Service (CVE-2021-43234) - High [462]

Description: Windows Fax Service Remote Code Execution Vulnerability

14. Remote Code Execution - Microsoft SharePoint (CVE-2021-42309) - High [456]

Description: Microsoft SharePoint Server Remote Code Execution Vulnerability

zdi: CVE-2021-42309 – Microsoft SharePoint Server Remote Code Execution Vulnerability. This patch fixes a bug reported through the ZDI program. The vulnerability allows a user to elevate and execute code in the context of the service account. An attacker would need “Manage Lists” permissions on a SharePoint site, but by default, any authorized user can create their own new site where they have full permissions. This bug allows an attacker to bypass the restriction against running arbitrary server-side web controls. This is similar to the previously patched CVE-2021-28474. However, in this case, the unsafe control is “smuggled” in a property of an allowed control.

15. Remote Code Execution - Microsoft Office (CVE-2021-43905) - High [451]

Description: Microsoft Office app Remote Code Execution Vulnerability

qualys: CVE-2021-43905 | Microsoft Office app Remote Code Execution Vulnerability. This is an unauthenticated Remote Code Execution (RCE) vulnerability in the Microsoft Office app, important to patch quickly, as it has a high CVSS score of 9.6.

tenable: CVE-2021-43905 is a RCE vulnerability in the Microsoft Office app. It was assigned a CVSSv3 score of 9.6 and is rated “Exploitation More Likely.” To exploit this vulnerability, an attacker would have to create a malicious Microsoft Office document and convince a user through social engineering to open the document. Microsoft says that the Preview Pane is not an attack vector, which means exploitation requires opening the document, not merely previewing it. Because this vulnerability exists in the Microsoft Office app, the patch for this flaw will be distributed through the Microsoft Store as part of an automatic update.

16. Remote Code Execution - Microsoft Defender for IoT (CVE-2021-43889) - High [448]

Description: Microsoft Defender for IoT Remote Code Execution Vulnerability

17. Remote Code Execution - HEVC Video Extensions (CVE-2021-40452) - High [443]

Description: HEVC Video Extensions Remote Code Execution Vulnerability

18. Remote Code Execution - HEVC Video Extensions (CVE-2021-40453) - High [443]

Description: HEVC Video Extensions Remote Code Execution Vulnerability

19. Remote Code Execution - HEVC Video Extensions (CVE-2021-41360) - High [443]

Description: HEVC Video Extensions Remote Code Execution Vulnerability

20. Remote Code Execution - Web Media Extensions (CVE-2021-43214) - High [443]

Description: Web Media Extensions Remote Code Execution Vulnerability

21. Remote Code Execution - Microsoft SharePoint (CVE-2021-42294) - High [429]

Description: Microsoft SharePoint Server Remote Code Execution Vulnerability

22. Remote Code Execution - Microsoft Excel (CVE-2021-43256) - High [424]

Description: Microsoft Excel Remote Code Execution Vulnerability

23. Remote Code Execution - Microsoft Office Graphics (CVE-2021-43875) - High [424]

Description: Microsoft Office Graphics Remote Code Execution Vulnerability

24. Denial of Service - SymCrypt (CVE-2021-43228) - High [420]

Description: SymCrypt Denial of Service Vulnerability

Medium (46)

25. Remote Code Execution - Microsoft 4K Wireless Display Adapter (CVE-2021-43899) - Medium [394]

Description: Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability

zdi: CVE-2021-43899 – Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability. This update fixes a vulnerability that could allow an unauthenticated attacker to execute their code on an affected device. The attacker would need to be on the same network as the Microsoft 4K Display Adapter. If they are, they could send specially crafted packets to the affected device. Patching this won’t be an easy chore. To be protected, users need to install the Microsoft Wireless Display Adapter application from the Microsoft Store onto a system connected to the Microsoft 4K Wireless Display Adapter. Only then can the use the “Update & Security” section of the app to download the latest firmware to mitigate this bug. This is the second CVSS 9.8 bug being patched this month.

