It is time for Patch Tuesday once again. I am just diving into this round of patches, but I feel very confident that nothing we find will be worse than the Log4j vulnerability that was discovered on Friday. Looking at the quick breakdown, it looks like we have 67 vulnerabilities patched, with seven of them being critical. Six are already known to the public, and one is already being exploited. This is far from ideal, but luckily after the fallout of trying to handle Log4j, we are all dead inside so it barely even registers. Holidays are here, so I am sure things will calm down soon!
Some highlights (or lowlights)
CVE-2021-43890: This one is both publicly disclosed and actively being exploited, so while it is far from the most critical, it is still worth highlighting. This CVE is a spoofing vulnerability that allows an attacker to craft a malicious attachment that will let malware be installed on a computer. It requires user interaction, which means this attack is usually carried out through phishing. Luckily, all end users have taken our training and would never click on a suspicious link... but to be safe, it is wise to update the update installer for your users.
CVE-2021-43899: This is one of the highest-rated vulnerabilities, coming in at 9.8. This vulnerability allows an attacker on the same network as a Microsoft 4K Display Adapter to execute code without authenticating. Resolving this will be a bit more complicated: you need to log onto a system connected to the display adapter and install the Microsoft Display Adapter app. After you complete that, you can access the Update & Security windows and download the latest firmware. If you are using these adapters in your environment, I would jump on this right away.
CVE-2021-43907: This is another of the 9.8-rated vulnerabilities. It affects the Windows Subsystem for Linux extension for Visual Studio Code. It allows an attacker to execute code without authenticating, and with no user interaction. This extension is not likely to be used by any of your regular end users, but I think it is a safe bet your DevOps team has it if you have both Windows and Linux in your environment.
Wrapping up
December is definitely going out with a bang. On top of a very rare 10.0 vulnerability that was discovered right before Patch Tuesday, we have three 9.8-rated vulnerabilities. That makes four extreme-risk vulnerabilities that need patching. Making matters worse, two of those can’t be directly patched through regular means. Since we are going to be spending so much extra time this month tracking down compromised Java libraries and updating firmware, shouldn’t we make sure the other 66 vulnerabilities will be patched with as little work as possible? PDQ Deploy and PDQ Inventory can handle your patching and remediation with regular updates, so you can focus on those special holiday exploits!