This month, a flaw in the Apache Log4j library causes panic, and Microsoft patches 67 new CVEs, 7 of which are rated Critical. Adobe also delivers a boatload of patches to finish off the year in style. So, let’s get started!
Let’s start this month by talking about Log4Shell, a recently discovered vulnerability in a Java logging library called Apache Log4j. It could allow remote code execution on applications and servers that use the library. An attacker could compromise a device by sending a specially crafted string to the affected server or application. The main issue with this flaw is that Log4j is widely used, so it could affect literally hundreds of thousands of servers and applications.
Because of the sheer number of applications and servers that might be affected, whether it be an Apache webserver or a game like Minecraft, there’s a chance that you will be impacted by this vulnerability even if you are a Microsoft shop. The bug is already being exploited in the wild, so you’ll need to check your servers and apps, find out if the vendors have shipped patches, and then update accordingly.
Trend Micro has released a useful tool that allows you to scan your environment for systems affected by the Apache Log4j vulnerability.
Microsoft released fixes for 67 CVEs in various products this month. There were also 16 CVEs patched in Microsoft Edge at the beginning of December. Of the 67, 7 are rated Critical and 60 are labelled Important. One of the bugs is actively being exploited: a spoofing bug in the Windows AppX Installer that can be used to remotely run code in the context of the logged-in user. It’s being actively used by the Emotet family of malware.
A remote code execution vulnerability in the Internet Storage Name Service (iSNS) server can be exploited by an attacker using a specially crafted request. The iSNS protocol is used by Windows to discover and manage iSCSI disk devices on storage area networks (SANs).
A remote code execution bug in the Microsoft 4K Wireless Display Adapter gets patched this month. The attacker would have to be on the same network as the display adapter to leverage this flaw. The bug is difficult to patch because admins will need to install the Microsoft Wireless Display Adapter app from the Microsoft Store on a system connected to a physical Microsoft 4K Wireless Display Adapter. Once connected and set up, the app can be used to download the updated firmware to the adapter.
A bug in Microsoft SharePoint Server could let an attacker elevate privileges and run code in the context of the service account. For this to work, an attacker would require Manage Lists rights on a SharePoint site. If successful, an attacker could run arbitrary server-side web controls. Any user setting up a new SharePoint site gets Manage Lists rights.
A bug in the Microsoft Office app could let an attacker run code remotely on an affected system. The Microsoft Office app should be automatically updated on endpoints via the Microsoft Store, providing you haven’t disabled automatic app updates.
Here is a complete list of patched Microsoft vulnerabilities released 14th December 2021:
Table 1 – December 14th, 2021, Patch Tuesday patched vulnerabilities
Product | Impact | Severity | Article | Details |
Microsoft Edge (Chromium-based) | | | Release Notes | CVE-2021-4102 |
Microsoft Edge (Chromium-based) | | | Release Notes | CVE-2021-4101 |
Microsoft Edge (Chromium-based) | | | Release Notes | CVE-2021-4100 |
Microsoft Edge (Chromium-based) | | | Release Notes | CVE-2021-4099 |
Microsoft Edge (Chromium-based) | | | Release Notes | CVE-2021-4098 |
Microsoft BizTalk ESB Toolkit 2.3 | Spoofing | Important | 5009301 | CVE-2021-43892 |
Visual Studio Code | Spoofing | Important | Release Notes | CVE-2021-43908 |
Office app | Remote Code Execution | Critical | Release Notes | CVE-2021-43905 |
Microsoft 4K Wireless Display Adapter | Remote Code Execution | Critical | Description | CVE-2021-43899 |
PowerShell 7.2 | Spoofing | Important | Release Notes | CVE-2021-43896 |