26. Remote Code Execution - Visual Studio Code (CVE-2021-43907) - Medium [394]

Description: Visual Studio Code WSL Extension Remote Code Execution Vulnerability

zdi: CVE-2021-43907 – Visual Studio Code WSL Extension Remote Code Execution Vulnerability. This is the final CVSS 9.8 vulnerability being patched this month. The impacted component lets users use the Windows Subsystem for Linux (WSL) as a full-time development environment from Visual Studio Code. It allows you to develop in a Linux-based environment, use Linux-specific toolchains and utilities, and run and debug Linux-based applications all from within Windows. That sort of cross-platform functionality is used by many in the DevOps community. This patch fixes a remote code execution bug in the extension, but Microsoft doesn’t specify exactly how that code execution could occur. They do list it as unauthenticated and requires no user interaction, so if you use this extension, get this update tested and deployed quickly.

27. Denial of Service - DirectX Graphics Kernel (CVE-2021-43219) - Medium [387]

Description: DirectX Graphics Kernel File Denial of Service Vulnerability

28. Remote Code Execution - Bot Framework SDK (CVE-2021-43225) - Medium [386]

Description: Bot Framework SDK Remote Code Execution Vulnerability

29. Elevation of Privilege - Windows Kernel (CVE-2021-43237) - Medium [379]

Description: Windows Setup Elevation of Privilege Vulnerability

30. Elevation of Privilege - Windows Kernel (CVE-2021-43238) - Medium [379]

Description: Windows Remote Access Elevation of Privilege Vulnerability

31. Elevation of Privilege - Windows Kernel (CVE-2021-43245) - Medium [379]

Description: Windows Digital TV Tuner Elevation of Privilege Vulnerability

32. Elevation of Privilege - Windows TCP/IP Driver (CVE-2021-43247) - Medium [379]

Description: Windows TCP/IP Driver Elevation of Privilege Vulnerability

33. Elevation of Privilege - Windows Kernel (CVE-2021-43248) - Medium [379]

Description: Windows Digital Media Receiver Elevation of Privilege Vulnerability

34. Elevation of Privilege - Windows Encrypting File System (CVE-2021-43893) - Medium [379]

Description: Windows Encrypting File System (EFS) Elevation of Privilege Vulnerability

35. Remote Code Execution - Visual Studio Code (CVE-2021-43891) - Medium [367]

Description: Visual Studio Code Remote Code Execution Vulnerability

36. Elevation of Privilege - Windows Media (CVE-2021-40441) - Medium [360]

Description: Windows Media Center Elevation of Privilege Vulnerability

37. Elevation of Privilege - Windows Print Spooler (CVE-2021-41333) - Medium [360]

Description: Windows Print Spooler Elevation of Privilege Vulnerability

qualys: CVE-2021-41333 | Windows Print Spooler Elevation of Privilege Vulnerability. This Windows Print Spooler Elevation of Privilege vulnerability has been made public and has low attack complexity, along with a CVSS score of 7.8, which necessitates patching quickly.

tenable: CVE-2021-41333 is an EoP vulnerability in Windows Print Spooler that received a CVSSv3 rating of 7.8 and was marked “Exploitation More Likely.” Discovery of this vulnerability is credited to Abdelhamid Naceri with Trend Micro Zero Day Initiative, who is credited with two other vulnerabilities patched this month, and James Forshaw of Google Project Zero. This is just the latest in a series of vulnerabilities disclosed in Windows Print Spooler this year. Given the mass exploitation of prior Print Spooler vulnerabilities, users should apply these patches as soon as possible.

