Today is Microsoft’s December 2021 Patch Tuesday, and with it come fixes for six zero-day vulnerabilities and a total of 67 flaws. These updates include a fix for an actively exploited Windows Installer vulnerability used in malware distribution campaigns.

Microsoft has fixed 55 vulnerabilities (not including Microsoft Edge) with today’s update, with 7 classified as Critical and 60 as Important.

The number of each type of vulnerability is listed below:

21 Elevation of Privilege Vulnerabilities

26 Remote Code Execution Vulnerabilities

10 Information Disclosure Vulnerabilities

3 Denial of Service Vulnerabilities

7 Spoofing Vulnerabilities

Microsoft also fixed five publicly disclosed zero-day vulnerabilities as part of the December 2021 Patch Tuesday that are not known to be exploited in attacks (but will be soon).

CVE-2021-43240 – NTFS Set Short Name Elevation of Privilege Vulnerability

CVE-2021-41333 – Windows Print Spooler Elevation of Privilege Vulnerability

CVE-2021-43880 – Windows Mobile Device Management Elevation of Privilege Vulnerability

CVE-2021-43883 – Windows Installer Elevation of Privilege Vulnerability

CVE-2021-43893 – Windows Encrypting File System (EFS) Elevation of Privilege Vulnerability

Executive Summary

Taking a closer look at some of the more interesting updates for this month:

 CVE-2021-43890 – Windows AppX Installer Spoofing Vulnerability
Emotet is like that holiday guest that just won’t take a hint and leave. This patch fixes a bug in the AppX installer that affects Windows. Microsoft states they have seen the bug used in malware in the Emotet/Trickbot/Bazaloader family. An attacker would need to craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. It seems code execution would occur at the logged-on user level, so attackers would likely combine this with another bug to take control of a system. This malware family has been going for some time now. It seems like it will be around for a bit longer.

 CVE-2021-43215 – iSNS Server Remote Code Execution Vulnerability
This patch fixes a bug in the Internet Storage Name Service (iSNS) server that could allow remote code execution if an attacker sends a specially crafted request to an affected server. If you aren’t familiar with it, iSNS is a protocol that enables automated discovery and management of iSCSI devices on a TCP/IP storage network. In other words, if you’re running a SAN in your enterprise, you either have an iSNS server or you configure each of the logical interfaces individually. This bug is one of three CVSS 9.8 bugs fixed this month. If you have a SAN, prioritize testing and deploying this patch.

 CVE-2021-43899 – Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability
This update fixes a vulnerability that could allow an unauthenticated attacker to execute their code on an affected device. The attacker would need to be on the same network as the Microsoft 4K Display Adapter. If they are, they could send specially crafted packets to the affected device. Patching this won’t be an easy chore. To be protected, users need to install the Microsoft Wireless Display Adapter application from the Microsoft Store onto a system connected to the Microsoft 4K Wireless Display Adapter. Only then can they use the “Update & Security” section of the app to download the latest firmware to mitigate this bug. This is the second CVSS 9.8 bug being patched this month.

 CVE-2021-43907 – Visual Studio Code WSL Extension Remote Code Execution Vulnerability
This is the final CVSS 9.8 vulnerability being patched this month. The impacted component lets users use the Windows Subsystem for Linux (WSL) as a full-time development environment from Visual Studio Code. It allows you to develop in a Linux-based environment, use Linux-specific toolchains and utilities, and run and debug Linux-based applications all from within Windows. That sort of cross-platform functionality is used by many in the DevOps community. This patch fixes a remote code execution bug in the extension, but Microsoft doesn’t specify exactly how that code execution could occur. They do list it as unauthenticated and requiring no user interaction, so if you use this extension, get this update tested and deployed quickly.

 CVE-2021-42309 – Microsoft SharePoint Server Remote Code Execution Vulnerability
This patch fixes a bug reported through the ZDI program. The vulnerability allows a user to elevate and execute code in the context of the service account. An attacker would need “Manage Lists” permissions on a SharePoint site, but by default, any authorized user can create their own new site where they have full permissions. This bug allows an attacker to bypass the restriction against running arbitrary server-side web controls. This is similar to the previously patched CVE-2021-28474. However, in this case, the unsafe control is “smuggled” in a property of an allowed control.

