Multiple security vulnerabilities have been addressed in the recent Microsoft Patch Tuesday updates. This updates deals with but not limited to actively exploited flaw that is being abused to deliver Emotet, TrickBot or Bazaloader malware payloads.
This release fixes a total of 67 flaws bringing the total number of bugs patched by the company this year to 887. Seven of the 67 flaws are rated Critical and 60 rated as Important in severity. Worthy of note is the addition to the 21 flaws resolved in the Chromium-based Microsoft Edge Browser.
The CVE-2021-43890 (CVSS score: 7.1) is the most critical of the lot. It is a Windows ApppX installer spoofing vulnerability that Microsoft said could be exploited to achieve arbitrary code execution. The lower rating of its severity is as a result of the fact that code execution hinges on the logged-on user level, meaning “user account are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The flaw could be leveraged by the crafting of a malicious attachment that is then used as part of a phishing campaign to trick recipients into opening the email attachment. Sophos security researchers Andrew Brandt as well as Rick Cole and Nick Carr of the Microsoft Threat Intelligence Center (MSTIC), have been credited with reporting the vulnerability.
Other flaws that are publicly known are below —
CVE-2021-43240 (CVSS score: 7.8) – NTFS Set Short Name Elevation of Privilege Vulnerability
CVE-2021-43883 (CVSS score: 7.8) – Windows Installer Elevation of Privilege Vulnerability
CVE-2021-41333 (CVSS score: 7.8) – Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2021-43893 (CVSS score: 7.5) – Windows Encrypting File System (EFS) Elevation of Privilege Vulnerability
CVE-2021-43880 (CVSS score: 5.5) – Windows Mobile Device Management Elevation of Privilege Vulnerability
The December patch also comes with remediations for 10 remote code execution flaws in Defender for IoT, in addition to critical bugs affecting iSNS Server (CVE-2021-43215), 4K Wireless Display Adapter (CVE-2021-43899), Visual Studio Code WSL Extension (CVE-2021-43907), Office app (CVE-2021-43905), Windows Encrypting File System (CVE-2021-43217), Remote Desktop Client (CVE-2021-43233), and SharePoint Server (CVE-2021-42309).