In its September Patch Tuesday release, Microsoft shipped patches for 66 CVEs, three of which are rated Critical in Microsoft’s four-tier system. One of the three is the zero-day vulnerability in Windows MSHTML, which has been under active attack for nearly two weeks.
Another bug is listed as publicly known but not yet exploited. Kevin Breen, director of cyber threat research at Immersive Labs, observed that only one CVE was being actively attacked in the wild.
The vulnerabilities exist in Microsoft Windows and Windows components, Microsoft Edge (Chromium, iOS, and Android), Azure, Office and Office Components, SharePoint Server, Microsoft Windows DNS, and Windows Subsystem for Linux.
Of the 66 new CVEs patched this time, three were rated Critical, 62 were rated Important, and one was rated Moderate.
This is the seventh month of the nine so far in 2021 in which Microsoft has patched fewer than 100 CVEs, in stark contrast to 2020, when Redmond released more than 100 CVE patches per month for eight months. However, as the Zero Day Initiative noted, while the overall number of vulnerabilities is lower, the severity ratings have risen.
Some observers believe the highest priority in this month’s patch is CVE-2021-40444: a critical vulnerability in Microsoft’s MSHTML (Trident) engine with a score of 8.8 out of 10 on the CVSS scale.
Since its Sept. 7 disclosure, researchers have developed a number of proof-of-concept (PoC) exploits that show how easy it is to exploit, and attackers have been sharing guidance on exploitation.
Under active attack: CVE-2021-40444
It’s been nearly two weeks since this serious, easy-to-exploit vulnerability was actively attacked, and it’s been nearly a week since attackers shared a blueprint for executing the exploit.
Microsoft said last week that the flaw could allow an attacker to “craft a malicious ActiveX control for use by a Microsoft Office document that hosts the browser’s rendering engine,” and that “the attacker would have to convince the user to open the malicious document.” Unfortunately, malicious macro attacks continue to prevail: in July, for example, longtime users of Microsoft Excel were targeted by a malware campaign that used a new obfuscation technique to disable malicious-macro warnings and spread the ZLoader Trojan.
An attacker would need to convince a user to open a specially crafted Microsoft Office document containing the exploit code.
Satnam Narang, a research engineer at Tenable, noted via email that there are warnings that this vulnerability will be incorporated into malware payloads and used to spread ransomware, which is good reason to put the patch at the top of the priority list.
Narang told Threatpost: “There is no indication that this has happened yet, but with the patch being released, organizations should prioritize updating their systems as soon as possible.”
Last Wednesday, September 8, Kevin Beaumont, head of the security operations center at British fashion retailer Arcadia Group and a former senior threat intelligence analyst at Microsoft, pointed out that the vulnerability had been around for about a week or more.
To make matters worse, last Thursday, September 9th, threat actors started sharing Windows MSHTML 0day exploits and PoCs. BleepingComputer gave it a try and found the guides “easy to follow and allow anyone to create their own version of the exploit” and “include a Python server for distributing malicious documents and CAB files.”
The publication took 15 minutes to recreate the exploit.
A week ago, on Tuesday, September 7, Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) urged mitigation of the remote code execution (RCE) vulnerability, which exists in all modern Windows operating systems.
Last week, the company said little about the vulnerability in MSHTML (aka Trident), the HTML engine built into Windows since Internet Explorer’s debut more than 20 years ago that allows Windows to read and display HTML files.
However, Microsoft did say it was aware of targeted attacks attempting to exploit it through specially crafted Microsoft Office documents.
Although no security update for the vulnerability was available at the time, Microsoft disclosed it anyway and released mitigations designed to help prevent exploitation.
Mitigations that fell short
The vulnerability, tracked as CVE-2021-40444, is severe enough that CISA sent an advisory to alert users and administrators and advise them to apply the Microsoft-recommended mitigations and workarounds, mitigations Microsoft attempted to deliver through Windows Explorer.
Unfortunately, these mitigations proved not foolproof, as researchers including Beaumont managed to modify the exploit to not use ActiveX, effectively bypassing Microsoft’s mitigations.
The Zero Day Initiative says the most effective defense right now is “applying patches and avoiding Office documents you don’t want to receive.”
Be sure to double-check and install all the patches your setup needs: there is a long list of updates for specific platforms, so don’t let your layer of protection be too thin.
The discovery of this bug is credited to Rick Cole from MSTIC; Bryce Abdo, Dhanesh Kizhakkinan and Genwei Jiang from Mandiant and Haifei Li from EXPMON.
The most severe bug
The most severe bug, or at least the one with the highest severity rating, is CVE-2021-38647: a high-severity remote code execution (RCE) vulnerability in Open Management Infrastructure (OMI) with a CVSS score of 9.8.
OMI is an open-source project aimed at further developing a production-quality implementation of the DMTF CIM/WBEM standards.
