By Jon Munshaw and Tiago Pereira.
Microsoft released its monthly security update Tuesday, disclosing 56 vulnerabilities in the company’s various software, hardware and firmware offerings, including one that’s actively being exploited in the wild.
November’s security update features six critical vulnerabilities, up from last month’s two, which was far lower than average for Microsoft. The other 50 vulnerabilities fixed today are considered “important.”
CVE-2021-42292, a security feature bypass in Microsoft Excel, is rated “important” rather than critical, but it is the only vulnerability in this update that Microsoft reports has been spotted being exploited in the wild. An attacker could use it to bypass certain security settings on a targeted machine.
At a time when email attachments are a major vector of system compromise, this vulnerability makes such attacks more efficient: it avoids a security prompt and so reduces the social engineering needed to infect the victim.

One critical vulnerability we would like to highlight is CVE-2021-38666, a remote code execution vulnerability in the Remote Desktop Client. An attacker who controls a Remote Desktop server could trigger code execution on the client machine if they trick a victim running a vulnerable version of the Remote Desktop Client into connecting to that server. Because the victim has to initiate the connection, the cases in which this can be exploited are limited. However, the issue should not be ignored: there are circumstances, for example an attacker who has already compromised one host and waits for an administrator to RDP into it, in which it could be used to obtain further privileges or for lateral movement.
Another code execution vulnerability, CVE-2021-42298, exists in Windows Defender, the free anti-malware service pre-installed on all Windows desktop devices. A specially crafted file could trigger code execution when it is scanned by Windows Defender or opened by the user, and scanning can happen as soon as the file lands on disk, with no user interaction. This is a very efficient way for an attacker to infect a remote system to which a malicious file is delivered, such as through email or instant messaging apps. Note that fixes for the Defender engine are delivered through its automatic engine updates rather than the monthly cumulative update, so on systems where those updates are delayed or blocked, confirm that the engine version has actually moved forward.
It’s also worth noting CVE-2021-26443, a code execution vulnerability in the Microsoft Virtual Machine Bus (VMBus) with a CVSS severity score of 9.0 out of 10. It could allow a guest VM to execute code on the Hyper-V host, an escalation from guest to host. This vulnerability is critical in environments that run untrusted virtual machines, such as multi-tenant Hyper-V hosts.
Talos also discovered multiple vulnerabilities in Azure Sphere that Microsoft patched over the past few months, including four disclosed today. Some of them did not receive official patches or CVE assignments. For more on this, read our full blog post here.
A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.
In response to these vulnerability disclosures, Talos is releasing a new Snort® rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The rules included in this release that protect against the exploitation of many of these vulnerabilities are 58519, 58520 and 58539 through 58541. There is also Snort 3 rule 300054.
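Having the rule pack downloaded is not the same as having the rules loaded and enabled on a sensor. The following shell script is an added example, not code from Talos or the Snort project: it checks a Snort rules file (Snort 2 or Snort 3 text format) for each SID you pass it and reports whether the rule is present and enabled, treating a leading `#` as a disabled rule. The SIDs in the sample rules file, the rule text and the `/etc/snort/rules/snort.rules` path in the usage comment are constructed assumptions for illustration, not the content of the real rules.

```shell
#!/bin/sh
# Added example (not from the Talos post or the Snort project).
# Verify that the SIDs from a rule release are present and enabled in a
# Snort rules file. A rule is identified by "sid:NNNNN;" in its options and
# is treated as disabled when the line is commented out with a leading '#'.

# Usage: check_sids RULES_FILE SID...
# Prints "SID enabled|disabled|missing" per SID and returns 0 only when
# every requested SID is present and enabled.
check_sids() {
    rules_file="$1"
    shift
    rc=0
    for sid in "$@"; do
        # Enabled: line starts with a rule action and carries this exact SID.
        if grep -Eq "^[[:space:]]*(alert|drop|reject|sdrop|log|pass)[[:space:]].*sid:[[:space:]]*${sid}[[:space:]]*;" "$rules_file"; then
            echo "$sid enabled"
        # Present but commented out (or otherwise not starting with an action).
        elif grep -Eq "sid:[[:space:]]*${sid}[[:space:]]*;" "$rules_file"; then
            echo "$sid disabled"
            rc=1
        else
            echo "$sid missing"
            rc=1
        fi
    done
    return $rc
}

# Count how many of the given SIDs are enabled (quick summary figure).
count_enabled() {
    check_sids "$@" | grep -c ' enabled$'
}

# Constructed sample rules file for a stand-alone run: local-range SIDs only,
# one enabled rule, one commented-out rule; SID 1000003 is deliberately absent.
sample_rules_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"EXAMPLE enabled rule"; flow:to_server,established; sid:1000001; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE disabled rule"; sid:1000002; rev:1;)
EOF
    echo "$f"
}

# Stand-alone demonstration on the constructed file.
f=$(sample_rules_file)
check_sids "$f" 1000001 1000002 1000003
rm -f "$f"

# Against a real sensor (assumed path), with the SIDs from this release:
# check_sids /etc/snort/rules/snort.rules 58519 58520 58539 58540 58541
```

The script exits non-zero if any SID is disabled or missing, so it can sit in the same cron job or pipeline that pulls the SRU and fail loudly when a rule update did not land.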