By Jon Munshaw, with contributions from Holger Unterbrink.
Microsoft released its monthly security update Tuesday, disclosing 85 vulnerabilities across the company’s firmware and software. This month’s release is headlined by an official patch for the critical remote code execution vulnerability disclosed earlier this month in MSHTML, the Internet Explorer rendering engine that Office also uses to render web content inside documents.
CVE-2021-40444 is being actively exploited in the wild, according to Microsoft, and proof-of-concept code is now publicly available, which widens the pool of attackers able to exploit this vulnerability. This is the first official Microsoft update to address the issue; until now only workarounds were available. Talos has additional protection available here.
Users should install this patch immediately. Until they can, Microsoft’s published workaround disables the installation of all ActiveX controls in Internet Explorer through registry policy. Note that this blocks only new controls: ActiveX controls that are already installed continue to run, and the patch remains the actual fix. There are only three other critical vulnerabilities included in this release, and the remainder are “important” outside of two vulnerabilities of “moderate” severity.
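The following PowerShell script is an added example, not code from the Talos post or from Microsoft. It applies the ActiveX workaround Microsoft published for CVE-2021-40444 (the “Download signed ActiveX controls” policy, value 1001, and “Download unsigned ActiveX controls” policy, value 1004, set to Disabled, value 3, in Internet zones 0 through 3) and then verifies the result. The function names are this example’s own; the registry path and values are the ones from Microsoft’s workaround.

```powershell
# Added example: apply and verify Microsoft's CVE-2021-40444 ActiveX workaround.
# Policy values 1001 (signed) and 1004 (unsigned) control ActiveX download in each
# Internet zone; 3 means "Disable". A reboot is required for the change to take effect.
#Requires -RunAsAdministrator

$base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$values = @{ '1001' = 3; '1004' = 3 }   # 3 = Disable

function Set-ActiveXDownloadDisabled {
    # Create the zone keys if the policy hive does not have them yet, then set both values.
    foreach ($zone in 0..3) {
        $key = Join-Path $base $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $values.Keys) {
            New-ItemProperty -Path $key -Name $name -Value $values[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-ActiveXDownloadDisabled {
    # Returns $true only if every zone has both values set to 3; warns on the first mismatch.
    foreach ($zone in 0..3) {
        $key = Join-Path $base $zone
        foreach ($name in $values.Keys) {
            $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($current -ne 3) {
                Write-Warning "Zone ${zone}: value $name is '$current' (expected 3)"
                return $false
            }
        }
    }
    return $true
}

Set-ActiveXDownloadDisabled
if (Test-ActiveXDownloadDisabled) {
    Write-Output 'ActiveX download disabled in zones 0-3. Reboot for the policy to apply.'
}
```

Run the test function on its own against machines that were mitigated by hand to confirm nothing was missed; the check is read-only and safe to run anywhere. Microsoft’s workaround also recommends disabling the Windows Explorer preview pane, which this script does not do, and the registry policy is a stopgap: it does not remove controls that are already installed, so it is no substitute for the patch.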
Many of the other vulnerabilities disclosed this month exist in Google Chromium and have already been patched and disclosed. However, the vulnerabilities affect Microsoft Edge which is based on Chromium, so Microsoft has listed them for documentation purposes.
CVE-2021-36965, a remote code execution vulnerability in the Windows WLAN AutoConfig Service, carries a severity score of 8.8 out of a possible 10, the same score as CVE-2021-40444. Microsoft’s CVSS vector rates it as exploitable from an adjacent network, so an attacker needs a foothold on the same local network as the target rather than access from the internet.
Aside from the aforementioned MSHTML exploit, another critical vulnerability exists in the Windows scripting engine. CVE-2021-26435 could allow an attacker to corrupt memory on the victim machine by tricking the user into opening a specially crafted file or visiting a website containing an attacker-created file designed to exploit this vulnerability.
The remaining critical vulnerability is CVE-2021-38647, a remote code execution vulnerability in the Open Management Infrastructure (OMI). It is the highest-scoring issue in this release at 9.8: an unauthenticated attacker who can reach an OMI agent’s management port can execute commands as root. OMI is the agent that several Azure management extensions install on Linux virtual machines, so Azure customers running Linux VMs should verify the installed OMI version rather than assume it was updated.
Talos researchers discovered one of the important vulnerabilities: CVE-2021-36956, an information disclosure vulnerability in Azure Sphere. You can read more about this issue in our full vulnerability advisory. We will be discussing the full breadth of our research into Azure Sphere in a future post.
We would also like to highlight CVE-2021-36955, an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver. Microsoft rates this vulnerability as having “low” attack complexity and considers exploitation “more likely.”
A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.
In response to these vulnerability disclosures, Talos is releasing a new SNORT® rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The rules included in this release that protect against the exploitation of many of these vulnerabilities are 40689, 40690, 58120–58129, 58132–58137, 58140 and 58141.