Windows Server 2012 R2 (Server Core installation) | Elevation of Privilege | Important | 5008263 | CVE-2021-43893 |
ASP.NET Core 6.0 | Elevation of Privilege | Important | Release Notes | CVE-2021-43877 |
Visual Studio Code | Remote Code Execution | Important | Release Notes | CVE-2021-43891 |
Microsoft Defender for IoT | Remote Code Execution | Important | Release Notes | CVE-2021-43889 |
Microsoft Defender for IoT | Information Disclosure | Important | Release Notes | CVE-2021-43888 |
Windows Server 2012 R2 (Server Core installation) | Elevation of Privilege | Important | 5008263 | CVE-2021-43883 |
Microsoft Defender for IoT | Remote Code Execution | Important | Release Notes | CVE-2021-41365 |
Microsoft Defender for IoT | Remote Code Execution | Important | Release Notes | CVE-2021-42315 |
Microsoft Defender for IoT | Remote Code Execution | Important | Release Notes | CVE-2021-42314 |
Microsoft Defender for IoT | Remote Code Execution | Important | Release Notes | CVE-2021-42313 |
Microsoft Defender for IoT | Elevation of Privilege | Important | Release Notes | CVE-2021-42312 |
Microsoft Defender for IoT | Remote Code Execution | Important | Release Notes | CVE-2021-42311 |
Microsoft Defender for IoT | Remote Code Execution | Critical | Release Notes | CVE-2021-42310 |
Microsoft Defender for IoT | Remote Code Execution | Important | Release Notes | CVE-2021-43882 |
Windows 11 for ARM64-based Systems | Elevation of Privilege | Important | 5008215 | CVE-2021-43880 |
Microsoft Office LTSC 2021 for 32-bit editions | Remote Code Execution | Important | Click to Run | CVE-2021-43875 |
Microsoft Office Web Apps Server 2013 Service Pack 1 | Remote Code Execution | Important | 5002103 | CVE-2021-43256 |
Microsoft Office 2013 Service Pack 1 (64-bit editions) | Spoofing | Important | 5002101 | CVE-2021-43255 |
Windows Server 2012 R2 (Server Core installation) | Elevation of Privilege | Important | 5008263 | CVE-2021-43248 |
Windows 10 Version 21H2 for x64-based Systems | Elevation of Privilege | Important | 5008212 | CVE-2021-43247 |
Windows 10 Version 21H2 for x64-based Systems | Denial of Service | Important | 5008212 | CVE-2021-43246 |
Windows Server 2012 R2 (Server Core installation) | Elevation of Privilege | Important | 5008263 | CVE-2021-43245 |
Windows 10 Version 21H2 for x64-based Systems | Information Disclosure | Important | 5008212 | CVE-2021-43244 |
VP9 Video Extensions | Information Disclosure | Important | | CVE-2021-43243 |
Windows 10 Version 21H2 for x64-based Systems | Elevation of Privilege | Important | 5008212 | CVE-2021-43240 |
Windows 10 Version 21H2 for x64-based Systems | Elevation of Privilege | Important | 5008212 | CVE-2021-43239 |
Windows Server 2012 R2 (Server Core installation) | Elevation of Privilege | Important | 5008263 | CVE-2021-43238 |
Windows 10 Version 21H2 for x64-based Systems | Elevation of Privilege | Important | 5008212 | CVE-2021-43237 |
Windows Server 2012 R2 (Server Core installation) | Information Disclosure | Important | 5008263 | CVE-2021-43236 |
Windows Server 2016 (Server Core installation) | Information Disclosure | Important | 5008207 | CVE-2021-43235 |
Windows Server 2012 R2 (Server Core installation) | Remote Code Execution | Important | 5008263 | CVE-2021-43234 |
Windows Server 2012 R2 (Server Core installation) | Remote Code Execution | Critical | 5008263 | CVE-2021-43233 |
Windows Server 2012 R2 (Server Core installation) | Remote Code Execution | Important | 5008263 | CVE-2021-43232 |
Windows Server 2016 (Server Core installation) | Elevation of Privilege | Important | 5008207 | CVE-2021-43231 |
Windows Server 2012 R2 (Server Core installation) | Elevation of Privilege | Important | 5008263 | CVE-2021-43230 |
Windows Server 2012 R2 (Server Core installation) | Elevation of Privilege | Important | 5008263 | CVE-2021-43229 |
Windows 10 Version 21H2 for x64-based Systems | Denial of Service | Important | 5008212 | CVE-2021-43228 |
Windows Server 2016 (Server Core installation) | Information Disclosure | Important | 5008207 | CVE-2021-43227 |