“This vulnerability does not require user interaction or permissions, so attackers can simply send a specially crafted message to the compromised system to run their code on the compromised system,” explains the Zero Day Initiative. That makes it a high priority: ZDI recommends that OMI users test and deploy the patch quickly.
More PrintNightmare patches
Microsoft also patched three privilege escalation vulnerabilities in Windows Print Spooler (CVE-2021-38667, CVE-2021-38671, and CVE-2021-40447), all rated as important.
These are the latest three in a series of patches for Windows Print Spooler flaws following the disclosure of PrintNightmare in June. This probably won’t be the last patch in the parade: Tenable’s Narang told Threatpost that “researchers continue to find ways to exploit the Print Spooler” and that the company expects to “continue research in this area.”
Of the three patches issued today, only one, CVE-2021-38671, was rated as “more likely to be exploited.” Regardless, organizations should prioritize patching these flaws because “they are very valuable to attackers in the post-exploitation stage.”
More “more likely to be exploited”
Immersive’s Breen told Threatpost that three local elevation-of-privilege vulnerabilities (CVE-2021-36955, CVE-2021-36963, CVE-2021-38633) in the Windows Common Log File System (CLFS) driver are also of note; all are listed as “more likely to be exploited.”
“Local priv-esc vulnerabilities are a critical component of nearly all successful cyberattacks, especially for those such as ransomware operators who abuse such vulnerabilities to gain the highest levels of access,” Breen said via email. “They were able to disable antivirus, delete backups, and ensure their encryption programs had access to the most sensitive files.”
A clear example came in May, when hundreds of millions of Dell users were found to be at risk from a kernel privilege vulnerability. The vulnerabilities, lurking undisclosed for 12 years, could allow attackers to bypass security products, execute code and move laterally to other parts of the network.
The three vulnerabilities Microsoft patched on Tuesday are local rather than remotely exploitable, meaning attackers would need some other means to achieve code execution first. One such route is CVE-2021-40444.
Two other vulnerabilities — CVE-2021-38639 and CVE-2021-36975, both Win32k privilege escalation flaws — are also listed as “more likely to be exploited” and cover all supported versions of Windows.
The severity risk of privilege-escalation vulnerabilities is not as high as that of RCE vulnerabilities, Breen said, but “these local vulnerabilities can be critical for an experienced attacker in the post-exploitation phase. If you can stop them here, you have the potential to significantly limit their damage.”
He added, “If we assume a determined attacker is able to infect a victim’s device through social engineering or other techniques, I think patching the priv-esc vulnerability is even more important than patching some other remote code execution vulnerability.”
RCE is also important
Danny Kim, chief architect at Virsec, who previously worked on Microsoft’s OS security development team, wants security teams to focus on CVE-2021-36965, a critical Windows WLAN AutoConfig Service RCE vulnerability, given its combination of severity (CVSS 3.0 base score of 8.8), exploitability without privilege elevation or user interaction, and the range of Windows versions affected.
The WLAN AutoConfig service is part of the mechanism that Windows 10 uses to select the wireless network the computer will connect to.
The patch fixes a flaw that could allow attackers in proximity to the network to run their code on the affected system at the system level.
As the Zero Day Initiative explains, this means that attackers can “completely take over the target—as long as they’re on adjacent networks.” This would come in handy in coffee-shop attacks, where many people share an untrusted Wi-Fi network.
It was “particularly shocking,” Kim said. “Think SolarWinds and PrintNightmare.”
“Recent trends suggest that remote code execution-based attacks are the most critical vulnerabilities with the greatest negative impact on enterprises, as we saw with the SolarWinds and PrintNightmare attacks,” he said in an email.
Kim said that although the maturity of the exploit code is currently unproven, the vulnerability has been confirmed to exist, leaving a hole for attackers.
“It depends on the attacker being on the same network, so it’s not surprising to see this vulnerability combined with another CVE/attack to achieve the attacker’s end goal,” Kim said. “Remote code execution attacks could lead to unauthenticated processes running on the server workload, which only highlights the need for continuous, deterministic runtime monitoring. Without this protection, an RCE attack could result in a complete loss of confidentiality and integrity of enterprise data.”
The Zero Day Initiative also found this problem worrying. Even though it requires proximity to the target, it requires neither privileges nor user interaction, so “don’t let the adjacent aspect of this bug reduce the severity. Make sure to test and deploy this patch quickly.”
Don’t forget to patch Chrome
Breen told Threatpost via email that security teams should also be aware of the 25 vulnerabilities in Chrome that were patched and ported to Microsoft’s Chromium-based Edge.
After all, the browser is the window into privacy, sensitive information and anything else of value to criminals, he said.
“I cannot underestimate the importance of patching browsers and keeping them up to date,” he stressed. “After all, browsers are the way we interact with the Internet and with web-based services that contain all kinds of highly sensitive, valuable, and private information. Whether you’re thinking about your online banking or the data your organization’s web applications collect and store, they can all be exposed by attacks that leverage browsers.”