Update Your Windows PCs Immediately to Patch New 0-Day Under Active Attack

Microsoft on Tuesday rolled out security patches[1]
to contain a total of 71 vulnerabilities in Microsoft Windows and
other software, including a fix for an actively exploited privilege
escalation vulnerability that could be exploited in conjunction
with remote code execution bugs to take control over vulnerable
systems.

Two of the addressed security flaws are rated Critical, 68 are
rated Important, and one is rated Low in severity, with three of
the issues listed as publicly known at the time of the release. The
four zero-days are as follows —

  • CVE-2021-40449[2] (CVSS score: 7.8) –
    Win32k Elevation of Privilege Vulnerability
  • CVE-2021-41335[3] (CVSS score: 7.8) –
    Windows Kernel Elevation of Privilege Vulnerability
  • CVE-2021-40469[4] (CVSS score: 7.2) –
    Windows DNS Server Remote Code Execution Vulnerability
  • CVE-2021-41338[5] (CVSS score: 5.5) –
    Windows AppContainer Firewall Rules Security Feature Bypass
    Vulnerability
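The headline advice is to install the October 2021 Patch Tuesday update without delay, and the first thing an administrator wants is a quick way to confirm it has actually landed. The following PowerShell inventory script is an added example, not code from the article or from Microsoft: it prints the OS build, the most recently installed updates, and the state of the Print Spooler service (which two of the patched bugs affect), and checks for a specific update by KB identifier. The article does not list KB numbers, so `$ExpectedKB` is a placeholder you fill in from the Microsoft release notes for your Windows build.

```powershell
# Added example (not from the article): inventory installed updates on a Windows host
# so an administrator can confirm the October 2021 Patch Tuesday update is present.
# $ExpectedKB is a placeholder; the article gives no KB number. Take the KB for your
# build from the Microsoft Security Update Guide / release notes.
param(
    [string]$ExpectedKB = 'KBXXXXXXX'   # placeholder value, not a real identifier
)

# OS build, so the result can be matched against the correct release notes entry
$build = [System.Environment]::OSVersion.Version
Write-Host "OS version: $build"

# Ten most recently installed updates, newest first (InstalledOn may be empty for some)
$recent = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10
$recent | Format-Table HotFixID, Description, InstalledOn -AutoSize

# Print Spooler state, reported for inventory only: two of the patched bugs live there
Get-Service -Name Spooler | Select-Object Name, Status, StartType | Format-Table -AutoSize

# Look for the expected cumulative update by KB identifier
if (Get-HotFix -Id $ExpectedKB -ErrorAction SilentlyContinue) {
    Write-Host "$ExpectedKB is installed."
} else {
    Write-Warning "$ExpectedKB not found; run Windows Update or check WSUS/Intune compliance."
}
```

Run it as `.\Check-PatchStatus.ps1 -ExpectedKB KB<number>` on a sample of hosts, or push it through your management tooling; `Get-HotFix` only sees updates recorded by Windows Update, so for image-based deployments compare the reported OS build against the release notes instead.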

At the top of the list is CVE-2021-40449, a use-after-free
vulnerability in the Win32k kernel driver discovered by Kaspersky
as being exploited in the wild in late August and early September
2021 as part of a widespread espionage campaign targeting IT
companies, defense contractors, and diplomatic entities. The
Russian cybersecurity firm dubbed the threat cluster
“MysterySnail.”

“Code similarity and re-use of C2 [command-and-control] infrastructure we discovered allowed us to connect these attacks
with the actor known as IronHusky and Chinese-speaking APT activity
dating back to 2012,” Kaspersky researchers Boris Larin and Costin
Raiu said[6]
in a technical write-up, with the infection chains leading to the
deployment of a remote access trojan capable of collecting and
exfiltrating system information from compromised hosts before
reaching out to its C2 server for further instructions.

Other bugs of note include remote code execution vulnerabilities
affecting Microsoft Exchange Server (CVE-2021-26427[7]), Windows Hyper-V
(CVE-2021-38672[8]
and CVE-2021-40461[9]), SharePoint Server
(CVE-2021-40487[10] and CVE-2021-41344[11]), and Microsoft Word
(CVE-2021-40486[12]) as well as an
information disclosure flaw in Rich Text Edit Control (CVE-2021-40454[13]).

CVE-2021-26427, which has a CVSS score of 9.0 and was identified
by the U.S. National Security Agency, underscores that “Exchange
servers are high-value targets for hackers looking to penetrate
business networks,” Bharat Jogi, senior manager of vulnerability
and threat research at Qualys, said.

The October Patch Tuesday is rounded out by fixes for two newly
discovered shortcomings in the Print Spooler component —
CVE-2021-41332[14] and CVE-2021-36970[15] — one an information
disclosure bug and the other a spoofing vulnerability, the latter
tagged with an “Exploitation More Likely” exploitability index
assessment.

“A spoofing vulnerability usually indicates that an attacker can
impersonate or identify as another user,” security researcher
ollypwn noted[16] in a Twitter thread.
“In this case, it looks like an attacker can abuse the Spooler
service to upload arbitrary files to other servers.”

Software Patches From Other Vendors

In addition to Microsoft, patches have also been released by a
number of other vendors to address several vulnerabilities,
including —

References

  1. security patches (msrc.microsoft.com)
  2. CVE-2021-40449 (msrc.microsoft.com)
  3. CVE-2021-41335 (msrc.microsoft.com)
  4. CVE-2021-40469 (msrc.microsoft.com)
  5. CVE-2021-41338 (msrc.microsoft.com)
  6. said (securelist.com)
  7. CVE-2021-26427 (msrc.microsoft.com)
  8. CVE-2021-38672 (msrc.microsoft.com)
  9. CVE-2021-40461 (msrc.microsoft.com)
  10. CVE-2021-40487 (msrc.microsoft.com)
  11. CVE-2021-41344 (msrc.microsoft.com)
  12. CVE-2021-40486 (msrc.microsoft.com)
  13. CVE-2021-40454 (msrc.microsoft.com)
  14. CVE-2021-41332 (msrc.microsoft.com)
  15. CVE-2021-36970 (msrc.microsoft.com)
  16. noted (twitter.com)