On another comparatively light Patch Tuesday, Microsoft has issued fixes for a total of 55 newly uncovered common vulnerabilities and exposures (CVEs), six of them rated as critical, and two that are already being publicly exploited.
The two CVEs in question are CVE-2021-42292, a security feature bypass vulnerability in Microsoft Excel, and CVE-2021-42321, a remote code execution (RCE) vulnerability in Microsoft Exchange Server. Both are rated important, with CVSS scores of 7.8 and 8.8, respectively.
“CVE-2021-42321 should be of primary concern,” said Recorded Future senior security architect Allan Liska. “This vulnerability is one that is being actively exploited in the wild. Exchange vulnerabilities have been of particular concern this year.
“Both Chinese nation state actors and the cyber criminals behind the DearCry ransomware (also believed to be operating out of China) exploited earlier vulnerabilities in Microsoft Exchange (CVE-2021-26855 and CVE-2021-27065). While Microsoft only rates the vulnerability as ‘Important’ because an attacker has to be authenticated to exploit it, Recorded Future has noted that gaining legitimate credential access to Windows systems has become trivial for both nation state and cyber criminal actors. This should be prioritised for patching.
“The other vulnerability that is being exploited in the wild is CVE-2021-42292. This is a security feature bypass vulnerability for Microsoft Excel for both Windows and MacOS computers. This vulnerability affects versions 2013-2021.”
Liska added: “Microsoft is not clear in its description which security feature is bypassed by the vulnerability. However, again, the fact that it is being exploited in the wild is concerning and means it should be prioritised for patching. Microsoft Excel is a frequent target of both nation state attackers and cyber criminals.”
The six critical vulnerabilities are listed as: CVE-2021-3711, which is a decryption buffer overflow flaw in OpenSSL; CVE-2021-26443, an RCE vulnerability in Microsoft Virtual Machine Bus; CVE-2021-38666, an RCE vulnerability in Remote Desktop Client; CVE-2021-42270, a memory corruption vulnerability in the Chakra scripting engine; CVE-2021-42298, an RCE vulnerability in Microsoft Defender; and CVE-2021-42316, yet another RCE vulnerability in Microsoft Dynamics 365.
None of the above-listed bugs are being exploited in the wild at the time of writing, although this may well change in short order. Many in the security community are already raising concerns, among them Danny Kim, principal architect at Virsec, who said the Microsoft Defender vulnerability was particularly worrying.
“With the exploitability assessment of ‘Exploitation more likely’ and the severity score and the repeatability of this attack, I think this CVE should be top of mind for all enterprises,” Kim told Computer Weekly in emailed comments.
“Windows Defender runs on all supported versions of Windows. This vulnerability significantly increases the potential attack surface for today’s organisations due to the popularity of Windows Defender. This CVE does require some user interaction; however, we have seen in the past how attackers can use social engineering/phishing emails to achieve such interaction fairly easily.”
Jay Goodman of Automox flagged both the vulnerabilities in the Chakra scripting engine and Microsoft Dynamics 365 as noteworthy.
“The Chakra scripting engine is widely used in Microsoft Edge and RCE vulnerabilities are particularly sensitive given that they enable attackers to directly run malicious code on the exploited systems,” he said. “It is highly recommended that IT administrators remediate this vulnerability within 72 hours to minimise exposure to threat actors.
“Microsoft Dynamics 365 is a resource planning and CRM tool from Microsoft and this vulnerability is present in the 9.0 and 9.1 versions of their on-premise option. Remote code execution vulnerabilities are particularly sensitive given that they enable attackers to directly run malicious code on the exploited systems.”
Goodman added: “It is highly recommended that IT administrators remediate this vulnerability within 72 hours to minimise exposure to threat actors, especially in a tool with access to sensitive customer and business data like a CRM solution.”
Meanwhile, another lighter-than-usual Patch Tuesday has raised eyebrows at Trend Micro’s Zero Day Initiative, where communications lead Dustin Childs suggested that the downward trend might be a cause for concern.
“Historically speaking, 55 patches in November is a relatively low number,” he wrote. “Last year, there were more than double this number of CVEs fixed. Even going back to 2018, when there were only 691 CVEs fixed all year, there were more November CVEs fixed than in this month.
“Given that December is typically a slower month patch-wise, it causes one to wonder if there is a backlog of patches awaiting deployment due to various factors. It seems odd that Microsoft would be releasing fewer patches after seeing nothing but increases across the industry for years.”