For anyone about to sit back after checking their environment for the Log4j vulnerabilities and applying patches where needed, here are some more things that need patching.
In 2021’s final Patch Tuesday, Microsoft included a total of 67 fixes for security vulnerabilities. The total set of updates includes patches for six publicly known bugs and seven critical security vulnerabilities.
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Let’s have a look at the most interesting ones that were patched in this Patch Tuesday update.
CVE-2021-42310 Microsoft Defender for IoT Remote Code Execution vulnerability. Due to a flaw in the password reset request process, an attacker can reset someone else’s password. The attack may be launched remotely. No form of authentication is required for exploitation.
CVE-2021-43905 Microsoft Office app Remote Code Execution vulnerability. This vulnerability was rated 9.6 out of 10 on the CVSS vulnerability-severity scale, and Microsoft thinks it is likely to be exploited.
CVE-2021-43899 Microsoft 4K Wireless Display Adapter Remote Code Execution vulnerability. This vulnerability was rated 9.8 out of 10 on the CVSS vulnerability-severity scale, even though Microsoft says it's not likely to be exploited. You will need to install the Microsoft Wireless Display Adapter app from the Microsoft Store onto a system connected to the Microsoft 4K Wireless Display Adapter. Once installed, use the Update & security section of the app to download and install the latest firmware.
CVE-2021-43890 Windows AppX Installer Spoofing vulnerability. This vulnerability allows an attacker to create a malicious package file and then modify it to look like a legitimate application. We reported on this vulnerability being used in the wild by Emotet (among others).
CVE-2021-43883 Windows Installer Elevation of Privilege vulnerability. This is a patch to patch a bypassed patch in Windows Installer that was initially fixed in November. By exploiting this vulnerability, threat actors that already have limited access to compromised systems can elevate their privileges and use these privileges to spread laterally within a target network.
CVE-2021-43215 iSNS Server Memory Corruption vulnerability can lead to remote code execution (RCE). An attacker could send a specially crafted request to the Internet Storage Name Service (iSNS) server, which could result in an RCE. The Internet Storage Name Service (iSNS) protocol is used for interaction between iSNS servers and iSNS clients.
CVE-2021-43217 Windows Encrypting File System (EFS) Remote Code Execution vulnerability. An attacker could cause a buffer overflow write leading to unauthenticated non-sandboxed code execution. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how EFS makes connections from client to server. When the second phase of Windows updates become available in Q1 2022, customers will be notified via a revision to the security vulnerability.
CVE-2021-41333 Windows Print Spooler Elevation of Privilege vulnerability. Exploit code for this vulnerability is available and the code works in most situations where the vulnerability exists., which makes it a priority to fix, even if we haven’t seen any attacks using this in the wild.
Apple has also published security updates. The update includes fixes for the remote jail-breaks that were demonstrated at the TianfuCup in October.
Apple has issued security updates for the WebKit in Safari 15.2 and for a total of 42 vulnerabilities in iOS 15.2 and iPadOS 15.2. Included in the patches were several security vulnerabilities that allowed anyone with physical access to a device to view contacts on a locked device, and to view stored passwords without authentication.
Other vendors that issued updates to keep an eye on were:
- Google (Chrome)
- Apache, Cisco, vmWare, UniFi, and probably others as well, issued Log4j related patches.
Stay safe, everyone!