Despite Windows’ zero-day fix, the December Patch Tuesday security updates were overshadowed by attempts by administrators to fix the Log4Shell flaw.
Microsoft has released fixes for 67 new vulnerabilities, seven rated critical, with four older vulnerabilities re-released for a total of 71 CVEs for the December Patch Tuesday. But a Java-based bug that affects many applications and server systems has eclipsed the release of Microsoft’s monthly security updates.
On December 9, the Apache Software Foundation fixed a remote code execution vulnerability (CVE-2021-44228) in its popular Apache Log4j logging tool used by developers of Java applications. Dubbed Log4Shell, the vulnerability affects a variety of enterprise technologies, such as microservices and back-end systems. Despite the availability of a fix, administrators do not have an easy way to fix it in their infrastructure.
“This vulnerability is in a development library. It’s part of an application, so you can’t just fix that individual component, ”said Chris Goettl, vice president of product management at Ivanti, an IT asset and endpoint management company. “Each of the vendors who use it must solve the problem in their own products. And that’s not easy to do.”
With a Common Vulnerability Scoring System (CVSS) score of 10 out of 10 for the highest possible severity level, the pressure is on administrators to discover this vulnerability, which can be ubiquitous in organizations that heavily use open source software. on their servers. or even SaaS applications. The stress is compounded by the difficulty of figuring out which software uses the logging tool, which runs on both Windows and Linux systems, and by the minimal effort an unauthenticated attacker needs to exploit the vulnerability. .
“It’s a very simple three-step process, and boom, you’ve just compromised a server and you can do whatever you want,” Goettl said.
The Microsoft Security Response Center posted a blog to help IT professionals with mitigation guidelines for several products, including Azure App Service, Azure Functions, and Azure Active Directory, and also provided workarounds for other affected technologies without security update for the CVE.
As many Java applications can take advantage of Log4j 2, companies should contact application vendors or ensure their Java applications are running the latest version. Developers using Log4j 2 should ensure that they integrate the latest version of Log4j in their apps as soon as possible to protect users and organizations, ”the blog said.
December Patch Tuesday security fixes for Windows in the day zero headlines
Microsoft fixed Windows AppX Installer Day Zero (CVE-2021-43890) to prevent attacks based on the BazaLoader / Emotet / Trickbot family of malware. This flaw, deemed important, was one of six publicly disclosed vulnerabilities.
Because this vulnerability requires user interaction, a malicious actor would have to convince the recipient to open a specially crafted package, such as an email attachment, to trigger the exploit. Administrators may want to take Microsoft’s guidance further and increase security on user machines through a GPO that blocks user installations or only allows trusted apps to install. Goettl recommends these steps because updates from the Microsoft Store can be problematic.
“Microsoft Store apps are supposed to update on their own, but it doesn’t always work consistently. Plus, detecting the update can be a challenge because there is no consolidated way to visually see all of the store’s apps are up to date, ”he said.
Windows Installer vulnerability is revealed by researcher
Microsoft released a security update on the November Patch Tuesday to address a Windows Installer elevation of privilege vulnerability (CVE-2021-41379) that is considered important for Windows desktop and server systems. But a security researcher said the patch did not completely address the flaw, and while further investigating the patch, he discovered a variant of the Windows Installer bug.
Abdelhamid Naceri has released proof of concept code called InstallerFileTakeOver which takes advantage of a flaw in all Windows systems, including the latest Windows 11 operating systems and Windows Server 2022, which bypasses Group Policy settings to prevent standard users to access the administrative installation function. The December Patch Tuesday resolves an elevation of privilege vulnerability in Windows Installer (CVE-2021-43883) that appears to be the Naceri variant, although it is not credited in the CVE notes. Microsoft recognized Naceri this month for its work in developing security updates for a Windows Remote Access Elevation of Privilege Vulnerability (CVE-2021-43238) and an Elevation of Privilege Vulnerability Windows installation (CVE-2021-43237).
Other Important Security Updates from the December Patch Tuesday
A remote code execution vulnerability in Microsoft Office application (CVE-2021-43905) classified as critical has a CVSS score of 9.6. Microsoft’s CVE FAQ stated that the preview pane is not an attack vector – user interaction is required – and the Microsoft Store should issue the fix automatically.
A remote code execution vulnerability in the Windows Visual Studio Code Subsystem for the Linux Extension (CVE-2021-43907) classified as critical has a CVSS score of 9.8. Administrators must deploy version 0.63.11 of the Remote-WSL extension to prevent an exploit.
An Internet Storage Name Service (iSNS) server remote code execution / memory corruption vulnerability (CVE-2021-43215) classified as critical with a CVSS score of 9.8 affects supported Windows systems except of Windows 11 and Windows Server 2022. The threat actor on the network can send a specially crafted request to the iSNS server, which is typically used to help iSCSI devices on a SAN to find each other.