This month’s Patch Tuesday arrives in the middle of a global effort to mitigate Apache Log4j CVE-2021-44228 (Log4Shell).
In today’s security release, Microsoft issued fixes for 83
vulnerabilities across an array of products, including Microsoft
Defender for IoT, which is affected by CVE-2021-44228 in addition to the
eight remote code execution (RCE) vulnerabilities listed in the summary
tables below (the cloud-hosted service is not affected). Six CVEs in the
bulletin had been publicly disclosed before the release. The only
vulnerability noted as exploited in the wild this month is
CVE-2021-43890, a Windows AppX Installer spoofing bug that lends itself
to social engineering and has reportedly been used in Emotet malware
campaigns.
Interestingly, this round of fixes also includes CVE-2021-43883,
a Windows Installer privilege escalation bug whose advisory is sparse
even though it appears to affect all supported versions of Windows.
Although the advisory does not say so, CVE-2021-43883 looks very much
like the fix for the zero-day that made a splash in the security
community last month after proof-of-concept exploit code was released
and in-the-wild attacks began. That zero-day, which researchers
hypothesized was a bypass of the patch for CVE-2021-41379, allowed
low-privileged attackers to overwrite protected files and escalate to
SYSTEM. Rapid7’s vulnerability research team published a full root cause
analysis of the bug as attacks ramped up in November. Consistent with that
history, Microsoft lists CVE-2021-43883 as publicly disclosed, even
though it is not marked as exploited.
As usual, RCE flaws figure prominently among the “Critical”-rated CVEs
this month. Beyond Microsoft Defender for IoT, critical RCE bugs were
fixed in Microsoft Office, the Microsoft 4K Wireless Display Adapter,
the Internet Storage Name Service (iSNS) server, and the WSL extension
for Visual Studio Code. Given the outsized risk posed by most vulnerable
Log4Shell implementations, administrators should prioritize patches for
any products affected by CVE-2021-44228. After that, put critical
server-side and OS RCE patches at the top of the list, and squeeze in
the fix for CVE-2021-43883 despite its lower severity rating. Note that
the CVSSv3 scores in the tables below are not Microsoft’s severity
ratings; a 7.8 elevation-of-privilege bug with public disclosure can
deserve earlier attention than its score alone suggests.
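To make that prioritization concrete, here is an added example (not code from the original post, from Rapid7, or from Microsoft) that parses rows in the layout of the summary tables below and orders them by the rules the text lays out: products exposed to Log4Shell first, then critical RCE with CVE-2021-43883 bumped up, then publicly disclosed bugs, then the rest. The sample rows are copied from the tables; the exploited-first rule and the use of a CVSS score of 9.0 or higher as a stand-in for Microsoft’s “Critical” rating (which the tables do not carry) are this example’s own assumptions.

```python
"""Patch-order triage over the Patch Tuesday summary tables.

Added example for this post (not Rapid7's or Microsoft's code). It encodes
the prioritisation the text recommends: anything exploited in the wild or
exposed to Log4Shell first, then critical RCE, with CVE-2021-43883 bumped
up despite its 7.8 score, then publicly disclosed bugs, then the rest.
"""
import math
from dataclasses import dataclass
from typing import List, Optional

# Constructed subset of rows from the summary tables, same pipe layout.
SAMPLE_ROWS = """\
CVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ? |
CVE-2021-43890 | Windows AppX Installer Spoofing Vulnerability | Yes | Yes | 7.1 | Yes |
CVE-2021-43905 | Microsoft Office app Remote Code Execution Vulnerability | No | No | 9.6 | Yes |
CVE-2021-43907 | Visual Studio Code WSL Extension Remote Code Execution Vulnerability | No | No | 9.8 | No |
CVE-2021-43908 | Visual Studio Code Spoofing Vulnerability | No | No | N/A | No |
CVE-2021-43882 | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 9.0 | Yes |
CVE-2021-43215 | iSNS Server Memory Corruption Vulnerability Can Lead to Remote Code Execution | No | No | 9.8 | Yes |
CVE-2021-43883 | Windows Installer Elevation of Privilege Vulnerability | No | Yes | 7.8 | No |
CVE-2021-43880 | Windows Mobile Device Management Elevation of Privilege Vulnerability | No | Yes | 5.5 | Yes |
CVE-2021-43246 | Windows Hyper-V Denial of Service Vulnerability | No | No | 5.6 | No |
"""

# Products the post says are affected by CVE-2021-44228 (Log4Shell).
LOG4SHELL_PRODUCTS = ("Microsoft Defender for IoT",)
# The post's explicit advice: patch this one early despite its lower rating.
MANUAL_BUMPS = {"CVE-2021-43883"}
# Assumption: CVSS >= 9.0 stands in for Microsoft's "Critical" rating, which
# the summary tables do not carry.
CRITICAL_CVSS = 9.0


@dataclass
class Advisory:
    cve: str
    title: str
    exploited: bool
    disclosed: bool
    cvss: Optional[float]  # None when Microsoft published no score

    @property
    def is_rce(self) -> bool:
        return "Remote Code Execution" in self.title


def parse_score(cell: str) -> Optional[float]:
    """Turn a CVSSv3 cell into a float; 'N/A', 'nan' and blanks become None.
    float('nan') parses without error, so NaN must be caught explicitly."""
    try:
        score = float(cell)
    except ValueError:
        return None
    return None if math.isnan(score) else score


def parse_rows(text: str) -> List[Advisory]:
    advisories = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 5 or not cells[0].startswith("CVE-"):
            continue  # header row or blank line
        cve, title, exploited, disclosed, cvss = cells[:5]
        advisories.append(Advisory(cve, title, exploited == "Yes",
                                   disclosed == "Yes", parse_score(cvss)))
    return advisories


def tier(a: Advisory) -> int:
    """Lower tier patches sooner. The Log4Shell rule and the bump follow the
    post; the exploited-first rule and the CVSS proxy are assumptions."""
    if a.exploited or any(p in a.title for p in LOG4SHELL_PRODUCTS):
        return 0
    if a.cve in MANUAL_BUMPS or (a.is_rce and a.cvss is not None
                                 and a.cvss >= CRITICAL_CVSS):
        return 1
    if a.disclosed:
        return 2
    return 3


def prioritise(advisories: List[Advisory]) -> List[Advisory]:
    # Within a tier, highest CVSS first; unscored rows sink to the bottom.
    return sorted(advisories,
                  key=lambda a: (tier(a), -(a.cvss if a.cvss is not None else -1.0)))


def patch_order(text: str) -> List[str]:
    return [a.cve for a in prioritise(parse_rows(text))]


if __name__ == "__main__":
    for a in prioritise(parse_rows(SAMPLE_ROWS)):
        print(f"tier {tier(a)}  {a.cve:16} {a.cvss!s:>5}  {a.title}")
```

Paste the full tables below into SAMPLE_ROWS to triage the whole release; the parser ignores header rows, so the section headings and repeated column headers do not need to be stripped first.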
Summary tables
Apps Vulnerabilities
CVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ? |
CVE-2021-43890 | Windows AppX Installer Spoofing Vulnerability | Yes | Yes | 7.1 | Yes |
CVE-2021-43905 | Microsoft Office app Remote Code Execution Vulnerability | No | No | 9.6 | Yes |
Browser Vulnerabilities
CVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ? |
CVE-2021-4068 | Chromium: CVE-2021-4068 Insufficient validation of untrusted input in new tab page | No | No | N/A | Yes |
CVE-2021-4067 | Chromium: CVE-2021-4067 Use after free in window manager | No | No | N/A | Yes |
CVE-2021-4066 | Chromium: CVE-2021-4066 Integer underflow in ANGLE | No | No | N/A | Yes |
CVE-2021-4065 | Chromium: CVE-2021-4065 Use after free in autofill | No | No | N/A | Yes |
CVE-2021-4064 | Chromium: CVE-2021-4064 Use after free in screen capture | No | No | N/A | Yes |
CVE-2021-4063 | Chromium: CVE-2021-4063 Use after free in developer tools | No | No | N/A | Yes |
CVE-2021-4062 | Chromium: CVE-2021-4062 Heap buffer overflow in BFCache | No | No | N/A | Yes |
CVE-2021-4061 | Chromium: CVE-2021-4061 Type Confusion in V8 | No | No | N/A | Yes |
CVE-2021-4059 | Chromium: CVE-2021-4059 Insufficient data validation in loader | No | No | N/A | Yes |
CVE-2021-4058 | Chromium: CVE-2021-4058 Heap buffer overflow in ANGLE | No | No | N/A | Yes |
CVE-2021-4057 | Chromium: CVE-2021-4057 Use after free in file API | No | No | N/A | Yes |
CVE-2021-4056 | Chromium: CVE-2021-4056 Type Confusion in loader | No | No | N/A | Yes |
CVE-2021-4055 | Chromium: CVE-2021-4055 Heap buffer overflow in extensions | No | No | N/A | Yes |
CVE-2021-4054 | Chromium: CVE-2021-4054 Incorrect security UI in autofill | No | No | N/A | Yes |
CVE-2021-4053 | Chromium: CVE-2021-4053 Use after free in UI | No | No | N/A | Yes |
CVE-2021-4052 | Chromium: CVE-2021-4052 Use after free in web apps | No | No | N/A | Yes |
Developer Tools Vulnerabilities
CVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ? |
CVE-2021-43907 | Visual Studio Code WSL Extension Remote Code Execution Vulnerability | No | No | 9.8 | No |
CVE-2021-43908 | Visual Studio Code Spoofing Vulnerability | No | No | N/A | No |
CVE-2021-43891 | Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | No |
CVE-2021-43896 | Microsoft PowerShell Spoofing Vulnerability | No | No | 5.5 | No |
CVE-2021-43892 | Microsoft BizTalk ESB Toolkit Spoofing Vulnerability | No | No | 7.4 | No |
CVE-2021-43225 | Bot Framework SDK Remote Code Execution Vulnerability | No | No | 7.5 | No |
CVE-2021-43877 | ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability | No | No | 7.8 | No |
Device Vulnerabilities
CVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ? |
CVE-2021-43899 | Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability | No | No | 9.8 | Yes |
Microsoft Office Vulnerabilities
CVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ? |
CVE-2021-42295 | Visual Basic for Applications Information Disclosure Vulnerability | No | No | 5.5 | Yes |
CVE-2021-42320 | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 8.0 | Yes |
CVE-2021-43242 | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 7.6 | No |
CVE-2021-42309 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
CVE-2021-42294 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes |
CVE-2021-43255 | Microsoft Office Trust Center Spoofing Vulnerability | No | No | 5.5 | Yes |
CVE-2021-43875 | Microsoft Office Graphics Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
CVE-2021-42293 | Microsoft Jet Red Database Engine and Access Connectivity Engine Elevation of Privilege Vulnerability | No | No | 6.5 | Yes |
CVE-2021-43256 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
System Center Vulnerabilities
CVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ? |
CVE-2021-43882 | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 9.0 | Yes |
CVE-2021-42311 | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
CVE-2021-42313 | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
CVE-2021-42314 | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
CVE-2021-42315 | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
CVE-2021-41365 | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
CVE-2021-42310 | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 8.1 | Yes |
CVE-2021-43889 | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 7.2 | Yes |
CVE-2021-43888 | Microsoft Defender for IoT Information Disclosure Vulnerability | No | No | 7.5 | Yes |
CVE-2021-42312 | Microsoft Defender for IoT Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
Windows Vulnerabilities
CVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ? |
CVE-2021-43247 | Windows TCP/IP Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No |
CVE-2021-43237 | Windows Setup Elevation of Privilege Vulnerability | No | No | 7.8 | No |
CVE-2021-43239 | Windows Recovery Environment Agent Elevation of Privilege Vulnerability | No | No | 7.1 | No |
CVE-2021-43231 | Windows NTFS Elevation of Privilege Vulnerability | No | No | 7.8 | No |
CVE-2021-43880 | Windows Mobile Device Management Elevation of Privilege Vulnerability | No | Yes | 5.5 | Yes |
CVE-2021-43244 | Windows Kernel Information Disclosure Vulnerability | No | No | 6.5 | Yes |
CVE-2021-43246 | Windows Hyper-V Denial of Service Vulnerability | No | No | 5.6 | No |
CVE-2021-43232 | Windows Event Tracing Remote Code Execution Vulnerability | No | No | 7.8 | No |
CVE-2021-43248 | Windows Digital Media Receiver Elevation of Privilege Vulnerability | No | No | 7.8 | No |
CVE-2021-43214 | Web Media Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
CVE-2021-43243 | VP9 Video Extensions Information Disclosure Vulnerability | No | No | 5.5 | Yes |
CVE-2021-43228 | SymCrypt Denial of Service Vulnerability | No | No | 7.5 | No |
CVE-2021-43227 | Storage Spaces Controller Information Disclosure Vulnerability | No | No | 5.5 | Yes |
CVE-2021-43235 | Storage Spaces Controller Information Disclosure Vulnerability | No | No | 5.5 | Yes |
CVE-2021-43240 | NTFS Set Short Name Elevation of Privilege Vulnerability | No | Yes | 7.8 | No |
CVE-2021-40452 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
CVE-2021-40453 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
CVE-2021-41360 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
CVE-2021-43219 | DirectX Graphics Kernel File Denial of Service Vulnerability | No | No | 7.4 | No |
Windows ESU Vulnerabilities
CVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ? |
CVE-2021-43215 | iSNS Server Memory Corruption Vulnerability Can Lead to Remote Code Execution | No | No | 9.8 | Yes |
CVE-2021-43238 | Windows Remote Access Elevation of Privilege Vulnerability | No | No | 7.8 | No |
CVE-2021-43223 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 7.8 | No |
CVE-2021-41333 | Windows Print Spooler Elevation of Privilege Vulnerability | No | Yes | 7.8 | No |
CVE-2021-43229 | Windows NTFS Elevation of Privilege Vulnerability | No | No | 7.8 | No |
CVE-2021-43230 | Windows NTFS Elevation of Privilege Vulnerability | No | No | 7.8 | No |
CVE-2021-40441 | Windows Media Center Elevation of Privilege Vulnerability | No | No | 7.8 | No |
CVE-2021-43883 | Windows Installer Elevation of Privilege Vulnerability | No | Yes | 7.8 | No |
CVE-2021-43234 | Windows Fax Service Remote Code Execution Vulnerability | No | No | 7.8 | No |
CVE-2021-43217 | Windows Encrypting File System (EFS) Remote Code Execution Vulnerability | No | No | 8.1 | Yes |
CVE-2021-43893 | Windows Encrypting File System (EFS) Elevation of Privilege Vulnerability | No | Yes | 7.5 | No |
CVE-2021-43245 | Windows Digital TV Tuner Elevation of Privilege Vulnerability | No | No | 7.8 | No |
CVE-2021-43224 | Windows Common Log File System Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes |
CVE-2021-43226 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No |
CVE-2021-43207 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No |
CVE-2021-43233 | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 7.5 | No |
CVE-2021-43222 | Microsoft Message Queuing Information Disclosure Vulnerability | No | No | 7.5 | Yes |
CVE-2021-43236 | Microsoft Message Queuing Information Disclosure Vulnerability | No | No | 7.5 | Yes |
CVE-2021-43216 | Microsoft Local Security Authority Server (lsasrv) Information Disclosure Vulnerability | No | No | 6.5 | Yes |