Patch Tuesday Roundup – December 2021

Winter is coming. At least that’s the case here in Texas; in some parts of the country and world, it’s already here. ‘Tis the season that brings hackers and attackers out in force, but there are ways to thwart their dastardly plans and prevent them from ruining your holiday fun.

As we wrap up another year (while wondering how it went by so quickly), it’s traditional to look back over the past eleven and a half months and reflect on what we’ve learned.

2020 and the pandemic brought about a paradigm shift in the corporate work world as “work from home” became not the exception, but the rule. Even as Covid restrictions eased and some places returned to almost-normal in 2021, the trend continued. Businesses and employees alike have discovered the benefits (and addressed the challenges) of remote work. It appears to be here to stay, so it’s important to consider our security strategies through that lens.

Keeping systems and devices that connect to the network, no matter where they’re physically located, up to date with security patches is the first line of defense against the onslaught of threats that are waiting just around the corner in 2022 – including continuing supply chain attacks, the cyber cold war, scaled-up data breaches, and more.

Let’s take a look at the security updates released on December 14.

Overview

  • As usual, you can download the Excel spreadsheet from the Microsoft Security Update Guide web site for a full list of the December releases. This month’s updates apply to a broad range of Microsoft products, features, and roles, including Apps, ASP.NET Core & Visual Studio, Azure Bot Framework SDK, BizTalk ESB Toolkit, Internet Storage Name Service, Microsoft Defender for IoT, Microsoft Devices, Microsoft Edge (Chromium-based), Microsoft Local Security Authority Server (lsasrv), Microsoft Message Queuing, Microsoft Office, Microsoft Office Access, Microsoft Office Excel, Microsoft Office SharePoint, Microsoft PowerShell, Microsoft Windows Codecs Library, Office Developer Platform, Remote Desktop Client, Role: Windows Fax Service, Role: Windows Hyper-V, Visual Studio Code, Visual Studio Code – WSL Extension, Windows Common Log File System Driver, Windows Digital TV Tuner, Windows DirectX, Windows Encrypting File System (EFS), Windows Event Tracing, Windows Installer, Windows Kernel, Windows Media, Windows Mobile Device Management, Windows NTFS, Windows Print Spooler Components, Windows Remote Access Connection Manager, Windows Storage, Windows Storage Spaces Controller, Windows SymCrypt, Windows TCP/IP, and Windows Update Stack.

Many of the CVEs that are addressed include mitigations, workarounds, or FAQs that may be relevant to specific cases, so be sure to check those out if you are unable to install the updates due to compatibility or other reasons. Known issues are addressed in the Release Notes.

This month’s updates include fixes for a total of sixty-seven vulnerabilities across the above products. As usual, in this blog post we’ll focus on the zero day and critical issues since they pose the greatest threat.

Critical and exploited vulnerabilities

Zero day vulnerabilities are exploitable security flaws in software that are disclosed to the public or to attackers before they’re known to and patched by the software vendors. This year has seen an increase in the number of zero day disclosures and attacks, so we will look first at this month’s zero day vulnerabilities that have been fixed. This includes six vulnerabilities, but only one of them is reported as having been actively exploited.

Vulnerabilities being exploited in the wild

The following vulnerability has been detected as having already been exploited in the wild:

  • CVE-2021-43890 – Windows AppX Installer Spoofing Vulnerability. This is a remotely exploitable vulnerability at the protocol level (network attack vector). Attack complexity is high, thus a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution. Required privileges are low but user interaction is required. The exploit can result in a total loss of confidentiality, integrity, and availability. This is the only one of this month’s vulnerabilities that is known to have been exploited in the wild. Attacks have been launched using the Emotet

Other zero-day vulnerabilities patched

The following five vulnerabilities were publicly exposed prior to the release of a fix but have not, at the time of this writing, been detected as exploited in the wild:

  • CVE-2021-41333 – Windows Print Spooler Elevation of Privilege Vulnerability. This EoP issue has a local attack vector, so the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console) or remotely (e.g., SSH), or the attacker relies on user interaction. Attack complexity is low, as are privileges required. User interaction is not required if the attacker has local access. The exploit can result in a total loss of confidentiality, integrity, and availability.
  • CVE-2021-43240 – NTFS Set Short Name Elevation of Privilege Vulnerability. This EoP issue, like the one above, has a local attack vector, so the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console) or remotely (e.g., SSH), or the attacker relies on user interaction. Attack complexity is low, as are privileges required. User interaction is not required if the attacker has local access. The exploit can result in a total loss of confidentiality, integrity, and availability.
  • CVE-2021-43880 – Windows Mobile Device Management Elevation of Privilege Vulnerability. This is yet another EoP issue. Like those above, it has a local attack vector, attack complexity is low, and so are privileges required. User interaction is not required if the attacker has local access. The difference is that this exploit can result only in a total loss of availability; there is no loss of confidentiality or integrity.
  • CVE-2021-43883 – Windows Installer Elevation of Privilege Vulnerability. This proof-of-concept EoP issue exists in the Windows Installer component. Once again, it has a local attack vector, so the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console) or remotely (e.g., SSH), or the attacker relies on user interaction. Attack complexity is low, as are privileges required. User interaction is not required if the attacker has local access. The exploit can result in a total loss of confidentiality, integrity, and availability.
  • CVE-2021-43893 – Windows Encrypting File System (EFS) Elevation of Privilege Vulnerability. This last EoP vulnerability is in EFS. The attack vector is the network, so it can be remotely exploited at the protocol level. Attack complexity is high, thus a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution. Required privileges are low and no user interaction is required. The exploit can result in a total loss of confidentiality, integrity, and availability.

Other critical vulnerabilities patched

The following seven vulnerabilities this month were classified as critical but had not been disclosed or exploited prior to patch release:

  • CVE-2021-43907 – Visual Studio Code WSL Extension Remote Code Execution Vulnerability. This is an RCE issue with a network attack vector, so it can be remotely exploited at the protocol level. Attack complexity is low, no privileges are required and no user interaction is required. The exploit can result in a total loss of confidentiality, integrity, and availability.
  • CVE-2021-43215 – iSNS Server Memory Corruption Vulnerability Can Lead to Remote Code Execution. This is an RCE issue with a network attack vector, so it can be remotely exploited at the protocol level. Attack complexity is low, no privileges are required and no user interaction is required. The exploit can result in a total loss of confidentiality, integrity, and availability.
  • CVE-2021-43217 – Windows Encrypting File System (EFS) Remote Code Execution Vulnerability. This is another vulnerability in EFS, but this time it’s an RCE issue. The attack vector is the network, so it can be remotely exploited at the protocol level. Attack complexity is high, thus a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution. No privileges are required and no user interaction is required. The exploit can result in a total loss of confidentiality, integrity, and availability.
  • CVE-2021-43233 – Remote Desktop Client Remote Code Execution Vulnerability. This is another RCE issue, this time in the Remote Desktop (RDP) client component. The attack vector is the network, so it can be remotely exploited at the protocol level. Attack complexity is high, thus a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution. No privileges are required but user interaction is required.
  • CVE-2021-42310 – Microsoft Defender for IoT Remote Code Execution Vulnerability. This RCE issue exists in Defender for the Internet of Things. The attack vector is the network, so it can be remotely exploited at the protocol level. Attack complexity is high, thus a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution. No privileges are required and no user interaction is required. The exploit can result in a total loss of confidentiality, integrity, and availability.
  • CVE-2021-43899 – Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability. This RCE issue exists in the Microsoft 4K Wireless Display Adapter and has a network attack vector, so it can be remotely exploited at the protocol level. Attack complexity is low, no privileges are required and no user interaction is required. The exploit can result in a total loss of confidentiality, integrity, and availability.
  • CVE-2021-43905 – Microsoft Office app Remote Code Execution Vulnerability. This RCE issue exists in the Microsoft Office app and has a network attack vector, so it can be remotely exploited at the protocol level. Attack complexity is low and no privileges are required, but user interaction is required. The exploit can result in a total loss of confidentiality, integrity, and availability.

Important and moderate updates

In addition to the critical and zero-day updates listed above, this month’s patches address a number of vulnerabilities that are rated important. These include elevation of privilege, information disclosure, spoofing, and remote code execution issues. You can find the full list in the Security Updates Guide. The following are a few of note:

  • CVE-2021-43219 – DirectX Graphics Kernel File Denial of Service Vulnerability. This denial of service vulnerability affects Windows 10 and 11, and Windows Server 21H2, 20H2, 2004, and 2022. Attack complexity is low and no privileges or user interaction are required. Confidentiality and integrity are not affected, but an exploit can result in a total loss of availability.
  • CVE-2021-43207 – Windows Common Log File System Driver Elevation of Privilege Vulnerability. This EoP vulnerability affects supported versions of Windows client and server operating systems. The attack vector is local, so the attacker would have to have local access or rely on user interaction, but complexity is low, privileges required are low, and user interaction is not required if the attacker has local access. The exploit can result in a total loss of confidentiality, integrity, and availability.
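Every description above is a plain-English reading of the CVSS v3.1 base metrics (attack vector, attack complexity, privileges required, user interaction, and the confidentiality/integrity/availability impacts). The following PowerShell function, an added example that is not part of the original post, decodes a CVSS v3.1 vector string into that same reading and computes the base score using the weights, formula and rounding from the CVSS v3.1 specification. The two vectors in the usage lines are constructed from the prose above (scope assumed unchanged); they are not Microsoft’s published vectors for those CVEs.

```powershell
# Added example (not from the original post): decode a CVSS v3.1 base vector into
# the plain-language reading used in the bulletin descriptions and compute the
# base score. Weights, formula and Roundup follow the CVSS v3.1 specification.

function Invoke-CvssRoundUp {
    # CVSS v3.1 "Roundup": smallest one-decimal value >= input, done in integer
    # arithmetic so that float noise (e.g. 4.000000000000001) does not become 4.1.
    param([double]$Value)
    $i = [math]::Round($Value * 100000, [System.MidpointRounding]::AwayFromZero)
    if ($i % 10000 -eq 0) { return $i / 100000 }
    return ([math]::Floor($i / 10000) + 1) / 10
}

function ConvertFrom-CvssVector {
    param([Parameter(Mandatory)][string]$Vector)

    # Parse "CVSS:3.1/AV:N/AC:L/..." into a metric -> value table
    $m = @{}
    foreach ($part in (($Vector -replace '^CVSS:3\.[01]/', '') -split '/')) {
        $k, $v = $part -split ':'
        $m[$k] = $v
    }
    foreach ($required in 'AV', 'AC', 'PR', 'UI', 'S', 'C', 'I', 'A') {
        if (-not $m.ContainsKey($required)) { throw "Vector is missing base metric $required" }
    }
    $scopeChanged = ($m['S'] -eq 'C')

    # Metric weights from the specification; PR weights depend on scope
    $wAV  = @{ N = 0.85; A = 0.62; L = 0.55; P = 0.2 }
    $wAC  = @{ L = 0.77; H = 0.44 }
    $wUI  = @{ N = 0.85; R = 0.62 }
    $wCIA = @{ H = 0.56; L = 0.22; N = 0.0 }
    if ($scopeChanged) { $wPR = @{ N = 0.85; L = 0.68; H = 0.5 } }
    else               { $wPR = @{ N = 0.85; L = 0.62; H = 0.27 } }

    $iss = 1 - ((1 - $wCIA[$m['C']]) * (1 - $wCIA[$m['I']]) * (1 - $wCIA[$m['A']]))
    if ($scopeChanged) { $impact = 7.52 * ($iss - 0.029) - 3.25 * [math]::Pow($iss - 0.02, 15) }
    else               { $impact = 6.42 * $iss }
    $exploitability = 8.22 * $wAV[$m['AV']] * $wAC[$m['AC']] * $wPR[$m['PR']] * $wUI[$m['UI']]

    if ($impact -le 0) {
        $score = 0.0
    } elseif ($scopeChanged) {
        $score = Invoke-CvssRoundUp ([math]::Min(1.08 * ($impact + $exploitability), 10.0))
    } else {
        $score = Invoke-CvssRoundUp ([math]::Min($impact + $exploitability, 10.0))
    }

    # Qualitative rating bands from the specification
    $severity = switch ($score) {
        { $_ -eq 0 }   { 'None'; break }
        { $_ -lt 4.0 } { 'Low'; break }
        { $_ -lt 7.0 } { 'Medium'; break }
        { $_ -lt 9.0 } { 'High'; break }
        default        { 'Critical' }
    }

    # The wording the bulletin descriptions use for each metric value
    $readAV = @{ N = 'network (remotely exploitable at the protocol level)'
                 A = 'adjacent network'
                 L = 'local (console, SSH, or via user interaction)'
                 P = 'physical' }
    $readAC = @{ L = 'low'; H = 'high (a successful attack needs measurable preparation effort)' }
    $readPR = @{ N = 'none'; L = 'low'; H = 'high' }
    $readUI = @{ N = 'not required'; R = 'required' }
    $readImpact = @{ H = 'total loss'; L = 'partial loss'; N = 'no loss' }
    if ($scopeChanged) { $scopeText = 'changed' } else { $scopeText = 'unchanged' }

    [pscustomobject]@{
        Vector             = $Vector
        BaseScore          = $score
        Severity           = $severity
        AttackVector       = $readAV[$m['AV']]
        AttackComplexity   = $readAC[$m['AC']]
        PrivilegesRequired = $readPR[$m['PR']]
        UserInteraction    = $readUI[$m['UI']]
        Scope              = $scopeText
        Confidentiality    = $readImpact[$m['C']]
        Integrity          = $readImpact[$m['I']]
        Availability       = $readImpact[$m['A']]
    }
}

# Constructed vectors reconstructed from the descriptions above (scope assumed
# unchanged); not the vendor's published vectors.
ConvertFrom-CvssVector 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H' | Format-List   # AppX Installer spoofing pattern
ConvertFrom-CvssVector 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H' | Format-List   # "network, low complexity, no PR/UI" RCE pattern
```

Feeding the vector from the Security Update Guide for each CVE into this function gives the same reading as the prose above plus the numeric score, which is what most patch-prioritisation workflows key on. Note that a changed scope (S:C) raises both the privileges-required weights and the final multiplier, which is why two bulletins with identical impact wording can carry different scores.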

Other/cumulative updates

  • KB5008244 – Windows 7 and Server 2008 R2 (monthly rollup)
  • KB5008263 – Windows 8.1 and Server 2012 R2 (monthly rollup)
  • KB5008212 – Windows 10 (versions 2004, 20H2, 21H1, 21H2) and Server 2004, 20H2
  • KB5008215 – Windows 11

NOTES: As of October 2021, there are no longer optional, non-security releases for Windows 10, version 1909. Only cumulative monthly security updates will continue for Windows 10, version 1909.

Windows 10, version 2004 reached end of servicing on December 14, 2021. To continue receiving security and quality updates, Microsoft recommends that you update to the latest version of Windows 10.

Because of minimal operations during the holidays and the upcoming Western new year, there won’t be a preview release (known as a “C” release) for the month of December 2021. There will be a monthly security release (known as a “B” release) for December 2021. Normal monthly servicing for both B and C releases will resume in January 2022.

Applying the updates

Most organizations will deploy Microsoft and third-party software updates automatically to their servers and managed client systems using a patch management system of their choice, such as GFI’s LanGuard. Automated patch management saves time and reduces the risk of botched installations.

Most home users will receive the updates via the Windows Update service that’s built into the operating system.

Microsoft provides direct downloads for those who need to install the updates manually. You can download these from the Microsoft Update Catalog.
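Whichever deployment route is used, the step that matters afterwards is verifying that the right cumulative update actually landed on each host. The following PowerShell is an added example, not GFI’s or Microsoft’s code: it takes only the KB-to-OS mapping from the list above and uses standard cmdlets (Get-CimInstance, Get-HotFix, Get-ItemProperty) to report whether the expected December 2021 update is present. The Windows 10/11 build numbers it matches on (19041 through 19044 for versions 2004 through 21H2, 22000 for Windows 11) are general Windows knowledge, not from the post; builds the list above does not cover (Windows 10 1909, Windows Server 2022) are reported as such rather than guessed.

```powershell
# Added example (not GFI's or Microsoft's code): report whether this host carries
# the December 2021 cumulative update from the list above. Only the KB-to-OS
# mapping comes from that list; everything else is standard Windows tooling.

function Get-ExpectedDecember2021Kb {
    # Map the version string from Win32_OperatingSystem (e.g. "10.0.19044") to
    # the KB in the list above. Returns $null for builds the list does not cover
    # (Windows 10 1909, Windows Server 2022, insider builds, ...).
    param([Parameter(Mandatory)][string]$OsVersion)
    $build = [int](($OsVersion -split '\.')[-1])
    if ($OsVersion -like '6.1.*') { return 'KB5008244' }                    # Windows 7 / Server 2008 R2 rollup
    if ($OsVersion -like '6.3.*') { return 'KB5008263' }                    # Windows 8.1 / Server 2012 R2 rollup
    if ($build -ge 19041 -and $build -le 19044) { return 'KB5008212' }      # Win10 2004/20H2/21H1/21H2, Server 2004/20H2
    if ($build -eq 22000) { return 'KB5008215' }                            # Windows 11
    return $null
}

function Test-December2021Patch {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $kb = Get-ExpectedDecember2021Kb -OsVersion $os.Version

    # UBR (update build revision) increases with every cumulative update, so a
    # host where the December KB is "missing" may simply carry a later LCU that
    # supersedes it; compare UBR with the revision listed in the KB article
    # before calling the host unpatched. DisplayVersion/UBR do not exist on
    # Windows 7/8.1, where they come back empty.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    $installed = $null
    $expected  = 'not in this list'
    if ($kb) {
        $expected  = $kb
        $installed = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    }
    $installedOn = $null
    if ($installed) { $installedOn = $installed.InstalledOn }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        OS             = $os.Caption
        Version        = $os.Version
        DisplayVersion = $cv.DisplayVersion
        UBR            = $cv.UBR
        ExpectedKB     = $expected
        Installed      = [bool]$installed
        InstalledOn    = $installedOn
    }
}

Test-December2021Patch | Format-List
```

Run it locally after a maintenance window, or wrap both functions in a script block for Invoke-Command to sweep a list of servers and export the objects to CSV. Treat `Installed = False` as "needs a look", not "unpatched": the UBR column is what tells you whether a newer cumulative update has already superseded the December one.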

Known Issues

Before rolling an update out to your production systems, always research whether there are known issues that could affect your particular machines and configurations. A large number of such known issues affect this month’s updates. A full list of links to the KB articles detailing these issues can be found in the release notes.

Malicious Software Removal Tool (MSRT) update

The MSRT is used to find and remove malicious software from Windows systems, and its definitions are updated regularly. The updates are normally installed via Windows Update, but if you need to download and install them manually, you’ll find the links for the 32- and 64-bit versions in Remove specific prevalent malware with Windows Malicious Software Removal Tool (KB890830) (microsoft.com).

Third party releases

In addition to Microsoft’s security updates, this month’s Patch Tuesday brought a whopping eleven security bulletins/updates from Adobe, which will be discussed in more detail in this month’s Third Party Patch Roundup at the end of this month.