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-43890 | Windows AppX Installer Spoofing Vulnerability | Important | 7.1 | Yes | Yes | Spoofing |
| CVE-2021-43240 | NTFS Set Short Name Elevation of Privilege Vulnerability | Important | 7.8 | Yes | No | EoP |
| CVE-2021-43893 | Windows Encrypting File System (EFS) Elevation of Privilege Vulnerability | Important | 7.5 | Yes | No | EoP |
| CVE-2021-43883 | Windows Installer Elevation of Privilege Vulnerability | Important | 7.1 | Yes | No | EoP |
| CVE-2021-43880 | Windows Mobile Device Management Elevation of Privilege Vulnerability | Important | 5.5 | Yes | No | EoP |
| CVE-2021-41333 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | Yes | No | EoP |
| CVE-2021-43215 | iSNS Server Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2021-43899 | Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2021-42310 | Microsoft Defender for IoT Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2021-43905 | Microsoft Office app Remote Code Execution Vulnerability | Critical | 9.6 | No | No | RCE |
| CVE-2021-43233 | Remote Desktop Client Remote Code Execution Vulnerability | Critical | 7 | No | No | RCE |
| CVE-2021-43907 | Visual Studio Code WSL Extension Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2021-43217 | Windows Encrypting File System (EFS) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2021-43877 | ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-43225 | Bot Framework SDK Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2021-43219 | DirectX Graphics Kernel File Denial of Service Vulnerability | Important | 7.4 | No | No | DoS |
| CVE-2021-40452 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-40453 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-41360 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-43892 | Microsoft BizTalk ESB Toolkit Spoofing Vulnerability | Important | 7.1 | No | No | Spoofing |
| CVE-2021-42312 | Microsoft Defender for IOT Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-43888 | Microsoft Defender for IoT Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
| CVE-2021-41365 | Microsoft Defender for IoT Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2021-42311 | Microsoft Defender for IoT Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2021-42313 | Microsoft Defender for IoT Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2021-42314 | Microsoft Defender for IoT Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2021-42315 | Microsoft Defender for IoT Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2021-43882 | Microsoft Defender for IoT Remote Code Execution Vulnerability | Important | 9 | No | No | RCE |
| CVE-2021-43889 | Microsoft Defender for IoT Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
| CVE-2021-43256 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-42293 | Microsoft Jet Red Database Engine and Access Connectivity Engine Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2021-43216 | Microsoft Local Security Authority Server (lsasrv) Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2021-43222 | Microsoft Message Queuing Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
| CVE-2021-43236 | Microsoft Message Queuing Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
| CVE-2021-43875 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-43255 | Microsoft Office Trust Center Spoofing Vulnerability | Important | 5.5 | No | No | Spoofing |
| CVE-2021-43896 | Microsoft PowerShell Spoofing Vulnerability | Important | 5.5 | No | No | Spoofing |
| CVE-2021-42294 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
| CVE-2021-42309 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2021-42320 | Microsoft SharePoint Server Spoofing Vulnerability | Important | 8 | No | No | Spoofing |
| CVE-2021-43242 | Microsoft SharePoint Server Spoofing Vulnerability | Important | 7.6 | No | No | Spoofing |
| CVE-2021-43227 | Storage Spaces Controller Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2021-43235 | Storage Spaces Controller Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2021-43228 | SymCrypt Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2021-42295 | Visual Basic for Applications Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2021-43891 | Visual Studio Code Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-43908 | Visual Studio Code Spoofing Vulnerability | Important | N/A | No | No | Spoofing |
| CVE-2021-43243 | VP9 Video Extensions Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2021-43214 | Web Media Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-43207 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-43226 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-43224 | Windows Common Log File System Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2021-43248 | Windows Digital Media Receiver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-43245 | Windows Digital TV Tuner Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-43232 | Windows Event Tracing Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-43234 | Windows Fax Service Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-43246 | Windows Hyper-V Denial of Service Vulnerability | Important | 5.6 | No | No | DoS |
| CVE-2021-43244 | Windows Kernel Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2021-40441 | Windows Media Center Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-43229 | Windows NTFS Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-43230 | Windows NTFS Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-43231 | Windows NTFS Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-43239 | Windows Recovery Environment Agent Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2021-43223 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-43238 | Windows Remote Access Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-43237 | Windows Setup Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-43247 | Windows TCP/IP Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| * CVE-2021-4052 | Chromium: CVE-2021-4052 Use after free in web apps | High | N/A | No | No | RCE |
| * CVE-2021-4053 | Chromium: CVE-2021-4053 Use after free in UI | High | N/A | No | No | RCE |
| * CVE-2021-4054 | Chromium: CVE-2021-4054 Incorrect security UI in autofill | High | N/A | No | No | RCE |
| * CVE-2021-4055 | Chromium: CVE-2021-4055 Heap buffer overflow in extensions | High | N/A | No | No | RCE |
| * CVE-2021-4056 | Chromium: CVE-2021-4056: Type Confusion in loader | High | N/A | No | No | RCE |
| * CVE-2021-4057 | Chromium: CVE-2021-4057 Use after free in file API | High | N/A | No | No | RCE |
| * CVE-2021-4058 | Chromium: CVE-2021-4058 Heap buffer overflow in ANGLE | High | N/A | No | No | RCE |
| * CVE-2021-4059 | Chromium: CVE-2021-4059 Insufficient data validation in loader | High | N/A | No | No | RCE |
| * CVE-2021-4061 | Chromium: CVE-2021-4061 Type Confusion in V8 | High | N/A | No | No | RCE |
| * CVE-2021-4062 | Chromium: CVE-2021-4062 Heap buffer overflow in BFCache | High | N/A | No | No | RCE |
| * CVE-2021-4063 | Chromium: CVE-2021-4063 Use after free in developer tools | High | N/A | No | No | RCE |
| * CVE-2021-4064 | Chromium: CVE-2021-4064 Use after free in screen capture | High | N/A | No | No | RCE |
| * CVE-2021-4065 | Chromium: CVE-2021-4065 Use after free in autofill | High | N/A | No | No | RCE |
| * CVE-2021-4066 | Chromium: CVE-2021-4066 Integer underflow in ANGLE | High | N/A | No | No | RCE |
| * CVE-2021-4067 | Chromium: CVE-2021-4067 Use after free in window manager | High | N/A | No | No | RCE |
| * CVE-2021-4068 | Chromium: CVE-2021-4068 Insufficient validation of untrusted input in new tab page | Low | N/A | No | No | Spoofing |

With thanks to the Patchmanagement.org Team!