icetray - Fotolia

Microsoft squashes Windows zero-day on October Patch Tuesday

In addition to the publicly exploited bug, Microsoft corrected 76 flaws, including four that had been publicly disclosed, in this month's batch of security updates.

Despite a deceiving severity rating, a Windows zero-day should be high on the priority list of administrators sifting through the October Patch Tuesday security updates.

This month, Microsoft released corrections for 76 unique vulnerabilities, including two flaws it had addressed in earlier Patch Tuesday releases. While only rated important by Microsoft, admins should expedite the fixes for systems at risk to the Win32k elevation-of-privilege vulnerability (CVE-2021-40449). This flaw had been actively exploited prior to the security update's availability and affects all supported Windows OSes, including the newly released client and server products Windows 11 and Windows Server 2022.

Chris GoettlChris Goettl

While other companies, such as Adobe, will change the priority ranking for a security update if it's under active attack, Microsoft does not alter the severity level based on those circumstances, even when its own assessment shows exploitation detected. Because many organizations typically look at the severity rating and the Common Vulnerability Scoring System (CVSS) to prioritize the deployment of patches, this Win32k flaw might not get prompt attention because it has a severity rating lower than critical.

This tendency to overlook these types of vulnerabilities is one reason why more organizations have been shifting to a risk-based vulnerability management system, according to Chris Goettl, vice president of product management at Ivanti, an IT asset and endpoint management company.

"Microsoft's way of rating this bug is this is not a vulnerability that can be exploited remotely, you can't target a user to exploit it, [and] the attacker has to gain control of a system and then be able to execute code to exploit this. Well, for most ransomware attacks, that's going to be the circumstances. For any advanced persistent threat, that's going to be the circumstances,"Goettl said. "It's a big blind spot for organizations if they don't go to a more robust way of assessing risk or exposure in their environment."

Microsoft corrects four publicly disclosed vulnerabilities

Microsoft also issued security updates for four publicly disclosed bugs, one of which is a revised security update from July.

CVE-2021-41338 is a Windows AppContainer firewall rules security feature bypass vulnerability rated important for most supported Windows server and desktop products. No user interaction is required to exploit the vulnerability.

CVE-2021-41335 is a Windows kernel elevation-of-privilege vulnerability rated important with a CVSS of 7.8 that affects most supported Windows OSes. The threat actor would need local access to the system and then have to run a specially crafted program to overtake the machine. This would then enable them to perform a range of other actions, such as deleting data or installing programs.

CVE-2021-40469 is Windows DNS Server remote code execution vulnerability rated important that affects all supported Windows Server products. On an unpatched system, the exploit will only affect a server configured with the DNS Server role. The attacker needs network access and administrative privileges to use the exploit.

Due to the availability of proof-of-concept code for all these vulnerabilities, administrators should put an emphasis on deploying patches for the affected systems.

"There is enough code out there for somebody to know how to exploit it. It won't require a huge amount of effort to take that exploit and figure out a way to wrap it in a delivery system to take advantage of it," Goettl said.

The last public disclosure is CVE-2021-33781, an Azure Active Directory security feature bypass vulnerability rated important that affects most later supported versions of Windows desktop and server systems. Microsoft originally distributed a patch for this flaw on July Patch Tuesday. The company revised the patch to update the number of affected versions of Windows.

Four Exchange Server vulnerabilities fixed

The on-premises Exchange Server messaging platform continues to tempt attackers looking to gain a foothold into enterprise networks. Microsoft resolved four vulnerabilities (CVE-2021-41350, CVE-2021-41348, CVE-2021-34453 and CVE-2021-26427) rated important for Exchange Server 2016/2019 products.

Administrators will want to pay particular attention to remediating the remote-code execution vulnerability (CVE-2021-26427) with its relatively high CVSS score of 9.0. Microsoft acknowledged the National Security Agency for reporting the bug. Unlike the more severe Exchange vulnerabilities from earlier this year, attackers cannot use CVE-2021-26427 to launch attacks directly from the internet -- they must already have access to the network.

"This vulnerability's attack is limited at the protocol level to a logically adjacent topology. This means it cannot simply be done across the internet, but instead needs something specific tied to the target. Good examples would include the same shared physical network (such as Bluetooth or IEEE 802.11), logical network (local IP subnet), or from within a secure or otherwise limited administrative domain (MPLS, secure VPN to an administrative network zone)," wrote Microsoft in the CVE's notes. "This is common to many attacks that require man-in-the-middle type setups or that rely on initially gaining a foothold in another environment."

Exchange Server is notoriously difficult to maintain due to its complexity and importance to the enterprise. The email system cannot be down for any significant length of time, which makes IT less than enthusiastic to deploy its patches, particularly if the mitigation process requires additional steps to fully resolve the problem. Some organizations cannot move to a cloud-based email platform due to a reliance on customized applications or sensitive data concerns. In an effort to protect Exchange customers from attackers, Microsoft released the Microsoft Exchange Emergency Mitigation service with its September cumulative update for Exchange Server.

The automated tool is not a replacement for installing security updates, but a stop-gap measure to automatically install temporary corrections to prevent emerging threats from breaching the Exchange Server system.

"Since in the future mitigations may be released at any time, we chose to have the [Emergency Mitigation] service check for mitigations hourly. A mitigation is an action or set of actions used to secure an Exchange server from a known threat," wrote Microsoft on its Exchange Team blog. "If Microsoft learns about a security threat and we create a mitigation for the issue, that mitigation can be sent directly to the Exchange server, which would automatically implement the pre-configured settings."

Dig Deeper on Windows Server OS and management

Cloud Computing
Enterprise Desktop
Virtual Desktop