Date: 2021-12

This month's Patch Tuesday comes in the middle of a global effort to mitigate Apache Log4j CVE-2021-44228. In today's security release, Microsoft issued fixes for 83 vulnerabilities across an array of products, including a fix for Windows Defender for IoT, which is vulnerable to CVE-2021-44228 amongst seven other remote code execution (RCE) vulnerabilities (the cloud service is not affected). Six CVEs in the bulletin have been publicly disclosed; the only vulnerability noted as being exploited in the wild in this month's release is CVE-2021-43890, a Windows AppX Installer spoofing bug that may aid in social engineering attacks and has evidently been used in Emotet malware campaigns.

Interestingly, this round of fixes also includes CVE-2021-43883, a Windows Installer privilege escalation bug whose advisory is sparse despite the fact that it appears to affect all supported versions of Windows. While there's no indication in the advisory that the two vulnerabilities are related, CVE-2021-43883 looks an awful lot like the fix for a zero-day vulnerability that made a splash in the security community last month after proof-of-concept exploit code was released and in-the-wild attacks began. The zero-day vulnerability, which researchers hypothesized was a patch bypass for CVE-2021-41379, allowed low-privileged attackers to overwrite protected files and escalate to SYSTEM. Rapid7's vulnerability research team did a full root cause analysis of the bug as attacks ramped up in November.

As usual, RCE flaws figure prominently in the "Critical"-rated CVEs this month. In addition to Windows Defender for IoT, critical RCE bugs were fixed this month in Microsoft Office, Microsoft Devices, Internet Storage Name Service (iSNS), and the WSL extension for Visual Studio Code. Given the outsized risk presented by most vulnerable implementations of Log4Shell, administrators should prioritize patches for any products affected by CVE-2021-44228. Past that, put critical server-side and OS RCE patches at the top of your list, and we'd advise sneaking in the fix for CVE-2021-43883 despite its lower severity rating.

| CVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ? |
| --- | --- | --- | --- | --- | --- |
| CVE-2021-43890 | Windows AppX Installer Spoofing Vulnerability | Yes | Yes | 7.1 | Yes |
| CVE-2021-43905 | Microsoft Office app Remote Code Execution Vulnerability | No | No | 9.6 | Yes |

| CVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ? |
| --- | --- | --- | --- | --- | --- |
| CVE-2021-4068 | Chromium: CVE-2021-4068 Insufficient validation of untrusted input in new tab page | No | No | N/A | Yes |
| CVE-2021-4067 | Chromium: CVE-2021-4067 Use after free in window manager | No | No | N/A | Yes |
| CVE-2021-4066 | Chromium: CVE-2021-4066 Integer underflow in ANGLE | No | No | N/A | Yes |
| CVE-2021-4065 | Chromium: CVE-2021-4065 Use after free in autofill | No | No | N/A | Yes |
| CVE-2021-4064 | Chromium: CVE-2021-4064 Use after free in screen capture | No | No | N/A | Yes |
| CVE-2021-4063 | Chromium: CVE-2021-4063 Use after free in developer tools | No | No | N/A | Yes |
| CVE-2021-4062 | Chromium: CVE-2021-4062 Heap buffer overflow in BFCache | No | No | N/A | Yes |
| CVE-2021-4061 | Chromium: CVE-2021-4061 Type Confusion in V8 | No | No | N/A | Yes |
| CVE-2021-4059 | Chromium: CVE-2021-4059 Insufficient data validation in loader | No | No | N/A | Yes |
| CVE-2021-4058 | Chromium: CVE-2021-4058 Heap buffer overflow in ANGLE | No | No | N/A | Yes |
| CVE-2021-4057 | Chromium: CVE-2021-4057 Use after free in file API | No | No | N/A | Yes |
| CVE-2021-4056 | Chromium: CVE-2021-4056: Type Confusion in loader | No | No | N/A | Yes |
| CVE-2021-4055 | Chromium: CVE-2021-4055 Heap buffer overflow in extensions | No | No | N/A | Yes |
| CVE-2021-4054 | Chromium: CVE-2021-4054 Incorrect security UI in autofill | No | No | N/A | Yes |
| CVE-2021-4053 | Chromium: CVE-2021-4053 Use after free in UI | No | No | N/A | Yes |
| CVE-2021-4052 | Chromium: CVE-2021-4052 Use after free in web apps | No | No | N/A | Yes |

| CVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ? |
| --- | --- | --- | --- | --- | --- |
| CVE-2021-43907 | Visual Studio Code WSL Extension Remote Code Execution Vulnerability | No | No | 9.8 | No |
| CVE-2021-43908 | Visual Studio Code Spoofing Vulnerability | No | No | N/A | No |
| CVE-2021-43891 | Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | No |
| CVE-2021-43896 | Microsoft PowerShell Spoofing Vulnerability | No | No | 5.5 | No |
| CVE-2021-43892 | Microsoft BizTalk ESB Toolkit Spoofing Vulnerability | No | No | 7.4 | No |
| CVE-2021-43225 | Bot Framework SDK Remote Code Execution Vulnerability | No | No | 7.5 | No |
| CVE-2021-43877 | ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability | No | No | 7.8 | No |

| CVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ? |
| --- | --- | --- | --- | --- | --- |
| CVE-2021-43899 | Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability | No | No | 9.8 | Yes |

| CVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ? |
| --- | --- | --- | --- | --- | --- |
| CVE-2021-42295 | Visual Basic for Applications Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2021-42320 | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 8 | Yes |
| CVE-2021-43242 | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 7.6 | No |
| CVE-2021-42309 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2021-42294 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes |
| CVE-2021-43255 | Microsoft Office Trust Center Spoofing Vulnerability | No | No | 5.5 | Yes |
| CVE-2021-43875 | Microsoft Office Graphics Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-42293 | Microsoft Jet Red Database Engine and Access Connectivity Engine Elevation of Privilege Vulnerability | No | No | 6.5 | Yes |
| CVE-2021-43256 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes |

| CVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ? |
| --- | --- | --- | --- | --- | --- |
| CVE-2021-43882 | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 9 | Yes |
| CVE-2021-42311 | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2021-42313 | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2021-42314 | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2021-42315 | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2021-41365 | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2021-42310 | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 8.1 | Yes |
| CVE-2021-43889 | Microsoft Defender for IoT Remote Code Execution Vulnerability | No | No | 7.2 | Yes |
| CVE-2021-43888 | Microsoft Defender for IoT Information Disclosure Vulnerability | No | No | 7.5 | Yes |
| CVE-2021-42312 | Microsoft Defender for IOT Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |

| CVE | Vulnerability Title | Exploited | Publicly Disclosed? | CVSSv3 | Has FAQ? |
| --- | --- | --- | --- | --- | --- |
| CVE-2021-43247 | Windows TCP/IP Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-43237 | Windows Setup Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-43239 | Windows Recovery Environment Agent Elevation of Privilege Vulnerability | No | No | 7.1 | No |
| CVE-2021-43231 | Windows NTFS Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-43880 | Windows Mobile Device Management Elevation of Privilege Vulnerability | No | Yes | 5.5 | Yes |
| CVE-2021-43244 | Windows Kernel Information Disclosure Vulnerability | No | No | 6.5 | Yes |
| CVE-2021-43246 | Windows Hyper-V Denial of Service Vulnerability | No | No | 5.6 | No |
| CVE-2021-43232 | Windows Event Tracing Remote Code Execution Vulnerability | No | No | 7.8 | No |
| CVE-2021-43248 | Windows Digital Media Receiver Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-43214 | Web Media Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-43243 | VP9 Video Extensions Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2021-43228 | SymCrypt Denial of Service Vulnerability | No | No | 7.5 | No |
| CVE-2021-43227 | Storage Spaces Controller Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2021-43235 | Storage Spaces Controller Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2021-43240 | NTFS Set Short Name Elevation of Privilege Vulnerability | No | Yes | 7.8 | No |
| CVE-2021-40452 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-40453 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-41360 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-43219 | DirectX Graphics Kernel File Denial of Service Vulnerability | No | No | 7.4 | No |