Critical bugs could go unpatched amid Log4j concern

As IT administrators scramble to address the high-profile Log4j security bug, other potentially serious security vulnerabilities are being disclosed and potentially left unpatched.

Lost in the hype of the Java remote code execution flaw was the release of December's Patch Tuesday bundle from, among others, Microsoft, Adobe and Apple. Among the fixes were seven Microsoft bugs rated as "critical" and given CVSS scores of 7 or higher.

One of the Patch Tuesday flaws, CVE-2021-43890, is already under active exploit by criminal hackers spreading the Emotet malware. That bug, present in the Windows AppX Installer, is exploited by way of attachments in phishing emails.

Normally, such bugs would be immediate priorities for administrators and security teams. However, with the Log4jShell vulnerability dominating headlines and occupying defenders, these critical vulnerabilities run the risk of being overlooked.

Jake Baines, lead security researcher at Rapid7, told SearchSecurity that in many cases, companies simply won't have enough people or time to deal with both the Log4j flaw and the December Patch Tuesday releases.

"People only have so much bandwidth, and I know a lot of people have been just heads down on Log4j stuff," he noted. "It is a very busy time for everyone."

Baines said that part of the problem was the extent to which the Log4j reaches. The Java logging tool is widely used and in many cases administrators are not even aware of its presence on their apps, let alone whether it can be remotely accessed and exploited.

"Because of where the vulnerability resides and how it gets exploited, we don't even know the set of products that are truly exploitable," he explained.

"There are a number of products that have the vulnerable code but they are not exploitable."

Dustin Childs, communications manager with the Trend Micro Zero Day Initiative, told SearchSecurity that unlike Patch Tuesday's definitive identification and update process, Log4j leaves companies with an open-ended process.

"With something like Patch Tuesday, there is a finish line. There comes a point where you can go to your boss and say, 'We have patched everything,'" he explained.  "With Log4j, we can't say that."

Childs said that while executives may be fixated on high-profile bugs like Log4j, a company's own network could be more prone to attack for other flaws, including those exposed on Patch Tuesday.

"One of the toughest problems as a defender is explaining to management what the risk is," said Childs. "The underlying question is 'What is our risk for this?' Defenders need to be able to explain the risks to their enterprise."