38. Elevation of Privilege - Microsoft Defender (CVE-2021-42312) - Medium [360]

Description: Microsoft Defender for IOT Elevation of Privilege Vulnerability

39. Elevation of Privilege - Windows Common Log File System Driver (CVE-2021-43207) - Medium [360]

Description: Windows Common Log File System Driver Elevation of Privilege Vulnerability

40. Elevation of Privilege - Windows Remote Access Connection Manager (CVE-2021-43223) - Medium [360]

Description: Windows Remote Access Connection Manager Elevation of Privilege Vulnerability

41. Elevation of Privilege - Windows Common Log File System Driver (CVE-2021-43226) - Medium [360]

Description: Windows Common Log File System Driver Elevation of Privilege Vulnerability

42. Elevation of Privilege - Windows NTFS (CVE-2021-43229) - Medium [360]

Description: Windows NTFS Elevation of Privilege Vulnerability

43. Elevation of Privilege - Windows NTFS (CVE-2021-43230) - Medium [360]

Description: Windows NTFS Elevation of Privilege Vulnerability

44. Elevation of Privilege - Windows NTFS (CVE-2021-43231) - Medium [360]

Description: Windows NTFS Elevation of Privilege Vulnerability

45. Elevation of Privilege - Windows NTFS (CVE-2021-43240) - Medium [360]

Description: NTFS Set Short Name Elevation of Privilege Vulnerability

tenable: CVE-2021-43240 is an EoP vulnerability in the New Technology File System (NTFS) set short name function. It received a CVSSv3 score of 7.8 and was rated “Exploitation Less Likely.” Despite being listed as publicly disclosed, discovery of this vulnerability was not credited to anyone. Earlier this year, another EoP flaw in the NFTS, CVE-2021-31956 was exploited as a zero day.

46. Elevation of Privilege - ASP.NET Core (CVE-2021-43877) - Medium [360]

Description: ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability

47. Elevation of Privilege - Windows Installer (CVE-2021-43883) - Medium [360]

Description: Windows Installer Elevation of Privilege Vulnerability

tenable: CVE-2021-43883 is an EoP vulnerability in Windows Installer. It appears this may address a patch bypass for CVE-2021-41379, publicly disclosed by Abdelhamid Naceri in November. At that time, Naceri also disclosed a separate zero day that does not appear to have been patched. However, Naceri is not credited with CVE-2021-43883, despite being credited with three other CVEs in this month’s release. CVE-2021-43883 received a CVSSv3 score of 7.8 and was marked “Exploitation More Likely,” indicating it is more severe than the original vulnerability. To exploit this vulnerability, an attacker would need to convince the target to open a specially crafted installer in order to gain elevated privileges.

rapid7: Interestingly, this round of fixes also includes CVE-2021-43883, a Windows Installer privilege escalation bug whose advisory is sparse despite the fact that it appears to affect all supported versions of Windows. While there’s no indication in the advisory that the two vulnerabilities are related, CVE-2021-43883 looks an awful lot like the fix for a zero-day vulnerability that made a splash in the security community last month after proof-of-concept exploit code was released and in-the-wild attacks began. The zero-day vulnerability, which researchers hypothesized was a patch bypass for CVE-2021-41379, allowed low-privileged attackers to overwrite protected files and escalate to SYSTEM. Rapid7’s vulnerability research team did a full root cause analysis of the bug as attacks ramped up in November.

rapid7: As usual, RCE flaws figure prominently in the “Critical”-rated CVEs this month. In addition to Windows Defender for IoT, critical RCE bugs were fixed this month in Microsoft Office, Microsoft Devices, Internet Storage Name Service (iSNS), and the WSL extension for Visual Studio Code. Given the outsized risk presented by most vulnerable implementations of Log4Shell, administrators should prioritize patches for any products affected by CVE-2021-44228. Past that, put critical server-side and OS RCE patches at the top of your list, and we’d advise sneaking in the fix for CVE-2021-43883 despite its lower severity rating.

