-Microsoft Security Updates – December 2021:
Microsoft issued fixes for 67 vulnerabilities in a variety of products in today’s security release, including a fix for Windows Defender for IoT, which is vulnerable to CVE-2021-44228 and seven other remote code execution (RCE) vulnerabilities (the cloud service is not affected). Six CVEs in the bulletin have been publicly disclosed; the only vulnerability noted as being exploited in the wild in this month’s release is CVE-2021-43890 (CVSS score of 7.1), a Windows AppX Installer spoofing bug that may aid in social engineering attacks and has clearly been used in Emotet malware campaigns.
This round of fixes also includes CVE-2021-43883, a Windows Installer privilege escalation bug with a scant advisory even though it appears to affect all supported versions of Windows. CVE-2021-43883 appears to be the fix for a zero-day vulnerability that made headlines last month after proof-of-concept exploit code was released and in-the-wild attacks began, although the advisory gives no indication that the two are related. Researchers hypothesized that the zero-day was a patch bypass for CVE-2021-41379, allowing low-privileged attackers to overwrite protected files and escalate to SYSTEM. As the number of attacks increased in November, vulnerability researchers conducted a thorough root cause analysis of the bug.
-The complete list of critical vulnerabilities for comparison is highlighted below:
| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2021-43215 | iSNS Server Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2021-43899 | Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2021-42310 | Microsoft Defender for IoT Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2021-43905 | Microsoft Office app Remote Code Execution Vulnerability | Critical | 9.6 | No | No | RCE |
| CVE-2021-43233 | Remote Desktop Client Remote Code Execution Vulnerability | Critical | 7 | No | No | RCE |
| CVE-2021-43907 | Visual Studio Code WSL Extension Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2021-43217 | Windows Encrypting File System (EFS) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
This month’s “Critical” rated CVEs include several RCE flaws. In addition to Windows Defender for IoT, critical RCE bugs were fixed this month in Microsoft Office, Microsoft Devices, Internet Storage Name Service (iSNS), and the WSL extension for Visual Studio Code. Given the significant risk posed by the majority of vulnerable Log4Shell implementations, administrators should prioritize patches for any products affected by CVE-2021-44228.