Microsoft December 2021 Security Updates include fix for zero-day exploit used to spread Emotet malware


Microsoft has released the December 2021 Security Updates, which include patches for 73 vulnerabilities, 7 of them rated Critical. The updates also address one vulnerability that is being actively exploited in the wild and used to spread Emotet malware.

A remote attacker could exploit some of these vulnerabilities to take control of unpatched systems.

In all, the Microsoft security updates address vulnerabilities in the following products, features and roles:

  • ASP.NET Core & Visual Studio
  • Azure Bot Framework SDK
  • Internet Storage Name Service
  • Microsoft Defender for IoT
  • Microsoft Devices
  • Microsoft Local Security Authority Server (lsasrv)
  • Microsoft Message Queuing
  • Microsoft Office
  • Microsoft PowerShell
  • Microsoft Windows Codecs Library
  • Office Developer Platform
  • Remote Desktop Client
  • Role: Windows Fax Service
  • Role: Windows Hyper-V
  • Visual Studio Code
  • Windows Common Log File System Driver
  • Windows Digital TV Tuner
  • Windows DirectX
  • Windows Encrypting File System (EFS)
  • Windows Event Tracing
  • Windows Installer
  • Windows Kernel
  • Windows Media
  • Windows Mobile Device Management
  • Windows NTFS
  • Windows Print Spooler Components
  • Windows Remote Access Connection Manager
  • Windows Storage
  • Windows Storage Spaces Controller
  • Windows SymCrypt
  • Windows TCP/IP
  • Windows Update Stack

Windows AppX zero-day vulnerability

On Tuesday, Microsoft warned of active exploitation in the wild of a zero-day Windows AppX Installer Spoofing Vulnerability, CVE-2021-43890.

“We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader,” Microsoft stated in the advisory.

“An attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

The issue affects multiple versions of Windows 10. Upgrades can be downloaded to address the vulnerability.

Critical RCE vulnerabilities

Microsoft also addressed 7 separate Critical RCE vulnerabilities in multiple versions of Windows 10, Windows 11, Windows Server (multiple), Microsoft 4K Wireless Display Adapter, Microsoft Defender for IoT, Office app and Visual Studio Code WSL Extension products. Patches were also made available for older versions of Windows (versions 7 and 8.1).

The Critical RCE patches are summarized below:

  1. CVE-2021-42310: Microsoft Defender for IoT Remote Code Execution Vulnerability
  2. CVE-2021-43215: iSNS Server Memory Corruption Vulnerability Can Lead to Remote Code Execution
  3. CVE-2021-43217: Windows Encrypting File System (EFS) Remote Code Execution Vulnerability
  4. CVE-2021-43233: Remote Desktop Client Remote Code Execution Vulnerability
  5. CVE-2021-43899: Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability
  6. CVE-2021-43905: Microsoft Office app Remote Code Execution Vulnerability
  7. CVE-2021-43907: Visual Studio Code WSL Extension Remote Code Execution Vulnerability

Microsoft said none of these RCE vulnerabilities had known exploits at the time of the initial publication.

Other security updates

In addition to the Critical RCEs and zero-day fixes, Microsoft patched 65 other vulnerabilities across multiple products.

On a related note, researchers have also discovered a Critical 0-day vulnerability in the Apache Log4j logging utility that can result in remote code execution (RCE). Apache has issued a security update to address the vulnerability.

Finally, readers can review the December 2021 Security Updates Release Notes and also download more vulnerability and patch details via Microsoft’s Security Update Guide.
