It’s a slightly delayed Patch Newsday this month, but for good reason! As this is the very last Patch Newsday of 2021, and I’m feeling particularly generous, I wanted to give you an extra treat by offering an overview of the Patch Tuesday trends we saw this year – and what we can do to protect ourselves in 2022.
First of all, let’s start with a rundown of the December 2021 Patch Tuesday.
Log4j was definitely a distraction for most security teams this month – but that doesn’t stop the world from turning, and there were enough interesting vulnerabilities in Patch Tuesday to merit your full attention.
As always, you know your risks and your estate, so you should make patching and update decisions accordingly. Take a breath, look at the release from Microsoft, and prioritize or deprioritize accordingly.
CVE-2021-43890 is a spoofing vulnerability in Windows AppX Installer, observed and reported in December. It allows an attacker to create a malicious package file and then modify it to look like a legitimate application, and has been used to deliver Emotet malware, which made a comeback this year. The patch should mean that packages can no longer be spoofed to appear as valid, but it will not stop attackers from sending links or attachments to these files.
CVE-2021-43905, a Remote Code Execution vulnerability in the Microsoft Office app, definitely stands out to me, not only for its high CVSS score of 9.6, but also because it’s noted as “exploitation more likely”.
Very little is given away in the advisory to identify what the immediate risk is – it simply states the affected product as “Office App”. This can make it difficult for security teams to prioritize or put mitigations in place if quick patching is not available – especially when security teams are already tied down with other critical patching.
CVE-2021-43883, an elevation of privilege vulnerability in Windows Installer, is another highly rated vulnerability by Microsoft. This one affects both server and desktop versions of Windows and allows a local user to escalate their privileges.
This kind of vulnerability is highly sought after by attackers looking to move laterally across a network. After gaining the initial foothold, achieving administrator-level access can allow attackers to disable security tools and deploy additional malware or tools like Mimikatz. Almost all ransomware attacks in the last year employed some form of privilege escalation as a key component of the attack prior to launching ransomware.
Next up is CVE-2021-43233, a remote code execution vulnerability in Remote Desktop Client. This one is flagged as “exploitation more likely” in the advisory notes, and would likely require a social engineering or phishing component to be successful.
A similar vulnerability, CVE-2021-38666, was reported and patched in November. While it was also marked as “exploitation more likely”, thankfully there have been no reports of proof of concept code or of it being exploited in the wild, which goes to show how important it is to make your own risk-based approach to prioritizing patches.
Coming in at a whopping 9.8 on the CVSS score is CVE-2021-43215, an iSNS Server Memory Corruption vulnerability that can lead to Remote Code Execution. This one is critical to patch quickly if you operate iSNS services – but remember that this is not a default component, so check this before you bump it up the list.
iSNS is a client-server protocol that allows clients to query an iSNS database. To exploit this vulnerability, an attacker only needs to be able to send a specially crafted request to the target server to gain code execution.
As this protocol is used to facilitate data storage over the network, it would be a high-priority target for attackers looking to damage an organization’s ability to recover from attacks like ransomware. These services are also typically trusted from a network perspective – which is another reason attackers would choose this kind of target.
And finally onto CVE-2021-41333, an elevation of privilege vulnerability in Print Spooler. Print Spooler really feels like the gift that keeps on giving this year!
Judging by the steady flow of responsible disclosures and regular updates, this component of the Windows ecosystem has seen significant focus from researchers over the last year. We also know that attackers are quick to leverage these vulnerabilities once they become known, and some of them have gone on to be exploited in the wild.
Microsoft has this listed as “exploitation more likely”, and as it can be found on all versions of Windows from server to desktop, it’s a good one to push up the priority list. If you’re not able to patch this one quickly, and you don’t need the ability to print, there is guidance in previous releases on applying mitigations to disable the component.
With the very last Patch Tuesday of 2021 all wrapped up, we wanted to take a step back and take a look at some of the trends and themes we’ve seen appear over the last 12 months. Using our open-source patch_review tool, we can quickly grab some basic stats on all the publicly disclosed patches Microsoft has released over the months and years.
Note: When calculating and talking about these stats, I am not including the Chromium / Edge updates that get pulled in; I am just looking at Microsoft’s own patches. And when we say Zero Day, we mean that, at the time the advisory was published, the vulnerability was already being exploited in the wild. We know some of these vulnerabilities went on to be exploited in the wild post-patching.
We finish off 2021 with a total of 867 patched vulnerabilities, down from the 1260 total that was observed in 2020 but very close to the number we saw in 2019 (866).
While 2020 was definitely a busier year for vulnerabilities, this year saw an increase in those being actively exploited in the wild prior to official patches being released. March and June were especially busy for this zero-day activity.
A large contributor to the spike in March was the collection of Exchange server vulnerabilities leveraged by a nation-state actor known as Hafnium. Once the news went live, it was quickly weaponized by other threat groups looking to leverage the gap in organizations’ defenses before the patches – which had just been released – were put in place.
2021 also sees Remote Code Execution (RCE) return as the most commonly reported vulnerability type, accounting for around 38% of all reported vulnerabilities. Elevation of Privilege was more de rigueur in 2020, with 44% of all vulnerabilities falling under that category, whereas RCE accounted for only 27% that year.
So what does all of that mean?
Software vulnerabilities in Microsoft products are not going away any time soon. Despite the best efforts of responsible disclosure and frequent patch releases, software will always have bugs and attackers will always seek to capitalize on them.
We are seeing an upward trend in how quickly attackers are getting their hands on exploits for new vulnerabilities – and this is not limited to Microsoft products. Chrome, Adobe, and Apple all have similar trends.
So what is our advice when it comes to patching?
- Understand your estate, the services, software and tools that you operate.
- Understand your business risk – this will be key to making decisions later down the road.
- When advisories and patches are released, assemble a change advisory board that has input from Development Teams, Security Teams and Operational teams.
- Review all the advisories and prioritize them based on your knowledge of your estate and the risks. If you turn off a component to apply a critical patch, how will that impact your customers? What is the risk of not doing it?
- Listen to threat reports, but weigh them against your own risk picture rather than reacting in the heat of the moment.
- Ensure you have a plan for mitigations. If you are unable to patch, then increase monitoring and logging around vital components or likely exploit paths.
- Have an incident response plan in place that encompasses all of your teams, not just your technical teams. Legal, Marketing, and Compliance will all need to have input at some point and context is important, so don’t leave them till the end.
- Practice your plan! No one can say they are impervious to compromise; even the best in the industry have had a breach at some point. Knowing with confidence what to do and when to do it can be the tipping point.
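One way to turn the advice above into a repeatable, risk-based prioritisation, as an added example that is not part of the original post or of the patch_review tool: the advisories are the December ones discussed above, while the estate inventory, the scoring weights and the P1/P2/P3 tiers are assumptions, and fields the post does not give (such as CVSS scores for most entries) are left unset rather than guessed.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass
class Advisory:
    cve: str
    component: str
    cvss: Optional[float]           # None where the post gives no score
    exploited_in_wild: bool         # "zero day": exploited before the advisory
    exploitation_more_likely: bool  # Microsoft's exploitability note
    mitigation: Optional[str] = None
# December 2021 advisories as described in the post; unstated fields stay None/False.
ADVISORIES = [
    Advisory("CVE-2021-43890", "Windows AppX Installer", None, True, False),
    Advisory("CVE-2021-43905", "Office App", 9.6, False, True),
    Advisory("CVE-2021-43883", "Windows Installer", None, False, False),
    Advisory("CVE-2021-43233", "Remote Desktop Client", None, False, True),
    Advisory("CVE-2021-43215", "iSNS Server", 9.8, False, False),
    Advisory("CVE-2021-41333", "Print Spooler", None, False, True,
             "disable the Print Spooler service where printing is not needed"),
]
# Constructed estate: component -> business criticality (iSNS absent: not a default component).
ESTATE = {"Windows AppX Installer": "medium", "Office App": "high", "Windows Installer": "high",
          "Remote Desktop Client": "medium", "Print Spooler": "low"}
WEIGHT = {"high": 2, "medium": 1, "low": 0}   # assumed weights, tune to your risk appetite

def risk_score(adv, estate):
    # None when the component is not deployed: nothing to patch, do not bump it up the list.
    crit = estate.get(adv.component)
    if crit is None:
        return None
    score = WEIGHT[crit]
    if adv.exploited_in_wild:
        score += 5   # already weaponised: top tier wherever it is deployed
    if adv.exploitation_more_likely:
        score += 2   # a hint, not a guarantee (cf. CVE-2021-38666 in November)
    if adv.cvss is not None:
        score += 2 if adv.cvss >= 9.0 else 1 if adv.cvss >= 7.0 else 0
    return score

def prioritize(advisories, estate):
    # Returns (ranked, skipped); ranked = [(tier, cve, score, mitigation)], best first.
    ranked, skipped = [], []
    for adv in advisories:
        s = risk_score(adv, estate)
        if s is None:
            skipped.append(adv.cve)
        else:
            ranked.append(("P1" if s >= 5 else "P2" if s >= 3 else "P3", adv.cve, s, adv.mitigation))
    ranked.sort(key=lambda r: (-r[2], r[1]))
    return ranked, skipped
```

With this estate the zero-day and the 9.6 Office App bug land in P1, the 9.8 iSNS bug is skipped because it is not deployed, and the Print Spooler entry carries its disable-the-service mitigation for teams that cannot patch quickly.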
And with that, we’ll see you in the new year for the first Patch Tuesday for 2022. Will it be a big one to set us up for the year – or are you hoping to be eased into 2022 gently?
17 December 2021
Director of Cyber Threat Research, Immersive Labs