On Patch Tues., Microsoft fixed 66 CVEs, including an RCE bug in MSHTML under active attack as threat players passed around guides for the simple exploit.
In Sept’s Patch Tues. crop of security fixes, Microsoft released patches for 66 CVEs, 3 of which are rated critical, & 1 of which – the Windows MSHTML zero-day – has been under active attack for nearly 2 weeks.
One other bug is listed as publicly known but isn’t yet being exploited. Immersive Labs’ Kevin Breen, Director of Cyber Threat Research, observed that with only 1 CVE under active attack in the wild, it’s “quite a light Patch Tues.” – at least it seems.
The flaws were found in Microsoft Windows & Windows components, Microsoft Edge (Chromium, iOS, & Android), Azure, Office & Office Components, SharePoint Server, Microsoft Windows DNS & the Windows Subsystem for Linux.
Of the 66 new CVEs patched this week, 3 are rated critical, 62 are rated important, & 1 is rated moderate in severity.
Over the past 9 months of 2021, this is the 7th month in which Microsoft patched fewer than 100 CVEs, in stark contrast to 2020, when Redmond spent 8 months gushing out more than 100 CVE patches per month. But whilst the overall number of vulnerabilities is lighter, the severity ratings have increased, as the Zero Day Initiative noted.
Some observers pegged the top patching priority in this month’s batch as being a fix for CVE-2021-40444: An important-rated vulnerability in Microsoft’s MSHTML Trident engine that rates 8.8 out of 10 on the CVSS scale.
Disclosed on Sept. 7, it’s a painful problem, given that researchers developed several proof-of-concept (PoC) exploits showing how very simple it is to exploit, & attackers have been sharing guides on how to do just that.
It’s been nearly 2 weeks since this serious, simple to exploit bug has been under active attack, & it’s been nearly a week since attackers started to share blueprints on how to carry out an exploit.
Microsoft commented last week that the flaw could let an attacker “craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine,” after which “the attacker would then have to convince the user to open the malicious document.”
Unfortunately, malicious macro attacks continue to be common: In July, for example, legacy users of Microsoft Excel were being targeted in a malware campaign that used a novel malware-obfuscation technique to disable malicious macro warnings & deliver the ZLoader trojan.
Microsoft Office Document
An attacker would need to convince a user to open a specially crafted Microsoft Office document containing the exploit code.
Satnam Narang, Staff Research Engineer at Tenable, noted via email that there have been warnings that this vulnerability will be incorporated into malware payloads & used to distribute ransomware: A solid reason to put the patch at the top of your priority list.
“There are no indications that this has happened yet, but with the patch now available, organisations should prioritise updating their systems as soon as possible,” Narang explained.
Last Wed., Sept. 8, Kevin Beaumont – Head of the Security Operations Centre for UK fashion retailer Arcadia Group & a past senior threat intelligence analyst at Microsoft – noted that the exploit had been in the wild for about a week or more.
It got worse: Last Thurs., Sept. 9, threat players began sharing exploit how-tos & PoCs for the Windows MSHTML zero-day. Bleeping Computer gave it a try & found that the guides are “simple to follow & allow anyone to create their own working version” of the exploit, “including a Python server to distribute the malicious documents & CAB files.”
It took the publication only 15 minutes to recreate the exploit.
Remote-Code Execution (RCE)
A week ago, on Tues., Sept. 7, Microsoft & the US Cybersecurity & Infrastructure Security Agency (CISA) had urged mitigations of the remote-code execution (RCE) flaw, which is found in all modern Windows operating systems.
Last week, the company didn’t say much about the bug in MSHTML, aka Trident, which is the HTML engine built into Windows since Internet Explorer debuted more than 20 years ago & which allows Windows to read & display HTML files.
Microsoft did say, however, that it was aware of targeted attacks trying to exploit it via specially crafted Microsoft Office documents.
Despite there being no security updates available for the vulnerability at that time, MIcrosoft disclosed it, along with mitigations meant to help prevent exploitation.
Mitigations That Don’t
Tracked as CVE-2021-40444, the flaw is serious enough that CISA sent its own advisory, alerting users & administrators & recommending that they use the mitigations & workarounds Microsoft recommended – mitigations that try to prevent exploitation by blocking ActiveX controls & Word/RTF document previews in Windows Explorer.
Emphasis on “try to:” Unfortunately, those mitigations proved to be less than fool proof, as researchers, including Beaumont, managed to modify the exploit so that it didn’t use ActiveX, effectively skirting Microsoft’s mitigations.
Zero Day Initiative
The Zero Day Initiative said that for now, the most-effective defence is “to apply the patch & avoid Office docs you aren’t expecting to receive.”
Be sure to carefully review and install all the needed patches for your setup: There’s a long list of updates for specific platforms, & it’s important not to slather on too thin a layer of protection.
Credit for finding this bug goes to Rick Cole of MSTIC; Bryce Abdo, Dhanesh Kizhakkinan & Genwei Jiang, all from Mandiant; & Haifei Li of EXPMON.
Bad Bug Award
The award for ‘baddest bug’ – or at least, the 1 with the highest severity rating, with a CVSS score of 9.8 – goes to CVE-2021-38647: a critical remote-code execution (RCE) vulnerability in Open Management Infrastructure.
