Microsoft releases an anticipated batch of security patches and updates for various products and services on the second Tuesday of each month. This has become known as Microsoft security Patch Tuesday. Keeping with this tradition, Microsoft has just released 67 security fixes to mark this month’s Patch Tuesday. Seven of the vulnerabilities fixed today were classified as Critical and the rest as Important. December’s patch release also includes fixes for six zero-day bugs, one of which was actively exploited in the wild. The types of security vulnerabilities addressed today are distributed as follows:
- Twenty-six Remote Code Execution (RCE) flaws
- Twenty-one Elevation of Privilege vulnerabilities (EoP)
- Ten Information Disclosure Bugs
- Seven Spoofing Flaws
- Three DoS vulnerabilities
Here are the main highlights from this month’s Patch Tuesday:
Among the patches released this Tuesday were fixes for these six zero-day bugs:
CVE-2021-43890: Windows AppX Installer Spoofing Vulnerability
This CVE has a severity score of 7.1 and is rated as Important. This bug was exploited in the wild mostly to spread the malware family known as Emoter. A threat actor could attach a specially packaged malicious payload and convince the user to open it in a phishing scam. Once opened, the malicious Emotet begins infecting the Windows system disguised as a legitimate Windows App Installer Package.
CVE-2021-43880: Windows Mobile Device Management EoP Bug
This EoP could allow local attackers to access and delete targeted files on a Windows system.
CVE-2021-41333: Windows Print Spooler EoP Vulnerability
Yet another Print Spooler EoP. This time the vulnerability has a 7.8 CVSSv3 score and is said to have a low attack complexity; hence, exploitation is more likely.
CVE-2021-43893: Windows Encrypting File System (EFS) EoP Vulnerability
James Forshaw of Google Project Zero discovered and reported the bug, which Microsoft assigned a 7.5 severity rating. However, exploitation of this flaw is less likely.
CVE-2021-43883: Windows Installer EoP Vulnerability
Dubbed InstallerFileTakeOver, this zero-day was discovered and disclosed last month. The bug can allow an installer to run on a Windows system (including Windows 11 and Server) without administrative permissions. It has a 7.8 CVSSv3 score.
CVE-2021-43240: NTFS Set Short Name EoP Vulnerability
This bug received a CVSSv3 score of 7.8. And although it’s marked as Important, exploitation is less likely.
Other notable vulnerabilities and fixes
- CVE-2021-43905: Microsoft Office app RCE Vulnerability (Rated Critical, with a 9.6 CVSSv3 score)
- CVE-2021-43215: iSNS Server Memory Corruption Vulnerability Leading to Remote Code Execution (Rated Critical, with a 9.8 CVSSv3 score)
- CVE-2021-43207: Windows Common Log File System Driver EoP Vulnerability (Rated Important, with a 7.8 CVSSv3 score)
This article is only a brief overview of the patches released today. Read Microsoft’s Patch Tuesday release notes to get the complete Microsoft Patch Tuesday list. You can also read about the Windows 11 and Windows 10 updates released this patch Tuesday here.
December’s Patch Tuesday concludes this year’s monthly patch rollout. It also comes as the new and intriguing Log4j vulnerability starts to make waves on the internet. In the last patch Tuesday, the Redmond giant resolved a total of 55 vulnerabilities. Although this number is slightly higher this month, the Zero Day Initiative (ZDI) team notes that the total number of flaws fixed in 2021 (887) is 29 percent less than those fixed in 2020.
Never Miss Microsoft Security Updates on Patch Tuesday
Action1 Automated Patch Management System helps keep your Windows systems secure and up-to-date by deploying patches and updates as soon as they’re released. Sign up to try our Free Patch Management Solution today and stay tuned for more Microsoft Patch Tuesday news and reviews.