Microsoft released patches for 67 CVEs in its December 2021 Patch Tuesday update. Of the 67 vulnerabilities, 60 were rated important and seven critical. Six zero-day vulnerabilities, which were being exploited in the wild, have also been fixed.
The December 2021 Patch Tuesday update resolved vulnerabilities affecting Microsoft Office, Microsoft PowerShell, the Chromium-based Edge browser, the Windows Kernel, Print Spooler, and Remote Desktop Client.
- CVE-2021-43890: A spoofing vulnerability in Windows AppX Installer is a zero-day vulnerability under active exploitation. Microsoft says that it is “aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader.” This could be used to launch phishing campaigns.
- CVE-2021-41333: The Windows Print Spooler Elevation of Privilege Vulnerability has been made public and has low attack complexity.
- CVE-2021-43880: The Windows Mobile Device Management Elevation of Privilege (EoP) Vulnerability has been made public but has not been exploited. An attacker can only delete targeted files on a system; they cannot gain the privileges needed to view or modify file contents.
- CVE-2021-43893: The Windows Encrypting File System (EFS) Elevation of Privilege Vulnerability was reported by James Forshaw of Google Project Zero. The vulnerability has been made public but has not been exploited.
- CVE-2021-43240: The NTFS Set Short Name Elevation of Privilege Vulnerability has been made public but is not known to be exploited.
- CVE-2021-43883: The Windows Installer Elevation of Privilege Vulnerability has been made public but is not known to be exploited.
For #PatchTuesday, @briankrebs shares a round-up of security updates from Microsoft, Adobe, & Google, incl. Microsoft’s fix for patch bypass CVE-2021-43883, an elevation of privilege vuln in Windows Installer.
— Tenable (@TenableSecurity) December 15, 2021
Tenable has identified three vulnerabilities as critical:
- CVE-2021-43215 is a memory corruption vulnerability in the Internet Storage Name Service (iSNS) protocol.
- CVE-2021-43905 is an RCE vulnerability in the Microsoft Office app.
- CVE-2021-43233 is an RCE in the Remote Desktop Client.
Brian Krebs, on krebsonsecurity.com, shared, “The Microsoft patches include six previously disclosed security flaws, and one that is already being actively exploited. This month’s Patch Tuesday is overshadowed by the “Log4Shell” 0-day exploit in a popular Java library that web server administrators are now racing to find and patch amid widespread exploitation of the flaw.”
The remote code execution (RCE) vulnerability “Log4Shell” in the Apache Log4j library allows attackers to execute arbitrary code and take full control of vulnerable devices. Log4j is a popular Java logging library used by numerous organizations worldwide to provide logging in a wide range of popular applications. It is being viewed as one of the most devastating flaws in recent memory, and we have only begun to explore the tip of the iceberg. Read the full story here.