“This vulnerability requires no user interaction or privileges, so an attacker can run their code on an affected system just by sending a specially crafted message to an affected system,” the Zero Day Initiative explained. That makes it high priority: ZDI recommended that OMI users test & deploy this one quickly.
More Print Nightmare Patches
These are the 3 latest fixes in a steady stream of patches for flaws in Windows Print Spooler that followed the disclosure of Print Nightmare in June. This probably won’t be the last patch in that set: Tenable’s Narang outloned that “researchers continue to discover ways to exploit Print Spooler” & that the firm expects “continued research in this area.”
Only 1 – CVE-2021-38671 – of today’s patch trio is rated as “exploitation more likely.” Regardless, organisations should prioritise patching these flaws as “they are extremely valuable to attackers in post-exploitation scenarios,” Narang observed.
‘Exploitation More Likely’
Immersive’s Breen stated that a trio of local privilege-escalation vulnerabilities in the Windows Common Log File System Driver (CVE-2021-36955, CVE-2021-36963, CVE-2021-38633) are also of note, all of them being listed as “exploitation more likely.”
“Local priv-esc vulnerabilities are a key component of almost every successful cyberattack, especially for the likes of ransomware operators who abuse this kind of exploit to gain the highest level of access,” Breen explained. “This allows them to disable antivirus, delete backups & ensure their encryptors can reach even the most sensitive of files.”
One obvious example of that emerged in May, when 100s of millions of Dell users were found to be at risk from kernel-privilege bugs. The bugs were undisclosed for 12 years, & could have allowed attackers to bypass security products, execute code & pivot to other parts of the network for lateral movement.
The 3 exploits Microsoft patched on Tues. aren’t remote, meaning that attackers need to have achieved code execution by other means. One such way would be via CVE-2021-40444.
2 other vulnerabilities – CVE-2021-38639 & CVE-2021-36975, both Win32k escalation of privilege flaws – have also been listed as “exploitation more likely” &, together, cover the full range of supported Windows versions.
Breen observed that he’s starting to feel ‘like a broken record’ when it comes to privilege escalation vulnerabilities. They’re not rated as high a severity risk as RCE bugs, but “these local exploits can be the linchpin in the post-exploitation phases of an experienced attacker,” he asserted.
“If you can block them here you have the potential to significantly limit their damage.”
He added, “If we assume a determined attacker will be able to infect a victim’s device through social engineering or other techniques, I will argue that patching priv-esc vulnerabilities is even more important than patching some other remote code-execution vulns,” Breen outlined.
This RCE Is Pretty Important
Danny Kim, a Principal Architect at Virsec who spent time at Microsoft during his graduate work on the OS security development team, wants security teams to pay attention to CVE-2021-36965 – an important-rated Windows WLAN AutoConfig Service RCE vulnerability – given its combination of severity (with a CVSS:3.0 base score of 8.8); no requirement for privilege escalation/user interaction to exploit; & breadth of affected Windows versions.
The WLAN AutoConfig Service is part of the mechanism that Windows 10 uses to choose the wireless network a computer will connect to, & to the Windows Scripting Engine, respectively.
Fixes a Flaw
The patch fixes a flaw that could allow network-adjacent attackers to run their code on affected systems at system level.
As the Zero Day Initiative explained, that means an attacker could “completely take over the target provided they are on an adjacent network.” That would come in quite useful in a coffee-shop attack, where multiple people use an unsecured Wi-Fi network.
This one “is especially alarming,” Kim warned: Think SolarWinds & Print Nightmare.
“As recent trends have shown, remote code execution-based attacks are the most critical vulnerabilities that can lead to the largest negative impact on an enterprise, as we have seen in the SolarWinds & Print Nightmare attacks,” he explained.
Kim observed that despite the exploit code maturity being currently unproven, the vulnerability has been confirmed to exist, leaving an opening for attackers.
“It specifically relies on the attacker being located in the same network, so it would not be surprising to see this vulnerability used in combination with another CVE/attack to achieve an attacker’s end goal,” he predicted.
Remote Code Execution
“Remote code execution attacks can lead to unverified processes running on the server workload, only highlighting the need for constant, deterministic runtime monitoring. Without this protection in place, RCE attacks can lead to a total loss of confidentiality & integrity of an enterprise’s data.”
The Zero Day Initiative also found this one alarming. Even though it requires proximity to a target, it requires no privileges or user interaction, so “don’t let the adjacent aspect of this bug diminish the severity,” it stated. “Definitely test & deploy this patch quickly.”
Don’t Forget to Patch Chrome
Breen observed that security teams should also pay attention to 25 vulnerabilities patched in Chrome & ported over to Microsoft’s Chromium-based Edge.
Browsers are, after all, windows into things both private, sensitive & valuable to criminals, he commented.
Up to Date
“I cannot underestimate the importance of patching your browsers & keeping them up to date,” he stressed.
“After all, browsers are the way we interact with the internet & web-based services that contain all sorts of highly sensitive, valuable & private information.
Whether you’re thinking about your online banking, or the data collected & stored by your organisation’s web apps, they could all be exposed by attacks that exploit the browser” he concluded.