Microsoft released its monthly Patch Tuesday update as per its schedule on 14 November, and with security teams still assessing the fall-out from the Log4Shell Apache Log4j vulnerability (CVE-2021-44228) – probably the most impactful security disclosure since Heartbleed – defenders are coming under increasing pressure and risk burning out.
Microsoft’s December update included fixes for 67 unique common vulnerabilities and exposures (CVEs), seven of them rated critical, six already being actively exploited, including a zero-day that is being used to spread the newly reinvigorated Emotet.
But with the past 24 hours also seeing patch drops from Adobe, Apple, Cisco, Google Chrome, SAP and VMware, Calvin Gan of F-Secure’s Tactical Defence Unit said there was a clear risk that security teams are by now becoming overwhelmed.
“Defenders are battling against time in patching affected systems, which is not as direct as simply upgrading, while also fending off exploitation attempts that have been increasing in recent days,” said Gan.
“The ease of executing the [Log4j] exploit meant that the time to patch has been significantly shorter, combined with the different mass scanning attempts on the internet by various entities, making it much harder for defenders to comb through the logs and identify potential breaches.
“While the full impact is currently unknown, it is anticipated that organisations would have to engage all available resources and work overtime to mitigate this vulnerability, while blocking potential attacks.”
Ivanti’s Chris Goettl added: “Expect a lot of attention to be focused on vendors scrambling to resolve Log4j-related issues, but that said, don’t lose sight of additional Patch updates from Microsoft.
“Efforts to identify, mitigate or remediate the Apache Log4j vulnerability continue. In this case it is leaving a lot of teams frustrated, not knowing exactly what they need to do. The best guidance is to continue to rely on your DevSecOps processes and vulnerability scanning, and supplement this with more direct action as there will likely be gaps for some time in detection.”
Kev Breen, director of cyber threat research at Immersive Labs, said: “I expect many security teams will be heavily invested in a Log4j resolution – but that doesn’t stop the world from turning. As always, you know your risks and your estate, so you should make patching and update decisions accordingly. Take a breath, look at the release from Microsoft, and prioritise or deprioritise accordingly.”
Of the 67 Microsoft CVEs, probably the most worthy of immediate attention is CVE-2021-43890. This is the abovementioned zero-day, a spoofing vulnerability in Windows AppX Installer which, according to Microsoft, has been used to spread malware in the Emotet/Trickbot/Bazarloader family.
Dustin Childs of the Zero Day Initiative explained: “An attacker would need to craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. It seems code execution would occur at the logged-on user level, so attackers would likely combine this with another bug to take control of a system.”
Also attracting attention this month is CVE-2021-43883, an elevation-of-privilege vulnerability in Windows Installer, which is somewhat unusual in that it seems be a fix for a bypass of a bug that was already fixed in November – CVE-2021-41379. Caitlin Condon, engineering manager at Rapid7, explained: “While there is no indication in the advisory that the two vulnerabilities are related, CVE-2021-43883 looks an awful lot like the fix for a zero-day vulnerability that made a splash in the security community last month after proof-of-concept exploit code was released and in-the-wild attacks began.
“The zero-day vulnerability, which researchers hypothesised was a patch bypass for CVE-2021-41379, allowed low-privileged attackers to overwrite protected files and escalate to SYSTEM. Rapid7’s vulnerability research team did a full root-cause analysis of the bug as attacks ramped up in November.”
The other critical vulnerabilities in the Microsoft update are all remote code execution (RCE) vulnerabilities. These are CVE-2021-42310 in Microsoft Defender for IoT, CVE-2021-43215 in iSNS Server, CVE-2021-43217 in Windows Encrypting File System, CVE-2021-43233 in Remote Desktop Client, CVE-2021-43899 in Microsoft 4K Wireless Display Adapter, CVE-2021-43905 in Microsoft Office app, and CVE-2021-43907 in Visual Studio Code WSL Extension.