Windows Server 2012 R2 (Server Core installation) | Elevation of Privilege | Important | 5008263 | CVE-2021-43226 |
Bot Framework SDK for .NET Framework | Remote Code Execution | Important | Advisory | CVE-2021-43225 |
Windows Server 2012 R2 (Server Core installation) | Information Disclosure | Important | 5008263 | CVE-2021-43224 |
Windows Server 2012 R2 (Server Core installation) | Elevation of Privilege | Important | 5008263 | CVE-2021-43223 |
Windows Server 2012 R2 (Server Core installation) | Information Disclosure | Important | 5008263 | CVE-2021-43222 |
Windows Server 2012 R2 (Server Core installation) | Remote Code Execution | Critical | 5008263 | CVE-2021-43217 |
Windows Server 2012 R2 (Server Core installation) | Information Disclosure | Important | 5008263 | CVE-2021-43216 |
Windows Server 2012 R2 (Server Core installation) | Remote Code Execution | Critical | 5008263 | CVE-2021-43215 |
Raw Image Extension | Remote Code Execution | Important | | CVE-2021-43214 |
Microsoft SharePoint Server Subscription Edition | Spoofing | Important | 5002045 | CVE-2021-42320 |
Microsoft Office 2013 Service Pack 1 (64-bit editions) | Information Disclosure | Important | 4486726 | CVE-2021-42295 |
Microsoft Office 2013 Service Pack 1 (64-bit editions) | Elevation of Privilege | Important | 5002104 | CVE-2021-42293 |
HEVC Video Extensions | Remote Code Execution | Important | | CVE-2021-41360 |
App Installer | Spoofing | Important | Release Notes | CVE-2021-43890 |
Microsoft SharePoint Foundation 2013 Service Pack 1 | Remote Code Execution | Important | 5002071 | CVE-2021-42294 |
Windows Server 2012 R2 (Server Core installation) | Elevation of Privilege | Important | 5008263 | CVE-2021-41333 |
HEVC Video Extensions | Remote Code Execution | Important | | CVE-2021-40453 |
HEVC Video Extensions | Remote Code Execution | Important | | CVE-2021-40452 |
Windows Server 2012 R2 (Server Core installation) | Elevation of Privilege | Important | 5008263 | CVE-2021-40441 |
Visual Studio Code WSL Extension | Remote Code Execution | Critical | Release Notes | CVE-2021-43907 |
Microsoft SharePoint Foundation 2013 Service Pack 1 | Spoofing | Important | 5002071 | CVE-2021-43242 |
Microsoft SharePoint Foundation 2013 Service Pack 1 | Remote Code Execution | Important | 5002071 | CVE-2021-42309 |
Windows Server 2012 R2 (Server Core installation) | Elevation of Privilege | Important | 5008263 | CVE-2021-43207 |
Windows 10 Version 21H2 for x64-based Systems | Denial of Service | Important | 5008212 | CVE-2021-43219 |
Adobe has released 11 patches this month to plug flaws identified in 60 CVEs, covering Adobe Audition, Lightroom, Media Encoder, Premiere Pro, Prelude, Dimension, After Effects, Photoshop, Connect, Experience Manager, and Premiere Rush. None of the flaws addressed by these updates are being actively exploited by attackers.
Organizations looking to deploy this month’s patches should conduct thorough testing before deploying them widely on production systems. That said, applying the patches widely shouldn’t be delayed longer than necessary as hackers start to work out how to weaponize newly reported vulnerabilities.
Best practice is to make sure you have backed up systems before applying updates. Every month, users experience issues with Windows updates that lead to systems not booting, application and hardware compatibility issues, or even data loss in extreme cases.
There are backup tools built into Windows and Windows Server that you can use to restore systems in the event a patch causes a problem. The backup features in Windows can be used to restore an entire system, or files and folders on a granular basis.
If you have any problems with this month’s patches, please let us know in the comments below. Other readers might be able to share their experiences in how to roll back problematic updates or mitigate issues caused by patches that are important to have in place.
But that is it for another month and happy patching!