At first glance, I thought this Patch Tuesday was going to be a light one – until I started digging into the technical details and uncovered (with some difficulty) a number of ‘exploitation detected’ vulnerabilities. This tag means attackers are actively using them, so for me, it’s the most important piece of information we need to prioritize the patches. Sure, there are CVEs listed with a score of 9.4 – but a CVE with a score of 5.2 that is being actively exploited must take center stage and be patched as a matter of priority above the rest.
CVE-2021-33742 – Windows Remote MSHTML Platform Remote Code Execution is one such vulnerability, which exploits MSHTML, a component used by the Internet Explorer engine to read and display content from websites. As such, visiting a website in a vulnerable browser is a simple way for attackers to deliver this exploit. As the library is used by other services and applications, emailing HTML files as part of a phishing campaign is also a viable method of delivery.
The other vuln listed as ‘exploitation detected’ is CVE-2021-33739 - Microsoft DWM Core Library Elevation of Privilege Vulnerability. Privilege escalation vulnerabilities are just as valuable to attackers as RCEs, as once they have gained an initial foothold, they can move laterally across the network and uncover further ways to escalate to system or domain-level access. This can be hugely damaging in the event of ransomware attacks, where high privileges can enable the attackers to stop or destroy backups and other security tools.
We’re being spoiled this month with two more ‘exploitation detected’ vulns: CVE-2021-31201 and CVE-2021-31199 – Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability. These privilege escalation vulnerabilities are linked to CVE-2021-28550 in Adobe. Attackers have been targeting Adobe Reader users on Windows, likely in the form of PDF files delivered to targets either as attachments or downloaded directly from websites. Remember that the PDF format can be used to run other applications, so it’s likely that this collection of CVEs is being used as the initial infection point via targeted phishing attacks.
Of the vulnerabilities that are not known to be currently exploited in the wild, one that caught my eye was CVE-2021-31959 – Scripting Engine Memory Corruption Vulnerability. This one is going to be attractive to attackers, and will be very similar to CVE-2021-33742 in the way that it can be distributed as an email attachment or file share, or via a website in the attacker’s control for web drive-by or watering hole attacks. It affects all versions of Windows servers and desktops alike, and is typically used as a dropper – an initial infection vector – to deliver the final malware payloads.
Any vulnerabilities in Defender, like CVE-2021-31985 – Microsoft Defender Remote Code Execution Vulnerability, should be considered extremely important to update. By its nature, this tool has elevated permissions to ensure it can access, scan, and monitor every process for signs of infection. And it is designed to look at every file so an attacker sending files to a victim would expect Defender to run against that file.
We don't know the exact vector, but this vulnerability could be triggered by something as simple as sending a file. It is listed as remote code execution, but could also be used to gain privilege escalation on the target system depending on how it’s affected.
This runs on all operating systems so the reach is wide. Fortunately, Defender is designed to be automatically updated out of band, so if you have not disabled this default behavior, you should be automatically patched.
Final thoughts
‘Exploitation detected’ was apparently the flavor of the month with six vulnerabilities tagged in this way. As I mentioned in my introduction, it’s surprisingly difficult to find which vulnerabilities are listed as ‘exploitation detected’ without sifting through the technical details on every one of them. Microsoft doesn't make it easy, which is puzzling considering these should absolutely be your priority when patching your systems, even if they score a lower CVSS than others.
As such, I went digging and found that there’s an API to query Patch Tuesday releases. With a simple Python script, I uncovered some interesting stats and listed out the vulnerabilities I care about the most. This script is now available in the ImmersiveLabsSecurity GitHub repo.
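As an added example (not the author's script), here is one way to rank a release so that ‘exploitation detected’ entries come ahead of higher-scoring ones. It runs over a constructed sample; the field names (`Vulnerability`, `Threats`, `CVSSScoreSets`) and the exploit-status type code are assumptions about the API's JSON layout, and the CVE ids, titles and scores are placeholders.

```python
# Constructed sample in the JSON shape assumed for a Patch Tuesday release document.
# CVE ids, titles and scores below are placeholders, not real data.
SAMPLE_CVRF = {"Vulnerability": [
    {"CVE": "CVE-0000-0001", "Title": {"Value": "Example RCE"},
     "CVSSScoreSets": [{"BaseScore": 9.4}],
     "Threats": [{"Type": 1, "Description": {"Value":
         "Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Less Likely"}}]},
    {"CVE": "CVE-0000-0002", "Title": {"Value": "Example EoP"},
     "CVSSScoreSets": [{"BaseScore": 5.2}],
     "Threats": [{"Type": 1, "Description": {"Value":
         "Publicly Disclosed:No;Exploited:Yes;Latest Software Release:Exploitation Detected"}}]},
    {"CVE": "CVE-0000-0003", "Title": {"Value": "Example browser RCE"},
     "CVSSScoreSets": [{"BaseScore": 7.8}],
     "Threats": [{"Type": 0, "Description": {"Value": "Remote Code Execution"}},
                 {"Type": 1, "Description": {"Value": "Exploited: Yes ;Publicly Disclosed:Yes"}}]},
    {"CVE": "CVE-0000-0004", "Title": {"Value": "Entry with no threat or score data"}},
]}

EXPLOIT_STATUS = 1  # assumed "Type" code of the threat entry carrying the exploit flags


def exploit_flags(vuln):
    """Parse the 'Key:Value;Key:Value' exploit-status string into a dict."""
    flags = {}
    for threat in vuln.get("Threats", []):
        if threat.get("Type") != EXPLOIT_STATUS:
            continue
        text = (threat.get("Description") or {}).get("Value") or ""
        for field in text.split(";"):
            key, sep, value = field.partition(":")
            if sep:
                flags[key.strip().lower()] = value.strip().lower()
    return flags


def base_score(vuln):
    """Highest CVSS base score listed for the entry, 0.0 when none is present."""
    sets = vuln.get("CVSSScoreSets", [])
    return max((float(s["BaseScore"]) for s in sets if "BaseScore" in s), default=0.0)


def prioritise(doc):
    """Return (exploited, score, cve, title) rows: exploited first, then by score."""
    rows = [(exploit_flags(v).get("exploited") == "yes", base_score(v),
             v.get("CVE", "?"), (v.get("Title") or {}).get("Value", ""))
            for v in doc.get("Vulnerability", [])]
    return sorted(rows, key=lambda r: (not r[0], -r[1]))


if __name__ == "__main__":
    for exploited, score, cve, title in prioritise(SAMPLE_CVRF):
        print(f"{'EXPLOITED' if exploited else '-':9}  {score:4.1f}  {cve}  {title}")
```

Entries with missing threat or score data sort last rather than raising, so a partially populated release still produces a usable list.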
Don’t forget to tune in next month for more #PatchNewsday!
Kev Breen,
Director of Cyber Threat Research,
Immersive Labs
@kevthehermit