48. Information Disclosure - Microsoft Message Queuing (CVE-2021-43222) - Medium [359]

Description: Microsoft Message Queuing Information Disclosure Vulnerability

49. Information Disclosure - Microsoft Message Queuing (CVE-2021-43236) - Medium [359]

Description: Microsoft Message Queuing Information Disclosure Vulnerability

50. Elevation of Privilege - Windows Recovery Environment Agent (CVE-2021-43239) - Medium [347]

Description: Windows Recovery Environment Agent Elevation of Privilege Vulnerability

51. Information Disclosure - Windows Kernel (CVE-2021-43244) - Medium [345]

Description: Windows Kernel Information Disclosure Vulnerability

52. Information Disclosure - Microsoft Defender for IoT (CVE-2021-43888) - Medium [340]

Description: Microsoft Defender for IoT Information Disclosure Vulnerability

53. Denial of Service - Windows Hyper-V (CVE-2021-43246) - Medium [336]

Description: Windows Hyper-V Denial of Service Vulnerability

54. Elevation of Privilege - Microsoft Jet Red Database Engine and Access Connectivity Engine (CVE-2021-42293) - Medium [328]

Description: Microsoft Jet Red Database Engine and Access Connectivity Engine Elevation of Privilege Vulnerability

55. Information Disclosure - Microsoft Local Security Authority Server (CVE-2021-43216) - Medium [327]

Description: Microsoft Local Security Authority Server (lsasrv) Information Disclosure Vulnerability

56. Spoofing - Microsoft BizTalk ESB Toolkit (CVE-2021-43892) - Medium [327]

Description: Microsoft BizTalk ESB Toolkit Spoofing Vulnerability

57. Spoofing - Microsoft SharePoint (CVE-2021-42320) - Medium [321]

Description: Microsoft SharePoint Server Spoofing Vulnerability

58. Spoofing - Microsoft SharePoint (CVE-2021-43242) - Medium [321]

Description: Microsoft SharePoint Server Spoofing Vulnerability

59. Elevation of Privilege - Windows Mobile Device Management (CVE-2021-43880) - Medium [314]

Description: Windows Mobile Device Management Elevation of Privilege Vulnerability

60. Information Disclosure - Visual Basic for Applications (CVE-2021-42295) - Medium [313]

Description: Visual Basic for Applications Information Disclosure Vulnerability

61. Information Disclosure - Windows Common Log File System Driver (CVE-2021-43224) - Medium [313]

Description: Windows Common Log File System Driver Information Disclosure Vulnerability

62. Information Disclosure - Storage Spaces Controller (CVE-2021-43227) - Medium [313]

Description: Storage Spaces Controller Information Disclosure Vulnerability

63. Information Disclosure - Storage Spaces Controller (CVE-2021-43235) - Medium [313]

Description: Storage Spaces Controller Information Disclosure Vulnerability

64. Spoofing - Microsoft PowerShell (CVE-2021-43896) - Medium [313]

Description: Microsoft PowerShell Spoofing Vulnerability

65. Information Disclosure - VP9 Video Extensions (CVE-2021-43243) - Medium [294]

Description: VP9 Video Extensions Information Disclosure Vulnerability

66. Spoofing - Microsoft Office (CVE-2021-43255) - Medium [275]

Description: Microsoft Office Trust Center Spoofing Vulnerability

67. Memory Corruption - Microsoft Edge (CVE-2021-4099) - Medium [272]

Description: Chromium: CVE-2021-4099 Use after free in Swiftshader. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

68. Memory Corruption - Microsoft Edge (CVE-2021-4100) - Medium [272]

Description: Chromium: CVE-2021-4100 Object lifecycle issue in ANGLE. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

69. Memory Corruption - Microsoft Edge (CVE-2021-4101) - Medium [272]

Description: Chromium: CVE-2021-4101 Heap buffer overflow in Swiftshader. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

70. Memory Corruption - Microsoft Edge (CVE-2021-4102) - Medium [272]

Description: Chromium: CVE-2021-4102 Use after free in V8. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware of reports that an exploit for CVE-2021-4102 exists in the wild.

zdi: Google is another vendor that doesn’t follow the patch Tuesday release cycle but still managed to release a significant update yesterday. The Chrome Stable channel has been updated to 96.0.4664.110, and the patch includes five security fixes. One of these bugs, CVE-2021-4102, a use-after-free bug in V8, is listed as having exploits in the wild. Three other High severity and one Critical severity bugs are also addressed. Tis the season to be shopping online. Make sure your browser is up to date as you do so. These bugs are not included in the Edge (Chromium-based) updates discussed below. If you’re interested in other V8 bugs, check out this series of blogs recently published by ZDI vulnerability researcher Hossein Lotfi.

