The final Patch Tuesday of the year is here, and while Log4J may have cast a very long shadow over this month, Microsoft has released fixes for 64 more vulnerabilities in its software products, including 16 Chromium-based bugs in the Edge browser that were already patched in updates pushed since last month.
Some of the remaining fixes apply to versions of Windows stretching the way back to the end-of-life’d Windows 7. In fact, there are 17 bugs being patched in Windows 7 this month, including three of this month’s seven critical vulnerabilities—all of which are remote code execution bugs.
One of those bugs is in Windows’ Remote Desktop Client (CVE-2021-43233), which would allow an attacker to target systems running the Remote Desktop Protocol (RDP) client software integrated into Windows operating systems to execute code on them. This is a network-based attack, leveraging RDP.
Next, there’s a vulnerability in Windows’ Encrypted File System (EFS) that also extends back to Windows 7 (CVE-2021-43217)—one that can be triggered regardless of whether or not EFS is in use on the targeted system. A specially-crafted attack could result in a buffer overflow write to memory that could result in unauthenticated code being executed by triggering EFS. This bug has been publicly disclosed, making it an urgent fix.
The third critical bug reaching all the way back to Windows 7 is in the less-ubiquitous Internet Storage Name Service (iSNS) server (CVE-2021-43215), the software component that manages connections on a storage area network over iSCSI. An attacker on a machine connected to the SAN could send a specially crafted request to the which could result in remote code execution.
The remaining critical remote code execution bugs are in products other than Windows, including the Microsoft Office app from the Windows Store (CVE-2021-43905) and the Visual Studio Code code editing tool’s Windows Subsystem for Linux (WSL) extension (CVE-2021-43907).
There’s also a critical flaw in one of Microsoft’s newest products, Defender for IoT (CVE-2021-42310). This Azure-connected software captures data from IoT devices to detect potential vulnerabilities and security issues. But a flaw in Version 10.5.2 and above of Defender for IoT makes it possible for an attacker to send data to the onsite console that could execute code. (There are seven other remote code execution vulnerabilities and an information disclosure vulnerability in Defender for IoT as well.)
The final critical remote code execution vulnerability in this month’s batch is in Microsoft’s 4K wireless display adapter. This is a firmware-level vulnerability, requiring a download of an update app. An unauthenticated attacker on the same wireless network as the display could send specially crafted packets to a vulnerable device to execute arbitrary code.
Other bugs of note
Beyond the critical bugs, there are another 19 remote code execution vulnerabilities in this month’s Patch Tuesday collection. As noted above, seven of them are in Defender for IoT. Another is being made available for all Windows versions back to Windows 7: a remote code execution bug in Windows Fax Service (CVE-2021-43234).
One of the non-critical bugs fixed in this month’s crop is CVE-2021-43883, a Windows Installer elevation of privilege Vulnerability. This bug, known as InstallerFileTakeover, was publicly disclosed late last month. The danger of this bug is that it can allow an installer to run without administrative privileges, including on the more restrictive Windows Server platforms.
Also among the more likely to be exploited is CVE-2021-41333, an elevation of privilege bug in the Windows Print Spooler. There are also two elevation of privilege flaws in the Windows Common Log File System driver (CVE-2021-43207 and CVE-2021-43226) and one in Windows Mobile Device Management (CVE-2021-43880).
Here is a list of protection released by SophosLabs in response to this advisory to complement any existing protection and generic exploit mitigation capabilities in our products. Additional protection signatures may be released after this article is published.