December’s Patch Tuesday

December’s Patch Tuesday included patches for 84 vulnerabilities. The obvious center of attention among vulnerability and patch experts has been the huge global news on Apache Log4j2.

Products, components, and roles with vulnerabilities

  • Apache Log4j2
  • Apps
  • NET Core & Visual Studio
  • Azure Bot Framework SDK
  • BizTalk ESB Toolkit
  • Internet Storage Name Service
  • Microsoft Defender for IoT
  • Microsoft Devices
  • Microsoft Edge (Chromium-based)
  • Microsoft Local Security Authority Server (lsasrv)
  • Microsoft Message Queuing
  • Microsoft Office
  • Microsoft Office Access
  • Microsoft Office Excel
  • Microsoft Office SharePoint
  • Microsoft PowerShell
  • Microsoft Windows Codecs Library
  • Office Developer Platform
  • Remote Desktop Client
  • Role: Windows Fax Service
  • Role: Windows Hyper-V
  • Visual Studio Code
  • Visual Studio Code – WSL Extension
  • Windows Common Log File System Driver
  • Windows Digital TV Tuner
  • Windows DirectX
  • Windows Encrypting File System (EFS)
  • Windows Event Tracing
  • Windows Installer
  • Windows Kernel
  • Windows Media
  • Windows Mobile Device Management
  • Windows NTFS
  • Windows Print Spooler Components
  • Windows Remote Access Connection Manager
  • Windows Storage
  • Windows Storage Spaces Controller
  • Windows SymCrypt
  • Windows TCP/IP
  • Windows Update Stack

Microsoft released the patch for one zero-day vulnerability. In addition, six vulnerabilities were publicly disclosed.

 

Key points

CVE-2021-44228, also known as Apache Log4j vulnerability, has been the hot topic of last couple of days. At the moment the consensus seems to be the that the only Microsoft product affected is Minecraft: Java Edition. This does not mean your organization is protected, even though the vulnerability couldn’t be directly exploited on your devices. Now is an excellent moment to comb through all the services, devices, servers, IoT devices, and anything else that comes to mind. You can find a long list of affected products on GitHub:

You should also follow National Cyber Security Centre’s guidance on the subject.

 

Vulnerabilities in Microsoft products

Let’s start with the publicly disclosed vulnerabilities: CVE-2021-43907CVE-2021-43883CVE-2021-43240CVE-2021-43893CVE-2021-43890 and CVE-2021-43880. From the listed vulnerabilities, CVE-2021-43890 is also a zero-day vulnerability.

Prioritize these patches if possible:

  • CVE-2021-43907 (CVSS 9.8) is a vulnerability for the Visual Studio Code WSL Extension. So, remember to update the extension: https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-wsl.
  • CVE-2021-43890 (CVSS 7.1) is a publicly disclosed zero-day vulnerability related to Microsoft Desktop Installer and the APPX applications. If you are using the product, it’s a good idea to update it: Microsoft Desktop Installer 1.16(Windows 10 newer than 1803) and Microsoft Desktop Installer 1.11 (when using Windows 10 1709 or 1803). If updates can’t be done, you can mitigate the vulnerability by blocking or limiting application installation in device environments. Good tools for this are for instance Group Policy, Applocker, and Windows Defender Application Control.
  • CVE-2021-43883 (CVSS 7.8) is a vulnerability targeting Windows operating systems. The vulnerability’s type is elevation of privileges.
  • CVE-2021-43240 (CVSS 7.8) is a vulnerability targeting Windows operating systems. The vulnerability’s type is elevation of privileges.
  • CVE-2021-43893 (CVSS 7.5) is a vulnerability targeting Windows operating systems. The vulnerability’s type is elevation of privileges.
  • CVE-2021-43880 (CVSS 5.5) is a vulnerability targeting Windows 11 operating systems. The vulnerability’s type is elevation of privileges. More precisely, the vulnerability targets the Windows Mobile Device Management component. Thanks to the vulnerability, the intruder can delete files from a vulnerable device.

 

Active and known issues in Windows operating systems

Operating System Active known issues (previous month)
Windows 11, version 21H2 0 (1)
Windows 10, version 21H1 and Windows Server, version 21H1 2 (4)
Windows 10, version 20H2 and Windows Server, version 20H2 2 (4)
Windows 10, version 2004 and Windows Server, version 2004 2 (4)
Windows 10, versions 1909** and 1903** and Windows Server, version 1903** 0 (1) Support has partially ended for Windows 10 versions 1903 and 1909.
Windows 10, version 1809** and Windows Server 2019 3 (3) Support has ended for Windows 10 version 1803.
Windows 10, version 1803** Support has ended.
Windows 10, version 1709*** and Windows Server, version 1709 Support has ended.
Windows 10, version 1703*** Support has ended.
Windows 10, version 1607 LTSC*** and Windows Server 20162 1 (1)
Windows 8.1**** and Windows Server 2012 R2 1 (2)
Windows Server 2012 1
Windows 7**** and Windows Server 2008 R2 SP1 2
  • * 1909 has the same operating system core and identical system files as its predecessor, 1903.
  • ** The support for Windows 10’s build in question has ended for versions Home, Pro, and Enterprise.
  • *** The support for Windows 10’s build in question has ended for all versions.
  • **** The Mainstream support period for the Windows version has ended. Extended support periods end: For Windows 8.1, on Jan 10th 2023, and for Windows 7, on Jan 14th 2020.

 

Recommended actions

The critical, zero-day, and publicly disclosed vulnerabilities mentioned in the beginning should be patched as soon as possible. However, Centero recommends testing the updates carefully before migrating them into production. In addition, you should go through any known issues before deploying the updates.

Organizations should make sure their devices have one of the three most recent Windows 10 property versions (21H1, 20H2, or 2004), making sure the devices are still getting their monthly security patches. In the future, it’s important to also make sure the Windows 11 feature updates are among the supported updates.

 

Microsoft’s documentation on the subject

 

Microsoft maintains a list of Windows updates and their known issues on the following pages. You can find additional information on Windows-versions’ lifecycle behind the last link.

 

 

Read more on this topic:

New year, new updates

Microsoft published updates for 83 vulnerabilities for Windows OS, Browsers and Office this January. 10 out of 83 are categorized as critical. The most critical patched vulnerability is CVE-2021-1647. Exploitation of this vulnerability allows an attacker to execute malicious code and Microsoft warns that this vulnerability has already been exploited. CVE-2021-1647 is rated 7.8 on CVSS […]

There are many publicly disclosed vulnerabilities in October

76 vulnerabilities for Windows OS, Microsoft browsers and Office have been patched. Silver lining in this month seems to be the lower number of the vulnerabilities. Let’s hope that this is a positive trend which will go on in the following months as well. Nevertheless this month certainly cannot be overlooked. There are critical updates […]