55 Patches, 6 Zero Days - Is There a Backlog at Microsoft?
Flaws Are Actively Being Exploited in the Wild; Mac Office Users Left Waiting
Microsoft's November Patch Tuesday security update covers 55 security fixes, six of which are zero-day vulnerabilities, with two flaws actively exploited in the wild.
In addition to six critical vulnerabilities, there are others that deal with security feature bypass, remote code execution, information disclosure, denial-of-service and spoofing - all serious concerns that need immediate patching - but is the overall figure below what would normally be expected?
According to Zero Day Initiative's Dustin Childs, 55 patches in November is a relatively low number.
Childs notes: "Last year, there were more than double this number of CVEs fixed. Even going back to 2018 when there were only 691 CVEs fixed all year, there were more November CVEs fixed than in this month. Given that December is typically a slower month patch-wise, it causes one to wonder if there is a backlog of patches awaiting deployment due to various factors."
Affected Products
The immediate concern is: Which products are affected by the flaws being patched? Some of them include Microsoft Azure, Microsoft Dynamics, Microsoft Edge (Chromium-based), Exchange Server, Windows Kernel, Windows Defender, Microsoft Office and Office Components and Windows Hyper-V.
"It’s important to get these patches applied as soon as possible. With 15 issues being remote code execution bugs, three denial-of-service issues, and one affecting the RDP client, they are the type of vulnerabilities an attacker will use to get into your IT network and move around within it," says Gary Robinson, CSO at Uleska, an application security platform.
Robinson states that the average "CVSS score across all 55 bugs is a 7.02 (out of 10), which means all of them are either critical or important issues, which mostly affect Windows Server, including the latest releases."
Actively Exploited Vulnerabilities
One of the key vulnerabilities patched is Microsoft Exchange Server Remote Code Execution (CVE-2021-42321), which is rated as important by Microsoft because the attacker must be authenticated to be able to exploit the vulnerability.
"This is a good example of the limits of vendor severity and CVSS scoring and how more information is required to fully understand what to prioritize. Exchange updates often need to be tested more by exchange admins, but an exploit in the wild puts a tighter time frame on admins to get this vulnerability resolved," says Chris Goettl, vice president of product management at Ivanti.
The CVE-2021-42321 vulnerability has a CVSS score of 8.8, and Microsoft has confirmed that it is being exploited in the wild.
"At first glance, CVE-2021-42321 sounds pretty scary, as we have already seen several Exchange Server vulnerabilities this year that were quickly adopted by attackers for exploitation. While the release does not detail what level of authentication is required, this vulnerability is marked as being actively exploited in the wild - so it should definitely be high on your list to patch," says Kev Breen, director of cyberthreat research, at Immersive Labs.
CVE-2021-42292 is also being actively exploited in the wild. This Microsoft Excel security feature bypass vulnerability has a CVSS score of 7.8, which puts it in the high-severity rating category. Breen says Microsoft does not offer any suggestion on what effect this vulnerability can have, "making it hard to prioritize, but anything that is being exploited in the wild should be at the very top of your list to patch."
Zero Day Initiative’s Childs says the patch fixes a bug that could allow code execution when opening a specially crafted file with an affected version of Excel, which is likely due to loading code that should be behind a prompt, but for whatever reason, that prompt does not appear, thus bypassing that security feature.
"It’s unclear if it’s a malicious macro or some other form of code loading within a spreadsheet, but I would be reluctant to open any unexpected attachments for a while. This is especially true for users of Office for Mac because there currently is no patch available for Mac users," Childs notes. "They must wait for a future update to be protected. It’s also interesting to note Microsoft lists this as under active attack, but the CVSS rating lists the exploit code maturity as proof of concept."
Vulnerabilities Involving Authentication
According to Chris Clements, vice president of solutions architecture at Cerberus Sentinel, system administrators should pay special attention to CVE-2021-42287 which applies changes to Active Directory.
"If this patch is not installed, a subsequent patch to be released in July 2022 will break domain controllers that have not installed CVE-2021-42287. This could lead to authentication outages for organizations that do not have a comprehensive patching strategy to ensure that all systems stay up to date," Clements notes.
Vulnerabilities in Remote Desktop Protocol
The other key patches resolved by Microsoft include a pair of information disclosure vulnerabilities in Remote Desktop Protocol (CVE-2021-38631 and CVE-2021-41371) that could allow an RDP server administrator to read Windows RDP client passwords.
"These two CVEs have been publicly disclosed, but no exploits have currently been observed. The vulnerabilities are only rated as important, and the fact that the attacker would need to be an RDP admin to exploit the information disclosures would make them seem lower priority. But there could be ways for an insider threat to gain access to users' credentials they should not have," Goettl notes.
Microsoft also resolved a pair of remote code execution vulnerabilities in 3D Viewer (CVE-2021-43209 and CVE-2021-43208) that have been publicly disclosed.
Goettl says 3D Viewer is a Microsoft Store app and should automatically update itself.
"You can verify the package using PowerShell to be sure the update has been applied. The 3D Viewer app was installed by default on fresh Windows installs, but Microsoft announced that fresh installs using Windows 10 build 21332 or later would no longer install Paint 3D or 3D Viewer by default," Goettl says.
CVE-2021-38666 is the remote desktop client remote code execution vulnerability that has a CVSS score of 8.8. Breen says Microsoft’s description for this vulnerability is not clear, but the attack vector suggests that the remote desktop client installed on all supported versions of Windows contains a vulnerability.
"To exploit it, an attacker would have to create their own server and convince a user to connect to the attacker. There are several ways an attacker could do this, one of which could be to send the target an RDP shortcut file, either via email or a download. If the target opens this file, which in itself is not malicious, they could be giving the attacker access to their system. In addition to patching this vulnerability, adding detections for RDP files being shared in emails or downloads would also be a sensible step," Breen says.
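A small detector for the mitigation Breen suggests, as an added example that is not from the article or from any vendor quoted in it: it parses the key:type:value lines of an .rdp shortcut (the format Remote Desktop Connection saves) and flags files whose target host is outside a constructed allowlist, escalating when the file also redirects local drives, clipboard or smart cards to the remote server. The allowlist, the sample files and the verdict thresholds are assumptions for illustration.

```python
import ipaddress

# Constructed policy (assumption, not from the article): hosts an RDP client is
# expected to reach. A real deployment would load this from configuration.
INTERNAL_SUFFIXES = (".corp.example",)
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Settings that hand the remote server access to local resources once connected.
RISKY_FLAGS = {"redirectdrives": "1", "drivestoredirect": "*",
               "redirectclipboard": "1", "redirectsmartcards": "1"}

def parse_rdp(text):
    """Parse the key:type:value lines of an .rdp file into {key: value}."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3:  # skip blank or malformed lines
            key, _type, value = parts
            settings[key.strip().lower()] = value.strip()
    return settings

def host_is_internal(address):
    """True if 'full address' (host or host:port) points inside the allowlist."""
    host = address.rsplit(":", 1)[0] if address.count(":") == 1 else address
    try:
        return any(ipaddress.ip_address(host) in net for net in INTERNAL_NETWORKS)
    except ValueError:  # not an IP literal, so compare the DNS name
        return host.lower().endswith(INTERNAL_SUFFIXES)

def assess_rdp_file(text):
    """Return (verdict, reasons) with verdict 'ok', 'review' or 'suspicious'."""
    s = parse_rdp(text)
    address = s.get("full address", "")
    external = not address or not host_is_internal(address)
    reasons = [f"target host not on allowlist: {address or '<none>'}"] if external else []
    for key, bad in RISKY_FLAGS.items():
        if s.get(key) == bad:
            reasons.append(f"{key}={bad} exposes local resources to the server")
    if external and len(reasons) > 1:  # outside host AND local resources exposed
        return "suspicious", reasons
    return ("review" if reasons else "ok"), reasons
# Constructed samples: a shortcut to an outside host that also redirects drives
# and clipboard (Breen's scenario), and an ordinary internal shortcut.
SUSPICIOUS_SAMPLE = "full address:s:203.0.113.10:3389\nscreen mode id:i:2\n" \
                    "redirectdrives:i:1\ndrivestoredirect:s:*\nredirectclipboard:i:1\n"
BENIGN_SAMPLE = "full address:s:ts01.corp.example\nscreen mode id:i:2\n" \
                "redirectdrives:i:0\nredirectclipboard:i:0\n"

if __name__ == "__main__":
    for sample in (SUSPICIOUS_SAMPLE, BENIGN_SAMPLE):
        print(assess_rdp_file(sample))
```

The same function can run over attachments at a mail gateway or over files in a downloads folder; an internal target with redirection enabled only yields "review", so legitimate admin shortcuts are not blocked outright.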