Low (2)

71. Spoofing - Visual Studio Code (CVE-2021-43908) - Low [191]

Description: Visual Studio Code Spoofing Vulnerability

72. Unknown Vulnerability Type - Microsoft Edge (CVE-2021-4098) - Low [151]

Description: {'ms_cve_data_all': 'Chromium: CVE-2021-4098 Insufficient data validation in Mojo. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. ', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': '', 'combined_cve_data_all': ''}

Exploitation in the wild detected (1)

Spoofing (1)

• Windows AppX Installer (CVE-2021-43890)

qualys: CVE-2021-43890 | Windows AppX Installer Spoofing Vulnerability. This vulnerability CVSS 7.1 is a Zero-Day known to be an actively exploited spoofing vulnerability in the AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader.

tenable: CVE-2021-43890 is a spoofing vulnerability in the Windows AppX Installer, which is used to install AppX apps on Windows 10 systems. According to reports, this vulnerability has been exploited in the wild. It has been linked to attacks associated with the Emotet/TrickBot/Bazaloader family. To exploit this vulnerability, an attacker would need to convince a user to open a malicious attachment, which would likely be conducted through a phishing attack. Once exploited, the vulnerability would grant an attacker elevated privileges, particularly when the victim’s account has administrative privileges on the system. If patching isn’t an option, Microsoft has provided some workarounds to protect against the exploitation of this vulnerability.

rapid7: This month’s Patch Tuesday comes in the middle of a global effort to mitigate Apache Log4j CVE-2021-44228. In today’s security release, Microsoft issued fixes for 83 vulnerabilities across an array of products — including a fix for Windows Defender for IoT, which is vulnerable to CVE-2021-44228 amongst seven other remote code execution (RCE) vulnerabilities (the cloud service is not affected). Six CVEs in the bulletin have been publicly disclosed; the only vulnerability noted as being exploited in the wild in this month’s release is CVE-2021-43890, a Windows AppX Installer spoofing bug that may aid in social engineering attacks and has evidently been used in Emotet malware campaigns.

zdi: CVE-2021-43890 - Windows AppX Installer Spoofing Vulnerability. Emotet is like that holiday guest that just won’t take a hint and leave. This patch fixes a bug in the AppX installer that affects Windows. Microsoft states they have seen the bug used in malware in the Emotet/Trickbot/Bazaloader family. An attacker would need to craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. It seems and code execution would occur at the logged-on user level, so attackers would likely combine this with another bug to take control of a system. This malware family has been going for some time now. It seems like it will be around for a bit longer.

Public exploit exists, but exploitation in the wild is NOT detected (0)

Other Vulnerabilities (71)

Remote Code Execution (26)

• iSNS Server (CVE-2021-43215)

qualys: CVE-2021-43215 | iSNS Server Memory Corruption Vulnerability Can Lead to Remote Code Execution. This is a Remote Code Execution (RCE) vulnerability targeting the Internet Storage Name Service (iSNS) protocol. iSNS is used for interaction between iSNS servers and iSNS clients. An attacker could send a specially crafted request to the Internet Storage Name Service (iSNS) server, which could result in remote code execution. At CVSS 9.8, this critical vulnerability should be prioritized and patched quickly.

