icetray - Fotolia
Despite correcting a Windows zero-day, the December Patch Tuesday security updates were overshadowed by administrators' attempts to resolve the Log4Shell flaw.
Microsoft issued fixes for 67 new vulnerabilities, seven rated critical, with four older flaws getting a re-release for a total of 71 CVEs for December Patch Tuesday. But a Java-based bug that affects numerous applications and server systems eclipsed news of Microsoft's monthly security updates release.
On Dec. 9, the Apache Software Foundation patched a remote code execution vulnerability (CVE-2021-44228) in its popular Apache Log4j logging tool used by developers of Java applications. Dubbed Log4Shell, the vulnerability affects a wide number of enterprise technologies, such as microservices and back-end systems. Despite the availability of a patch, administrators do not have a straightforward way to remediate this in their infrastructure.
"This vulnerability is in a development library. It's part of an application, so you can't just go out and patch this individual component," said Chris Goettl, vice president of product management at Ivanti, an IT asset and endpoint management company. "Every one of the vendors that are using this have to fix the problem in their own products. And it's not easy to do."
With a Common Vulnerability Scoring System (CVSS) score of 10 out of 10 for the highest possible severity level, the pressure is on administrators to ferret out this vulnerability, which can be pervasive in organizations that make heavy use of open source software on their servers or even SaaS apps. Compounding the stress is how difficult it is to find which software uses the logging tool, which runs on both Windows and Linux systems, and the minimal effort an unauthenticated threat actor needs to exploit the vulnerability.
"It's a very easy three-step process, and boom, you've just compromised a server and you can do what you want," Goettl said.
The Microsoft Security Response Center released a blog to assist IT workers with mitigation instructions for several products, including Azure App Service, Azure Functions and Azure Active Directory, and also provided workarounds for other affected technologies without a security update for the CVE.
"As many Java-based applications can leverage Log4j 2, organizations should contact application vendors or ensure their Java applications are running the latest up-to-date version. Developers using Log4j 2 should ensure that they are incorporating the latest version of Log4j into their applications as soon as possible in order to protect users and organizations," the blog said.
Windows zero-day headlines December Patch Tuesday security fixes
Microsoft addressed the Windows AppX Installer zero-day (CVE-2021-43890) to prevent attacks based on the BazaLoader/Emotet/Trickbot malware family. This flaw, rated important, was one of six publicly disclosed vulnerabilities.
Because this vulnerability requires user interaction, a threat actor would have to convince the recipient to open a specially crafted package, such as an email attachment, to trigger the exploit. Administrators may want to go further with Microsoft's guidance and tighten security on user machines through a group policy object that blocks user installs or only allows trusted apps to install. Goettl recommends these steps because updates from the Microsoft Store can be problematic.
"The Microsoft Store apps are supposed to update themselves, but that doesn't always work consistently. Also, detection of the update can be a challenge because there is no consolidated way to visually see all the apps from the store are up to date," he said.
Researcher publicizes Windows Installer vulnerability
Microsoft released a security update on November Patch Tuesday to correct a Windows Installer elevation-of-privilege vulnerability (CVE-2021-41379) rated important for Windows desktop and server systems. But a security researcher said the patch did not completely remedy the flaw and, while conducting a deeper look at the patch, he uncovered a variant of the Windows Installer bug.
Abdelhamid Naceri released proof-of-concept code called InstallerFileTakeOver that takes advantage of a flaw in all Windows systems, including the newest OSes Windows 11 and Windows Server 2022, that bypasses group policy settings to block standard users from access to the administrative install function. December Patch Tuesday resolves a Windows Installer elevation-of-privilege vulnerability (CVE-2021-43883) which appears to be Naceri's variant, although he is not credited in the CVE notes. Microsoft acknowledged Naceri this month for his work to develop security updates for a Windows Remote Access elevation-of-privilege vulnerability (CVE-2021-43238) and a Windows Setup elevation-of-privilege vulnerability (CVE-2021-43237).
Other security updates of note from December Patch Tuesday
A Microsoft Office app remote-code execution vulnerability (CVE-2021-43905) rated critical has a CVSS score of 9.6. Microsoft's CVE FAQ indicated the preview pane is not an attack vector -- user interaction is required -- and the Microsoft Store should issue the correction automatically.
A Visual Studio Code Windows Subsystem for Linux Extension remote-code execution vulnerability (CVE-2021-43907) rated critical has a CVSS score of 9.8. Administrators should roll out Version 0.63.11 of the Remote-WSL extension to prevent an exploit.
An Internet Storage Name Service (iSNS) Server memory corruption/remote-code execution vulnerability (CVE-2021-43215) rated critical with a CVSS score of 9.8 affects supported Windows systems, except for Windows 11 and Windows Server 2022. The threat actor on the network could send a specially crafted request to the iSNS Server, which are typically used to help iSCSI devices on a storage area network find each other.