Patch Tuesday: Microsoft Warns of Under-Attack Windows Kernel Flaw
Microsoft’s scheduled monthly batch of security patches landed with a loud thud Tuesday with fixes for at least 56 security vulnerabilities in a range of operating system and software products.
At least one of the flaws (CVE-2021-1732) is being exploited in the wild in zero-day attacks. Microsoft did not provide any additional details on the in-the-wild attacks beyond a generic “exploitation detected” checkbox in the advisory.
The acknowledgement of this zero-day attack, reported to Microsoft by Chinese security vendor DBAPPSecurity Ltd., comes just days after reports of a separate — and still unpatched — Internet Explorer vulnerability being used by hackers linked to the North Korean government.
The zero-day patch headlines a mega-patch release by Microsoft with fixes for 56 documented CVEs in multiple Windows OS frameworks and components, the widely deployed Office Product line and the Skype for Business and Windows Defender utilities.
Microsoft rates 11 of the 56 vulnerabilities as “critical,” its highest severity rating. A total of 43 patched flaws are classified as “important” while two are rated “moderate.”
The Microsoft patch drop adds to the workloads for weary defenders struggling to keep pace with the volume and pace of security updates from major vendors.
Earlier Tuesday, Adobe shipped fixes for multiple dangerous security holes, including a bug in the Adobe Reader that is being exploited in “limited targeted attacks” against Windows OS users.
A few days ago, Sonicwall warned of zero-day attacks against some products in its portfolio while Apple and Google scrambled to provide band-aids for under-attack flaws in the iOS and Android operating systems.
To make matters worse, the communications and guidance from these big-name vendors have been poor. Adobe, for example, casually mentioned the in-the-wild PDF Reader attacks but did not provide any IOCs (indicators of compromise) or other attack artifacts to aid enterprise threat hunters.
Microsoft, too, has been sparing with information on flaws that are being actively exploited or publicly known. The information has likely been shared with the company’s MAPP (Microsoft Active Protection Program) partner security vendors, but several CISOs tell SecurityWeek it is becoming more and more difficult to mount a response plan without proper technical documentation of live attacks.
In addition to the bug under active exploitation (no IOCs available), Microsoft mentioned that six separate vulnerabilities are publicly known and exploit code may be available but the company did not provide additional documentation.
For a round-up of the major vulnerabilities and issues to prioritize, we recommend this recap from ZDI (Zero Day Initiative). Some highlights:
CVE-2021-1732 – Windows Win32k Elevation of Privilege Vulnerability
This local privilege escalation would allow a logged-on user to execute code of their choosing at higher privileges. Bugs of this nature are typically paired with another bug that allows code execution at the logged-on user level. For example, this could be paired with an Adobe Reader exploit. An attacker would entice a user to open a specially crafted PDF, which would result in code execution through the Reader bug then escalation through this bug. This is also a common tactic for malware.
CVE-2021-24078 – Windows DNS Server Remote Code Execution Vulnerability
This patch fixes a bug in the Windows DNS Server that could allow remote code execution on affected systems. Fortunately, if your system is not configured to be a DNS server, it is not impacted by this bug. However, for those systems that are configured as DNS servers, this bug allows code execution in a privileged service from a remote, unauthenticated attacker. This is potentially wormable, although only between DNS servers. Prioritize this update if you depend on Microsoft DNS servers.
CVE-2021-24074 – Windows TCP/IP Remote Code Execution Vulnerability
There are two TCP/IP bugs in this month’s release, but I chose to highlight this vulnerability over CVE-2021-24094 since this bug affects IPv4 while the other impacts IPv6. Both bugs could allow remote, unauthenticated code execution on affected systems. For CVE-2021-24074, the vulnerability resides in IPv4 source routing, which should be disabled by default. You can also block source routing at firewalls or other perimeter devices. The IPv6 bug involves packet fragmentation where a large number of fragments could lead to code execution.
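ZDI’s advice above is to block IPv4 source routing at firewalls or other perimeter devices. The following is an added example, not code from the article, ZDI or Microsoft, of the check such a device performs: it walks the IPv4 header options and flags loose (LSRR) or strict (SSRR) source-route options, treating malformed headers as drop-worthy; the sample packets are constructed inline for the demonstration.

```python
import struct
from dataclasses import dataclass

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137   # loose / strict source and record route


@dataclass
class Verdict:
    source_routed: bool   # True means a perimeter device should drop the packet
    options: list         # option type numbers seen in the header
    reason: str


def inspect_ipv4(packet: bytes) -> Verdict:
    """Parse the IPv4 header options and report whether the packet carries a source route."""
    if len(packet) < 20:
        return Verdict(True, [], "truncated header")      # malformed: fail closed
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        return Verdict(False, [], "not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        return Verdict(True, [], "bad IHL")
    opts, seen, i = packet[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:                              # single-byte option, no length
            i += 1
            continue
        if i + 1 >= len(opts):
            return Verdict(True, seen, "option missing length")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return Verdict(True, seen, "bad option length")
        seen.append(kind)
        if kind == IPOPT_LSRR:
            return Verdict(True, seen, "loose source route")
        if kind == IPOPT_SSRR:
            return Verdict(True, seen, "strict source route")
        i += length
    return Verdict(False, seen, "no source route")


def build_ipv4(options: bytes) -> bytes:
    """Constructed sample: minimal IPv4/UDP header with the given options, padded to 4 bytes.
    Header checksum is left zero since the parser does not verify it."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + options


PLAIN = build_ipv4(b"")                                               # no options
LSRR = build_ipv4(bytes([IPOPT_LSRR, 7, 4, 192, 0, 2, 9]))            # one-hop loose source route
RECORD_ROUTE = build_ipv4(bytes([7, 7, 4, 0, 0, 0, 0]))               # benign record-route option
```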
CVE-2021-26701 – .NET Core and Visual Studio Remote Code Execution Vulnerability
This is the only Critical-rated bug to be listed as publicly known, and without more information from Microsoft, that’s about all we know about it. Based on the CVSS, this could allow remote, unauthenticated attackers to execute arbitrary code on an affected system. Regardless, if you rely on the .NET Framework or .NET Core, make sure you test and deploy this one quickly.