tenable: CVE-2021-43215 is a memory corruption vulnerability in the Internet Storage Name Service (iSNS) protocol. The iSNS protocol is used to facilitate communication between iSNS servers and clients. A remote, unauthenticated attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable iSNS server. Successful exploitation would give an attacker remote code execution on the iSNS server. The vulnerability was assigned a CVSSv3 score of 9.8 out of 10 and is rated “Exploitation More Likely” according to Microsoft’s Exploitability Index. Fortunately, iSNS is not installed on Windows systems by default.

zdi: CVE-2021-43215 – iSNS Server Remote Code Execution Vulnerability. This patch fixes a bug in the Internet Storage Name Service (iSNS) server that could allow remote code execution if an attacker sends a specially crafted request to an affected server. If you aren’t familiar with it, iSNS is a protocol that enables automated discovery and management of iSCSI devices on a TCP/IP storage network. In other words, if you’re running a SAN in your enterprise, you either have an iSNS server or you configure each of the logical interfaces individually. This bug is one of three CVSS 9.8 bugs fixed this month. If you have a SAN, prioritize testing and deploying this patch.

• Windows Encrypting File System (CVE-2021-43217)

qualys: CVE-2021-43217 | Windows Encrypting File System (EFS) Remote Code Execution Vulnerability. This is a Remote Code Execution (RCE) vulnerability targeting Encrypting File System (EFS) where an attacker could cause a buffer overflow write leading to unauthenticated non-sandboxed code execution, and with a CVSS score of 8.1, its important to patch quickly.

qualys: For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see KB5009763: EFS security hardening changes in CVE-2021-43217.

• Microsoft Defender for IoT (CVE-2021-41365, CVE-2021-42310, CVE-2021-42311, CVE-2021-42313, CVE-2021-42314, CVE-2021-42315, CVE-2021-43882, CVE-2021-43889)
• Windows Event Tracing (CVE-2021-43232)
• Windows Fax Service (CVE-2021-43234)
• Windows Remote Desktop Client (CVE-2021-43233)

qualys: CVE-2021-43233 | Remote Desktop Client Remote Code Execution Vulnerability. This is a critical Remote Code Execution (RCE) vulnerability included in the monthly rollup for Windows, with a CVSS score of 7.5, this too tops the list of vulnerabilities needing to be patched quickly.

tenable: CVE-2021-43233 is a RCE in the Remote Desktop Client that received a CVSSv3 score of 7.5. Given past attacks against Remote Desktop Protocol (RDP), it is no surprise that Microsoft rated this “Exploitation More Likely.” Exploiting this flaw would require a vulnerable target to connect to a malicious RDP server. Successful exploitation would allow an attacker to execute arbitrary code on the machine of the connected client.

• Microsoft SharePoint (CVE-2021-42294, CVE-2021-42309)

zdi: CVE-2021-42309 – Microsoft SharePoint Server Remote Code Execution Vulnerability. This patch fixes a bug reported through the ZDI program. The vulnerability allows a user to elevate and execute code in the context of the service account. An attacker would need “Manage Lists” permissions on a SharePoint site, but by default, any authorized user can create their own new site where they have full permissions. This bug allows an attacker to bypass the restriction against running arbitrary server-side web controls. This is similar to the previously patched CVE-2021-28474. However, in this case, the unsafe control is “smuggled” in a property of an allowed control.

• Microsoft Office (CVE-2021-43905)

qualys: CVE-2021-43905 | Microsoft Office app Remote Code Execution Vulnerability. This is an unauthenticated Remote Code Execution (RCE) vulnerability in the Microsoft Office app, important to patch quickly, as it has a high CVSS score of 9.6.

tenable: CVE-2021-43905 is a RCE vulnerability in the Microsoft Office app. It was assigned a CVSSv3 score of 9.6 and is rated “Exploitation More Likely.” To exploit this vulnerability, an attacker would have to create a malicious Microsoft Office document and convince a user through social engineering to open the document. Microsoft says that the Preview Pane is not an attack vector, which means exploitation requires opening the document, not merely previewing it. Because this vulnerability exists in the Microsoft Office app, the patch for this flaw will be distributed through the Microsoft Store as part of an automatic update.

