CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

Microsoft has rolled out Patch Tuesday updates to address multiple security vulnerabilities in Windows and other software, including one actively exploited flaw that's being abused to deliver Emotet, TrickBot, or Bazaloader malware payloads.
The latest monthly release for December fixes a total of 67 flaws, bringing the total number of bugs patched by the company this year to 887, according to the Zero Day Initiative. Seven of the 67 flaws are rated Critical and 60 are rated as Important in severity, with five of the issues publicly known at the time of release. It's worth noting that this is in addition to the 21 flaws resolved in the Chromium-based Microsoft Edge browser.
The most critical of the lot is CVE-2021-43890 (CVSS score: 7.1), a Windows AppX installer spoofing vulnerability that Microsoft said could be exploited to achieve arbitrary code execution. The lower severity rating is indicative of the fact that code execution hinges on the logged-on user level, meaning "users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
The Redmond-based tech giant noted that an adversary could leverage the flaw by crafting a malicious attachment that's then used as part of a phishing campaign to trick the recipients into opening the email attachment. Sophos security researchers Andrew Brandt as well as Rick Cole and Nick Carr of the Microsoft Threat Intelligence Center (MSTIC) have been credited with reporting the vulnerability.
"Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/ Trickbot/ Bazaloader," the company further added. The development comes as Emotet malware campaigns are witnessing a surge in activity after more than a 10-month-long hiatus following a coordinated law enforcement effort to disrupt the botnet's reach.
Other flaws that are publicly known are below:
The December patch also comes with remediations for 10 remote code execution flaws in Defender for IoT, in addition to critical bugs affecting iSNS Server (CVE-2021-43215), 4K Wireless Display Adapter (CVE-2021-43899), Visual Studio Code WSL Extension (CVE-2021-43907), Office app (CVE-2021-43905), Windows Encrypting File System (CVE-2021-43217), Remote Desktop Client (CVE-2021-43233), and SharePoint Server (CVE-2021-42309).
Besides Microsoft, security updates have also been released by other vendors to rectify several vulnerabilities, including:
Furthermore, numerous security advisories have been released by dozens of companies for the actively exploited Log4j remote code execution vulnerability that could allow a complete takeover of affected systems.