December 2021 Patch Tuesday: AppX Installer Zero-day, Multiple Critical Vulnerabilities

It’s the last Patch Tuesday update of 2021, and as with many other updates this year, this month’s list includes important ones — among them a zero-day (CVE-2021-43890 in AppX installer), multiple critical vulnerabilities and a variety of attack types utilized in several Microsoft product families — highlighting once again that patching and prioritization are prominent programs SecOps staff must regularly implement to keep adversaries from infiltrating their organizations’ environments. 

New Patches for 67 Vulnerabilities

December 2021’s Patch Tuesday covers fixes for 67 vulnerabilities. The attack-type impact resembles closely the impact we saw in September’s Patch Tuesday update, with remote code execution, privilege elevation and information disclosure dominating the attack types. While the overall quantity of updates offered by Microsoft is higher than last month, the number of updates throughout 2021 have been consistently low. Out-of-band updates have been pushed however, as adversaries continue to consistently take advantage of various weaknesses throughout Microsoft products.

Figure 1. Breakdown of December’s Patch Tuesday attack impact

Figure 2. September’s Patch Tuesday Breakdown of Risk Analysis

When examining patches according to product family, we see that Windows and Extended Security Updates (ESU) still have the same amount of focus, receiving most of this month’s updates. The System Center (products including Configuration Manager, Service Manager, Endpoint Protection and Orchestrator, among others) is a product area we see receiving more patches this month compared to last month: 10 updates vs. only one update released in November. Outside of the critical and zero-day vulnerabilities, if your organization uses products within these families, you should consider adjusting your organization’s prioritization schedule to include patches for these products.

Figure 2. Patches by Product Family

Zero-Day Vulnerability — CVE-2021-43890

Another actively exploited vulnerability, CVE-2021-43890, affects AppX Installer in Microsoft Windows. An attacker is able to exploit this vulnerability through “spoofing” — the crafting of a malicious attachment to be used in a phishing campaign. After convincing a user to open the attachment, the attacker could gain access to the system. Those users with admin rights would be at greater risk than those with few rights.

Microsoft Sharepoint Receives Updates for Multiple Vulnerabilities

This month, four different CVEs affecting Microsoft Sharepoint 2019 have received patches. IT staff seeking to properly update Sharepoint instances will need to apply more than one patch to cover all related vulnerabilities reported this month.

Rank CVSS Score CVE Description
Important 7.2 CVE-2021-42294 Remote Code Execution
Important 8.8 CVE-2021-42309 Remote Code Execution
Important 7.6 CVE-2021-43242 Spoofing
Important 8 CVE-2021-42320 Spoofing

A Variety of Attack Types Utilized for December’s Critical Vulnerabilities

CVE-2021-41333: A privilege escalation vulnerability which occurs in Windows Print Spooler. This vulnerability adds to an already existing set of vulnerabilities reported starting in July 2021. The PrintNightmare vulnerabilities were among those related to the Print Spooler Service, affecting many organizations, forcing them to disable the service altogether until a fully formed patch was released. 

CVE-2021-43215: An Internet Storage Name Service (iSNS) vulnerability found in the iSNS protocol. This protocol manages an iSNS server, providing a registration function to allow all entities in a storage network to register and query the iSNS database. To take advantage of this vulnerability an attacker can send a specially crafted request to iSNS that could result in remote code execution. Microsoft has applied a CVSS score of 9.8 to this vulnerability and labeled it as Critical, having deemed “exploitation most likely” for this vulnerability.

CVE-2021-43899: A vulnerability within Microsoft’s 4K Wireless Display Adapter could allow remote code execution. This flaw could allow an unauthenticated attacker to execute their code on an affected device, if the attacker is able to send specially crafted packets on the same network to the device. When patching, IT staff need to install the Microsoft Wireless Display Adapter application from the Microsoft Store onto a system connected to the Microsoft 4K Wireless Display Adapter. From there, staff can access the “Update & Security” section of the app to download the latest firmware for mitigation.

CVE-2021-43907: This vulnerability affects the Visual Studio Code in the Windows Subsystem for Linux (WSL). A WSL extension in Visual Code lets a user run a Linux environment, command-line tools and applications directly on Windows, without the overhead of a traditional virtual machine or dual boot setup. An attacker is able to exploit this vulnerability with no privileges required and could carry out remote code execution on the WSL extension. 

CVE-2021-43905: This is a vulnerability occurring within Microsoft Office applications that an attacker can take advantage of through remote code execution. Microsoft has assigned a score of 9.6 for this CVE. Because this application is widely used by organizations, it has also been given the designation of “exploitation more likely.” SecOps should consider prioritizing patching this vulnerability.

Rank CVSS Score CVE Description
Important 7.8 CVE-2021-41333 Windows Print Spooler Elevation of Privilege Vulnerability
Important 7.1 CVE-2021-43890 Windows AppX Installer Spoofing Vulnerability
Critical 9.8 CVE-2021-43215 iSNS Server Memory Corruption Vulnerability Can Lead to Remote Code Execution
Critical 9.8 CVE-2021-43899 Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability.
Critical 9.8 CVE-2021-43907 Visual Studio Code WSL Extension Remote Code Execution Vulnerability
Critical 9.6 CVE-2021-43905 Microsoft Office app Remote Code Execution Vulnerability

Another Critical Vulnerability to Consider

CVE-2021-43233: This is a lower-scored vulnerability — with a CVSS score of 7.5 — but one to consider including in your organization’s patching schedule this month. This vulnerability enables attackers to access Windows Remote Desktop Client (RDP) via remote code execution. RDP Protocol is a common vector for adversaries. Microsoft has flagged this vulnerability as Critical. CrowdStike encourages IT staff to mitigate this vulnerability before attackers start to leverage this flaw. 

Additionally, Microsoft has provided 10 patches for Microsoft Defender for IOT this month. Of these 10 patches, one is labeled as Critical, with the other nine classified as Important. Adversaries utilize remote code execution and privilege escalation to gain access to these vulnerabilities. Consider these vulnerabilities and determine where they fall within your organization’s prioritization schedule.  

Patching and Speedy Mitigation is Still Vital 

Identifying, patching and mitigating critical vulnerabilities, along with performing regular maintenance on these programs, is critically important for organizations to keep a secure posture. Gaining robust visibility into all the vulnerabilities that can affect an organization’s environments can be daunting — unless you have the right tools. With Falcon Spotlight, IT staff gain not only required visibility, but also tools to more efficiently see flaws within their systems. With features like an ever-adapting machine learning model to identify the constant changes to vulnerability information, staff can more accurately prioritize those vulnerabilities that will specifically affect their systems. 

Learn More

Watch this video on Falcon Spotlight vulnerability management to see how you can quickly monitor and prioritize vulnerabilities within the systems and applications in your organization. 

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article

Additional Resources 

Related Content