• HEVC Video Extensions (CVE-2021-40452, CVE-2021-40453, CVE-2021-41360)
• Web Media Extensions (CVE-2021-43214)
• Microsoft Excel (CVE-2021-43256)
• Microsoft Office Graphics (CVE-2021-43875)
• Microsoft 4K Wireless Display Adapter (CVE-2021-43899)

zdi: CVE-2021-43899 – Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability. This update fixes a vulnerability that could allow an unauthenticated attacker to execute their code on an affected device. The attacker would need to be on the same network as the Microsoft 4K Display Adapter. If they are, they could send specially crafted packets to the affected device. Patching this won’t be an easy chore. To be protected, users need to install the Microsoft Wireless Display Adapter application from the Microsoft Store onto a system connected to the Microsoft 4K Wireless Display Adapter. Only then can the use the “Update & Security” section of the app to download the latest firmware to mitigate this bug. This is the second CVSS 9.8 bug being patched this month.

• Visual Studio Code (CVE-2021-43891, CVE-2021-43907)

zdi: CVE-2021-43907 – Visual Studio Code WSL Extension Remote Code Execution Vulnerability. This is the final CVSS 9.8 vulnerability being patched this month. The impacted component lets users use the Windows Subsystem for Linux (WSL) as a full-time development environment from Visual Studio Code. It allows you to develop in a Linux-based environment, use Linux-specific toolchains and utilities, and run and debug Linux-based applications all from within Windows. That sort of cross-platform functionality is used by many in the DevOps community. This patch fixes a remote code execution bug in the extension, but Microsoft doesn’t specify exactly how that code execution could occur. They do list it as unauthenticated and requires no user interaction, so if you use this extension, get this update tested and deployed quickly.

• Bot Framework SDK (CVE-2021-43225)

Denial of Service (3)

• SymCrypt (CVE-2021-43228)
• DirectX Graphics Kernel (CVE-2021-43219)
• Windows Hyper-V (CVE-2021-43246)

Elevation of Privilege (21)

• Windows Encrypting File System (CVE-2021-43893)
• Windows Kernel (CVE-2021-43237, CVE-2021-43238, CVE-2021-43245, CVE-2021-43248)
• Windows TCP/IP Driver (CVE-2021-43247)
• ASP.NET Core (CVE-2021-43877)
• Microsoft Defender (CVE-2021-42312)
• Windows Common Log File System Driver (CVE-2021-43207, CVE-2021-43226)
• Windows Installer (CVE-2021-43883)

tenable: CVE-2021-43883 is an EoP vulnerability in Windows Installer. It appears this may address a patch bypass for CVE-2021-41379, publicly disclosed by Abdelhamid Naceri in November. At that time, Naceri also disclosed a separate zero day that does not appear to have been patched. However, Naceri is not credited with CVE-2021-43883, despite being credited with three other CVEs in this month’s release. CVE-2021-43883 received a CVSSv3 score of 7.8 and was marked “Exploitation More Likely,” indicating it is more severe than the original vulnerability. To exploit this vulnerability, an attacker would need to convince the target to open a specially crafted installer in order to gain elevated privileges.

rapid7: Interestingly, this round of fixes also includes CVE-2021-43883, a Windows Installer privilege escalation bug whose advisory is sparse despite the fact that it appears to affect all supported versions of Windows. While there’s no indication in the advisory that the two vulnerabilities are related, CVE-2021-43883 looks an awful lot like the fix for a zero-day vulnerability that made a splash in the security community last month after proof-of-concept exploit code was released and in-the-wild attacks began. The zero-day vulnerability, which researchers hypothesized was a patch bypass for CVE-2021-41379, allowed low-privileged attackers to overwrite protected files and escalate to SYSTEM. Rapid7’s vulnerability research team did a full root cause analysis of the bug as attacks ramped up in November.

rapid7: As usual, RCE flaws figure prominently in the “Critical”-rated CVEs this month. In addition to Windows Defender for IoT, critical RCE bugs were fixed this month in Microsoft Office, Microsoft Devices, Internet Storage Name Service (iSNS), and the WSL extension for Visual Studio Code. Given the outsized risk presented by most vulnerable implementations of Log4Shell, administrators should prioritize patches for any products affected by CVE-2021-44228. Past that, put critical server-side and OS RCE patches at the top of your list, and we’d advise sneaking in the fix for CVE-2021-43883 despite its lower severity rating.

