On another relatively light Patch Tuesday, Microsoft released fixes for a total of 55 newly disclosed common vulnerabilities and exposures (CVEs), six of which are classified as critical and two of which are already being exploited in the wild.
The two CVEs in question are CVE-2021-42292, a security feature bypass vulnerability in Microsoft Excel, and CVE-2021-42321, a remote code execution (RCE) vulnerability in Microsoft Exchange Server. Both are considered important, with CVSS scores of 7.8 and 8.8, respectively.
“CVE-2021-42321 should be the primary concern,” said Allan Liska, Senior Security Architect at Recorded Future. “This vulnerability is an actively exploited vulnerability in nature. Exchange vulnerabilities have been of particular concern this year.
“Chinese nation-state actors and cybercriminals behind the DearCry ransomware (also believed to be operating from China) exploited earlier vulnerabilities in Microsoft Exchange (CVE-2021-26855 and CVE-2021-27065). While Microsoft considers the vulnerability ‘Important’ only because an attacker must be authenticated to exploit it, Recorded Future noted that gaining legitimate access to Windows systems has become trivial for nation states and cybercriminals. This should be a priority for the patch.
“The other vulnerability that is exploited in the wild is CVE-2021-42292. This is a security feature bypass vulnerability for Microsoft Excel for Windows and MacOS computers. This vulnerability affects versions 2013-2021.
Liska added, “Microsoft does not clearly state in its description which security feature is bypassed by the vulnerability. However, again, the fact that it is being exploited in the wild is cause for concern and means it should be a priority for patching. Microsoft Excel is a frequent target of both nation-state attackers and cybercriminals.”
The six critical vulnerabilities are listed as: CVE-2021-3711, which is a decryption buffer overflow vulnerability in OpenSSL; CVE-2021-26443, another RCE vulnerability in Microsoft Virtual Machine Bus; CVE-2021-38666, an RCE vulnerability in Remote Desktop Client; CVE-2021-42270, a memory corruption vulnerability in the Chakra scripting engine; CVE-2021-42298, an RCE vulnerability in Microsoft Defender; and CVE-2021-42316, yet another RCE vulnerability in Microsoft Dynamics 365.
None of the bugs listed above were being exploited in the wild at the time of writing, although that may well change in the short term, and many in the security community are already expressing concerns, including Danny Kim, senior architect at Virsec, who said the Microsoft Defender vulnerability was of particular concern.
“With the exploitability rating of ‘Most Likely to Exploit’ and the severity score and repeatability of this attack, I think this CVE should be a priority for all businesses,” Kim told Computer Weekly in comments by email.
“Windows Defender works on all supported versions of Windows. This vulnerability dramatically increases the potential attack surface for organizations today due to the popularity of Windows Defender. This CVE requires some user interaction, but we have seen in the past how attackers can use social engineering / phishing emails to achieve such interaction quite easily.”
Jay Goodman of Automox reported both the Chakra scripting engine and Microsoft Dynamics 365 vulnerabilities as noteworthy.
“The Chakra scripting engine is widely used in Microsoft Edge, and RCE vulnerabilities are particularly sensitive because they allow attackers to directly execute malicious code on exploited systems,” he said. “IT administrators are strongly recommended to remediate this vulnerability within 72 hours to minimize exposure to threats.
“Microsoft Dynamics 365 is a CRM and resource planning tool from Microsoft and this vulnerability is present in versions 9.0 and 9.1 of their on-premises option. Remote code execution vulnerabilities are particularly sensitive because they allow attackers to directly execute malicious code on exploited systems.
Goodman added, “IT administrators are strongly recommended to remediate this vulnerability within 72 hours to minimize exposure to threat actors, especially in a tool with access to sensitive customer and company data like a CRM solution.”
Meanwhile, another lighter-than-usual Patch Tuesday drew comment from Trend Micro’s Zero Day Initiative, where communications manager Dustin Childs suggested the downward trend could itself be a cause for concern.
“Historically speaking, 55 patches in November is a relatively low number,” he wrote. “Last year there were more than double that number of corrected CVEs. Even going back to 2018, when there were only 691 corrected CVEs throughout the year, there were more November CVEs corrected than this month.
“Since December is generally a slower month in terms of fixes, one wonders if there is a backlog of fixes waiting to be deployed due to various factors. It seems strange that Microsoft is releasing fewer fixes after seeing nothing but increases in the industry for years.”