• Windows Media (CVE-2021-40441)
• Windows NTFS (CVE-2021-43229, CVE-2021-43230, CVE-2021-43231, CVE-2021-43240)

tenable: CVE-2021-43240 is an EoP vulnerability in the New Technology File System (NTFS) set short name function. It received a CVSSv3 score of 7.8 and was rated “Exploitation Less Likely.” Despite being listed as publicly disclosed, discovery of this vulnerability was not credited to anyone. Earlier this year, another EoP flaw in the NFTS, CVE-2021-31956 was exploited as a zero day.

• Windows Print Spooler (CVE-2021-41333)

qualys: CVE-2021-41333 | Windows Print Spooler Elevation of Privilege Vulnerability. This Windows Print Spooler Elevation of Privilege vulnerability has been made public and has low attack complexity, along with a CVSS score of 7.8, which necessitates patching quickly.

tenable: CVE-2021-41333 is an EoP vulnerability in Windows Print Spooler that received a CVSSv3 rating of 7.8 and was marked “Exploitation More Likely.” Discovery of this vulnerability is credited to Abdelhamid Naceri with Trend Micro Zero Day Initiative, who is credited with two other vulnerabilities patched this month, and James Forshaw of Google Project Zero. This is just the latest in a series of vulnerabilities disclosed in Windows Print Spooler this year. Given the mass exploitation of prior Print Spooler vulnerabilities, users should apply these patches as soon as possible.

• Windows Remote Access Connection Manager (CVE-2021-43223)
• Windows Recovery Environment Agent (CVE-2021-43239)
• Microsoft Jet Red Database Engine and Access Connectivity Engine (CVE-2021-42293)
• Windows Mobile Device Management (CVE-2021-43880)

Information Disclosure (10)

• Microsoft Message Queuing (CVE-2021-43222, CVE-2021-43236)
• Windows Kernel (CVE-2021-43244)
• Microsoft Defender for IoT (CVE-2021-43888)
• Microsoft Local Security Authority Server (CVE-2021-43216)
• Storage Spaces Controller (CVE-2021-43227, CVE-2021-43235)
• Visual Basic for Applications (CVE-2021-42295)
• Windows Common Log File System Driver (CVE-2021-43224)
• VP9 Video Extensions (CVE-2021-43243)

Spoofing (6)

• Microsoft BizTalk ESB Toolkit (CVE-2021-43892)
• Microsoft SharePoint (CVE-2021-42320, CVE-2021-43242)
• Microsoft PowerShell (CVE-2021-43896)
• Microsoft Office (CVE-2021-43255)
• Visual Studio Code (CVE-2021-43908)

Memory Corruption (4)

• Microsoft Edge (CVE-2021-4099, CVE-2021-4100, CVE-2021-4101, CVE-2021-4102)

zdi: Google is another vendor that doesn’t follow the patch Tuesday release cycle but still managed to release a significant update yesterday. The Chrome Stable channel has been updated to 96.0.4664.110, and the patch includes five security fixes. One of these bugs, CVE-2021-4102, a use-after-free bug in V8, is listed as having exploits in the wild. Three other High severity and one Critical severity bugs are also addressed. Tis the season to be shopping online. Make sure your browser is up to date as you do so. These bugs are not included in the Edge (Chromium-based) updates discussed below. If you’re interested in other V8 bugs, check out this series of blogs recently published by ZDI vulnerability researcher Hossein Lotfi.

Unknown Vulnerability Type (1)

• Microsoft Edge (CVE-2021-4098)